[Opendnssec-develop] How to replicate signer-stuck with SoftHSM

Rickard Bellgrim rickard at opendnssec.org
Mon May 13 13:10:42 UTC 2013

> I imagine this scenario:
>  - Enforcer creates keys in one view, say on HSM #1
>  - Enforcer creates signconf
>  - Enforcer sends an update for the zone to the Signer
>  - Signer looks up keys from another view, possibly on HSM #2
>  - This view does not contain the keys yet
>      --> we'd have to establish if this is PKCS #11 compliant (making it a
> Signer bug) or not (making it an HSM bug)
Clustering is handled outside of PKCS#11, but it is part of the HSM
software. If an HSM generates a key pair, then another application should
be able to us it. If not, then there is something wrong with the clustering
code in the HSM. It is not High-Availability, but maybe

// Rickard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20130513/7bd52ff3/attachment.htm>

More information about the Opendnssec-develop mailing list