[Opendnssec-develop] How to replicate signer-stuck with SoftHSM
Rickard Bellgrim
rickard at opendnssec.org
Mon May 13 13:10:42 UTC 2013
> I imagine this scenario:
> - Enforcer creates keys in one view, say on HSM #1
> - Enforcer creates signconf
> - Enforcer sends an update for the zone to the Signer
> - Signer looks up keys from another view, possibly on HSM #2
> - This view does not contain the keys yet
> --> we'd have to establish if this is PKCS #11 compliant (making it a
> Signer bug) or not (making it an HSM bug)
>
>
Clustering is handled outside of PKCS#11, but it is part of the HSM
software. If an HSM generates a key pair, then another application should
be able to use it. If not, then there is something wrong with the clustering
code in the HSM. It is not High-Availability, but maybe
Availability-With-Some-Delay.
// Rickard