[Opendnssec-user] RSA/SHA-256 signatures

Antti Ristimäki aristima at csc.fi
Wed Mar 24 13:40:27 UTC 2010


Hi,

We were just wondering, in what form does OpenDNSSEC pass the records to
the HSM for signing? Does the OpenDNSSEC signer compute the digest
itself and then only pass the digest to the HSM, or is it the task of
the HSM to compute the digest?

If the HSM computes the digest, I presume that the properties of the HSM
device dictate what hashing algorithms can be used when signing records?

In our case, the hardware HSM doesn't support SHA-256, but we would
still like to be able to support RSA/SHA-256 signatures. According to
the output of the "ods-hsmutil test", it seems that we are able to use
RSA/SHA-256 signatures. The question is, does OpenDNSSEC use the HSM
in the same way as ods-hsmutil does?

Regards,

Antti
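The question above hinges on where the SHA-256 digest is computed. The following added illustration (not from this thread, and not OpenDNSSEC's or ods-hsmutil's code) shows what crosses the PKCS#11 boundary under the three standard RSA signing mechanisms: only CKM_SHA256_RSA_PKCS requires the token to hash, whereas with CKM_RSA_PKCS the application supplies the SHA-256 DigestInfo and the token merely pads, so a token without SHA-256 can still yield a valid RSA/SHA-256 signature. The sample input is a constructed placeholder for the RRSIG-RDATA-plus-canonical-RRset bytes a DNSSEC signer would hash; the mechanism names are real PKCS#11 mechanisms, the encoding follows RFC 8017.

```python
import hashlib

# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed placeholder for the data a DNSSEC signer hashes (RFC 4034, 3.1.8.1):
# RRSIG RDATA without the signature field, then the canonical RRset. Not real zone data.
SAMPLE_SIGNED_DATA = b"\x00\x01\x08\x00\x00\x0e\x10" + b"constructed canonical RRset bytes"


def digest_info_sha256(data: bytes) -> bytes:
    """DigestInfo for SHA-256: what an application computes locally and hands to a
    token through CKM_RSA_PKCS, leaving the token only the PKCS#1 v1.5 padding."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(data).digest()


def emsa_pkcs1_v15(t: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding (RFC 8017, 9.2) of DigestInfo t to k bytes."""
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def application_sends(mechanism: str, data: bytes, k: int) -> bytes:
    """Bytes the application passes to C_Sign for each PKCS#11 mechanism."""
    if mechanism == "CKM_SHA256_RSA_PKCS":   # token hashes and pads: needs SHA-256
        return data
    if mechanism == "CKM_RSA_PKCS":          # application hashes, token pads
        return digest_info_sha256(data)
    if mechanism == "CKM_RSA_X_509":         # application hashes and pads, token does raw RSA
        return emsa_pkcs1_v15(digest_info_sha256(data), k)
    raise ValueError(f"unsupported mechanism {mechanism}")


def token_encodes(mechanism: str, received: bytes, k: int) -> bytes:
    """Encoded message the token feeds to the RSA private-key primitive."""
    if mechanism == "CKM_SHA256_RSA_PKCS":
        return emsa_pkcs1_v15(digest_info_sha256(received), k)
    if mechanism == "CKM_RSA_PKCS":
        return emsa_pkcs1_v15(received, k)
    if mechanism == "CKM_RSA_X_509":
        return received
    raise ValueError(f"unsupported mechanism {mechanism}")


def encoded_messages(data: bytes = SAMPLE_SIGNED_DATA, k: int = 256) -> dict:
    """Run all three paths; the RSA input, hence the signature, is identical."""
    return {m: token_encodes(m, application_sends(m, data, k), k)
            for m in ("CKM_SHA256_RSA_PKCS", "CKM_RSA_PKCS", "CKM_RSA_X_509")}
```

The practical check for a deployment like the one described is therefore which mechanism the signer requests from the token, not only which mechanisms the token advertises.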
