[Opendnssec-user] RSA/SHA-256 signatures

Rickard Bellgrim rickard.bellgrim at iis.se
Wed Mar 24 13:54:45 UTC 2010

> We were just wondering, in what form OpenDNSSEC passes the records to
> the HSM for signing? Does the OpenDNSSEC signer compute the digest
> itself and then only pass the digest to the HSM, or is it a task of
> the HSM to compute the digest?

We compute the digest using ldns and then sign it using the mechanism CKM_RSA_PKCS in the HSM.

> If the HSM computes the digest, I presume that the properties of the HSM
> device dictate what hashing algorithms can be used when signing records?

It is only MD5 that is sent to the HSM, since ldns cannot do MD5 hashes. SHA1, SHA256, and SHA512 are done in software.

> In our case, the hardware HSM doesn't support SHA-256, but we would
> still like to be able to support RSA/SHA-256 signatures. According to
> the output of the "ods-hsmutil test", it seems that we are able to use
> RSA/SHA-256 signatures. The question is, does the OpenDNSSEC use the HSM
> in the same way as the ods-hsmutil?

The result from ods-hsmutil is equal to how OpenDNSSEC uses the HSM. Both use the internal library libhsm.

// Rickard
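
The split described in this reply, as an added Python illustration that is not part of the original message and not libhsm code: the host hashes with SHA-256 and wraps the digest in a DigestInfo, and a simulated token does only what CKM_RSA_PKCS does (PKCS #1 v1.5 type 01 padding and the private-key operation), so the token needs no SHA-256 support. The function names, the sample input and the toy key are assumptions made for the example.

```python
import hashlib

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed toy key standing in for a key held inside the HSM: the product
# of two Mersenne primes. Insecure by construction, for illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# Constructed stand-in for the data to be signed (not real DNS wire format).
SAMPLE = b"constructed RRSIG RDATA + canonical RRset for example."


def emsa_pkcs1_v15(digest_info: bytes) -> bytes:
    """Type 01 padding: 00 01 FF..FF 00 || DigestInfo (at least 8 FF bytes)."""
    if len(digest_info) > K - 11:
        raise ValueError("DigestInfo too long for this modulus")
    return b"\x00\x01" + b"\xff" * (K - len(digest_info) - 3) + b"\x00" + digest_info


def host_prepare(data: bytes) -> bytes:
    """Host side: hash in software and wrap in DigestInfo; only this reaches the token."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(data).digest()


def token_ckm_rsa_pkcs(digest_info: bytes) -> bytes:
    """Simulated token: pad and apply the private key. It never hashes anything."""
    em = int.from_bytes(emsa_pkcs1_v15(digest_info), "big")
    return pow(em, D, N).to_bytes(K, "big")


def verify(data: bytes, signature: bytes) -> bool:
    """Verifier: recover the encoded message and compare the whole encoding."""
    s = int.from_bytes(signature, "big")
    if len(signature) != K or s >= N:
        return False
    return pow(s, E, N).to_bytes(K, "big") == emsa_pkcs1_v15(host_prepare(data))
```

The token receives 51 bytes regardless of how much data was signed, and the hash algorithm is identified only by the DigestInfo prefix built on the host.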
