[Opendnssec-user] How to get started with SoftHSM + OpenDNSSEC?

Eivind Olsen eivind at aminor.no
Sat Feb 5 16:07:55 UTC 2011


Let me first say I'm fairly new to HSM's, PKCS etc., so some of these
questions might be fairly obvious to most of you. I have tried to look
through the OpenDNSSEC website + the mailinglist, but so far I haven't
found anything (but I could have missed it, that has happened before).

Some background information:
I thought I'd try out OpenDNSSEC for some of my own zones, to see how it
can be used etc.
Since this is (initially) just for myself, I'll not be spending money on a
hardware HSM, so I'm planning on using the SoftHSM, preferrably on
FreeBSD. The basic concept should still be the same if I ever get to do
this in a larger scale with more stringent security requirements, but I'd
then quite possibly be using a hardware HSM solution instead of the

I have already DNSSEC-ified one of my zones (bohrnag.org, I'm not claiming
to necessarily have done it 100% correctly), but I thought I'd rearrange
my DNS setup a bit, using a hidden master (BIND) to allow NSUPDATE,
feeding that unsigned zone through OpenDNSSEC and then finally to the
externally reachable servers.

Now, on to the bit I'm not so sure about - SoftHSM. I don't have any
experience with KPCS#11 / #8, HSMs etc., so some of the concepts are
fairly new to me.
This is how I understand things though:

First, I initialize the SoftHSM database/tokens with
# softhsm --init-token --slot 0 --label "OpenDNSSEC"
I type a SO PIN and a user PIN, and it's the user PIN I'll be using from
now on.
Then, I have converted the existing BIND .private keys to PKCS#8, ending
with a .pem file for the ZSK and another for the KSK:
# softhsm-keyconv --topkcs8 --in Kbohrnag.org.+005+15483.private --out
(and then the KSK)

I can now import the keys to the SoftHSM database:
# softhsm --import --slot 0 --label "bohrnag.org ZSK" --id 
. --pin (user

Am I meant to just make up a unique ID for the "--id" part? Perhaps just
incrementing by 1 every time?
Is there any "best practices" regarding what to put as the label?
And will I assign a separate "--slot" for each key?
Is there some way I can list the contents of the SoftHSM database? Such
as, seeing which keys are in it? "softhsm --show-slots" only lists the
slots, not the keys kept there.

Am I somewhat on the right track, or have I gotten it all completely wrong?

Eivind Olsen

More information about the Opendnssec-user mailing list