[Opendnssec-user] SmartCard-HSM as key store for DNSSEC

Rick van Rein rick at openfortress.nl
Thu Mar 29 14:51:14 UTC 2012


Hello Andreas,

> We've designed a secure key store called SmartCard-HSM that implements
> secure generation, storage and use of asymmetric keys in a CC evaluated
> smart card (see flyer at [1]).

OK.  Please note that smart cards are very limited in the number of
objects that they can hold.  Before going live, please be very careful
to test KSK rollovers and at the same time ZSK rollovers; if they don't
fit on the card then you could be in trouble.  I suppose you are using
the <ShareKeys/> setup in your policies.

> In a next step we want to support key replication among a cluster of
> SmartCard-HSMs in order to implement load balancing and key backup. We
> have a draft concept for it, but would like to cross-check with actual
> user requirements in the DNSSEC area.

Whatever you do, please do it two-phase:

	ods-ksmutil backup prepare
	# cp /dev/sc1 /dev/sc2
	ods-ksmutil backup commit

This avoids trouble if keys are created halfway through the exercise.


We spent more on bigger HSMs, and they came with a ready-made replication
setup; that works through a PKCS #11 library that clones all actions to
both HSMs, except for "reading" actions such as signing with an already
present key.


If you send us your proposed approach we might find it easier to punch
holes in it than responding to a request to dump our brains in a single
email ;-)


Cheers,
 -Rick
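
The two-phase backup from the mail above as a shell function, with the rollback that a failed copy needs. This is an added example, not part of the original message or of OpenDNSSEC. The function name, the return codes and the caller-supplied copy command are assumptions, since the mail gives only a placeholder for the copy step.

```shell
#!/bin/sh
# Added example: wrapper around the two-phase key backup.
# KSMUTIL is the OpenDNSSEC key-management CLI named in the mail; it can be
# overridden to point at a wrapper for dry runs.
KSMUTIL="${KSMUTIL:-ods-ksmutil}"

# two_phase_backup REPOSITORY COPY_COMMAND [ARGS...]
#   REPOSITORY    repository name from conf.xml (caller-supplied)
#   COPY_COMMAND  whatever replicates the token to its backup; the mail only
#                 shows a placeholder for this step, so it is passed in here
# Return codes (chosen for this example):
#   0  keys copied and committed
#   1  prepare failed, nothing was marked
#   2  copy failed, prepare was rolled back
#   3  copy succeeded but commit failed
#   64 usage error
two_phase_backup() {
    if [ "$#" -lt 2 ] || [ -z "$1" ]; then
        echo "usage: two_phase_backup REPOSITORY COPY_COMMAND [ARGS...]" >&2
        return 64
    fi
    repo="$1"
    shift

    # Phase 1: mark the keys that exist right now. Keys generated after this
    # point are outside the marked set, so the commit below cannot flag them
    # as backed up.
    "$KSMUTIL" backup prepare --repository "$repo" || return 1

    # Replicate the token while the marked set is fixed.
    if ! "$@"; then
        # Undo the mark so no key counts as backed up without a real copy.
        "$KSMUTIL" backup rollback --repository "$repo"
        return 2
    fi

    # Phase 2: flag only the keys marked in phase 1 as backed up.
    "$KSMUTIL" backup commit --repository "$repo" || return 3
    return 0
}
```
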


