shuoleo at 126.com
Mon Oct 8 06:30:15 UTC 2012
We have been testing DNSSEC with OpenDNSSEC+SoftHSM, and it has been working well.
But recently we decided to buy an HSM to replace SoftHSM for the signing work and
key storage. After consulting some of the HSM vendors here, we found out
that almost no devices can cooperate with OpenDNSSEC.
Take key generation, for example: the vendors' HSM devices allow creating keys with a
software API, though both are using PKCS#11; keys in the HSM devices must be
created manually with administrator permission, and it is the same case with removing them.
And we also found out that the HSM devices do not support <TokenLabel>, which is used by
SoftHSM's slot; only KeyLabel is supported, which means it designates a specific
key to do the signing work instead of the keys in a slot.
In short, the HSM devices are not designed to be as flexible as OpenDNSSEC supposes they
should be; there are lots of incompatibilities.
What should we do to avoid abandoning OpenDNSSEC? Is there any possibility that
people can do their own programming work with your APIs, if they exist, in order to
adapt to HSM devices?
Has anybody ever met the same problem as ours?
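The two compatibility questions raised in this post (can the HSM's token be selected by the label OpenDNSSEC puts in <TokenLabel>, and will the device let the PKCS#11 API create key pairs rather than requiring an administrator to do it by hand) can be checked before buying. The script below is an added example, not something from the original post or from the OpenDNSSEC project; it drives OpenSC's pkcs11-tool, and the module path, token label and PIN are placeholders.

```shell
# Added example, not from the original post: a pre-purchase check of whether a
# PKCS#11 HSM can be addressed by the token label in OpenDNSSEC's <TokenLabel>
# and whether the API may create key pairs. MODULE, LABEL and PIN are placeholders.
MODULE="${MODULE:-/path/to/vendor-pkcs11.so}"
LABEL="${LABEL:-OpenDNSSEC}"   # must equal <TokenLabel> in conf.xml
PIN="${PIN:-1234}"
# Reads `pkcs11-tool --list-slots` output on stdin; prints the hex id of the
# slot whose token label equals $1, or prints nothing and returns 1.
slot_for_token_label() {
    awk -v want="$1" '
        /^Slot [0-9]+ \(0x[0-9a-fA-F]+\)/ { id = $3; gsub(/[():]/, "", id) }
        /^ *token label *:/ {
            sub(/^ *token label *: */, ""); sub(/ *$/, "")  # labels are blank-padded
            if ($0 == want) { print id; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}
# Reads `pkcs11-tool --list-objects` output on stdin; prints how many
# private-key objects carry CKA_LABEL equal to $1 (the "KeyLabel" case).
private_keys_with_label() {
    awk -v want="$1" '
        /^Private Key Object/  { inpriv = 1; next }
        /^[A-Za-z]/            { inpriv = 0 }
        inpriv && /^ *label: / { sub(/^ *label: */, ""); if ($0 == want) n++ }
        END { print n + 0 }'
}
# Live check: succeeds only if the token is found by label, C_GenerateKeyPair
# is permitted, and the new private key is then visible under its label.
check_repository() {
    slot=$(pkcs11-tool --module "$MODULE" --list-slots | slot_for_token_label "$LABEL") || {
        echo "no token labelled '$LABEL': <TokenLabel> cannot select this HSM"; return 1; }
    pkcs11-tool --module "$MODULE" --slot "$slot" --login --pin "$PIN" --keypairgen \
        --key-type rsa:2048 --label odstest --id 4f445354 >/dev/null 2>&1 || {
        echo "key-pair generation via PKCS#11 refused: keys must be created out of band"; return 1; }
    n=$(pkcs11-tool --module "$MODULE" --slot "$slot" --login --pin "$PIN" --list-objects |
        private_keys_with_label odstest)
    [ "$n" -ge 1 ] && echo "token '$LABEL' in slot $slot: API key generation works"
}
# Constructed samples of pkcs11-tool output so the parsers can be exercised offline.
SAMPLE_SLOTS='Slot 0 (0x5b8b4f7e): SoftHSM slot ID 0x5b8b4f7e
  token label        : OpenDNSSEC
Slot 1 (0x1): SoftHSM slot ID 0x1'
SAMPLE_OBJECTS='Private Key Object; RSA
  label:      zsk-2012
Public Key Object; RSA 2048 bits
  label:      zsk-2012'
# Run the live check only where pkcs11-tool is actually installed.
command -v pkcs11-tool >/dev/null 2>&1 && check_repository
```

A device that fails the first step can only be used with a fixed key label, which is what the vendors here described; a device that fails the second step will not let the enforcer roll keys on its own.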