刘硕 shuoleo at 126.com
Mon Oct 8 06:30:15 UTC 2012

Hi all,

We have been testing DNSSEC with OpenDNSSEC+SoftHSM, and it has been working well.
But recently we decided to buy an HSM to replace SoftHSM for the signing work and
key storage. After consulting with some of the HSM vendors here, we found out
that almost no devices can cooperate with OpenDNSSEC.

Take key generation for example: though both use PKCS#11, the vendors' HSM devices
allow creating keys with a software API, but keys in HSM devices must be created
manually with administrator permission, and it is the same case with removing them.

And we also found out that HSM devices do not support <TokenLabel>, which is used by
SoftHSM's slot; only KeyLabel is supported, which means it designates a specific
key to do the signing work instead of the keys in a slot.

In short, the HSM devices are not designed as flexibly as OpenDNSSEC supposes they
should be; there are lots of incompatible places.

What should we do to avoid abandoning OpenDNSSEC? Is there any possibility that
people can do their own programming work with your APIs, if they exist, in order to
adapt to HSM devices?

Has anybody ever met the same problem as ours?

Best regards,
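A compatibility probe for the two points raised in the post, written as an added example that is not part of this message or of OpenDNSSEC: it selects a token by label the way OpenDNSSEC's <TokenLabel> does and then tries user-level key generation and deletion through PKCS#11, which is where the vendor devices were reported to differ from SoftHSM. It assumes the PyKCS11 Python binding is installed; the module path, token label and user PIN are supplied by the caller.

```python
def match_token_label(token_labels, wanted):
    """Return the slot id whose token label equals `wanted`, or None.
    CK_TOKEN_INFO.label is a fixed 32-byte field padded with spaces, so
    a raw equality test against the configured <TokenLabel> would fail."""
    for slot, label in token_labels:
        if label.rstrip() == wanted:
            return slot
    return None


def probe_repository(module_path, token_label, pin, rsa_bits=2048):
    """Exercise a PKCS#11 module the way an OpenDNSSEC <Repository> would:
    select the token by label, log in as the user, generate and delete a key pair."""
    import PyKCS11  # imported here so match_token_label works without it
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    labels = [(s, lib.getTokenInfo(s).label)
              for s in lib.getSlotList(tokenPresent=True)]
    slot = match_token_label(labels, token_label)
    if slot is None:
        return {"token_found": False,
                "labels_seen": [l.rstrip() for _, l in labels]}
    report = {"token_found": True, "rsa_keygen_mechanism":
              "CKM_RSA_PKCS_KEY_PAIR_GEN" in lib.getMechanismList(slot)}
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION | PyKCS11.CKF_RW_SESSION)
    session.login(pin)  # CKU_USER: the role a signing daemon runs as
    try:
        key_id = (0x01, 0x02, 0x03, 0x04)  # constructed id for the probe key
        common = [(PyKCS11.CKA_TOKEN, True), (PyKCS11.CKA_LABEL, "ods-probe"),
                  (PyKCS11.CKA_ID, key_id)]
        pub = common + [(PyKCS11.CKA_CLASS, PyKCS11.CKO_PUBLIC_KEY),
                        (PyKCS11.CKA_VERIFY, True),
                        (PyKCS11.CKA_MODULUS_BITS, rsa_bits),
                        (PyKCS11.CKA_PUBLIC_EXPONENT, (0x01, 0x00, 0x01))]
        priv = common + [(PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY),
                         (PyKCS11.CKA_PRIVATE, True),
                         (PyKCS11.CKA_SENSITIVE, True),
                         (PyKCS11.CKA_SIGN, True)]
        try:
            pub_h, priv_h = session.generateKeyPair(pub, priv)
            session.destroyObject(priv_h)
            session.destroyObject(pub_h)
            report["user_can_generate_and_delete"] = True
        except PyKCS11.PyKCS11Error as err:  # e.g. admin-only key creation
            report["user_can_generate_and_delete"] = False
            report["error"] = str(err)
    finally:
        session.logout()
        session.closeSession()
    return report
```

A device that reports `token_found` but not `user_can_generate_and_delete` matches the situation described in the post, where keys must be created by an administrator outside the API.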
