Jakob Schlyter jakob at kirei.se
Mon Oct 8 06:55:05 UTC 2012

On 8 okt 2012, at 08:30, 刘硕 <shuoleo at 126.com> wrote:

> We have been testing DNSSEC with OpenDNSSEC+SoftHSM, it has been working well.
> But recently we decided to buy a HSM to replace SoftHSM to do signing work and
> keys storage. After consulting with some of the HSM vendors here, we found out
> that almost no devices can cooperate with OpenDNSSEC.

This is very surprising to me, as we have proven interoperability with quite a few HSMs; see https://wiki.opendnssec.org/display/DOCREF/HSM for a full list.

What vendors have you been talking to?

> Take key generation for example: the vendors' HSM devices allow creating keys with
> a software API though they are both using PKCS#11, keys in HSM devices must be
> created manually with administrator permission, and it is the same case with removing
> keys.

Yes, there exist HSMs (e.g., AEP) that can limit key generation and destruction, and OpenDNSSEC can be set up to work with those. However, all keys must be created via PKCS#11.


Jakob Schlyter
Kirei AB - http://www.kirei.se/
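Since the reply above hinges on whether a candidate HSM exposes key generation through PKCS#11 at all, a quick pre-purchase check is to ask the vendor's PKCS#11 module which key-pair-generation mechanisms it advertises and whether the CKF_GENERATE_KEY_PAIR flag is set on them. The script below is an added example (not from this thread and not part of OpenDNSSEC) that does exactly that with ctypes against any PKCS#11 v2.x module; the module path is taken from the command line, the SoftHSM path used as a default is a hypothetical placeholder, and the sample flag values in the comments are constructed.

```python
"""Probe a PKCS#11 module for key-pair-generation capability (added example)."""
import ctypes
import sys

# PKCS#11 v2.x constants (values from the PKCS#11 specification).
CKR_OK = 0x00
CKR_MECHANISM_INVALID = 0x70
CKF_HW = 0x00000001
CKF_GENERATE_KEY_PAIR = 0x00010000
KEYGEN_MECHANISMS = {
    "CKM_RSA_PKCS_KEY_PAIR_GEN": 0x0000,
    "CKM_EC_KEY_PAIR_GEN": 0x1040,
}


class CK_MECHANISM_INFO(ctypes.Structure):
    """Mirror of CK_MECHANISM_INFO: three CK_ULONG fields (Linux default alignment)."""
    _fields_ = [("ulMinKeySize", ctypes.c_ulong),
                ("ulMaxKeySize", ctypes.c_ulong),
                ("flags", ctypes.c_ulong)]


def decode_flags(flags):
    """Translate the CK_MECHANISM_INFO.flags bits we care about into booleans."""
    return {
        "hw": bool(flags & CKF_HW),
        "generate_key_pair": bool(flags & CKF_GENERATE_KEY_PAIR),
    }


def keygen_verdict(mech_info):
    """mech_info maps mechanism name -> (min_bits, max_bits, flags) for mechanisms
    the token reported; mechanisms answered with CKR_MECHANISM_INVALID are absent.
    Returns (usable_for_pkcs11_keygen, human-readable findings)."""
    findings = []
    usable = False
    for name in KEYGEN_MECHANISMS:
        if name not in mech_info:
            findings.append(f"{name}: not supported by this token")
            continue
        lo, hi, flags = mech_info[name]
        caps = decode_flags(flags)
        if caps["generate_key_pair"]:
            usable = True
            where = "in hardware" if caps["hw"] else "in software"
            findings.append(f"{name}: key-pair generation allowed {where}, {lo}-{hi} bits")
        else:
            # Mechanism is listed but lacks CKF_GENERATE_KEY_PAIR: the kind of
            # "keys must be created out of band" device discussed in the thread.
            findings.append(f"{name}: present but CKF_GENERATE_KEY_PAIR not set")
    if not usable:
        findings.append("No PKCS#11 key-pair generation: a signer that must create "
                        "keys via PKCS#11 cannot manage keys on this token")
    return usable, findings


def probe_module(path):
    """Load the module, enumerate slots with a token, and collect mechanism info."""
    lib = ctypes.CDLL(path)
    lib.C_Initialize.argtypes = [ctypes.c_void_p]
    lib.C_Initialize.restype = ctypes.c_ulong
    lib.C_Finalize.argtypes = [ctypes.c_void_p]
    lib.C_Finalize.restype = ctypes.c_ulong
    lib.C_GetSlotList.argtypes = [ctypes.c_ubyte, ctypes.POINTER(ctypes.c_ulong),
                                  ctypes.POINTER(ctypes.c_ulong)]
    lib.C_GetSlotList.restype = ctypes.c_ulong
    lib.C_GetMechanismInfo.argtypes = [ctypes.c_ulong, ctypes.c_ulong,
                                       ctypes.POINTER(CK_MECHANISM_INFO)]
    lib.C_GetMechanismInfo.restype = ctypes.c_ulong

    rv = lib.C_Initialize(None)
    if rv != CKR_OK:
        raise RuntimeError(f"C_Initialize failed: 0x{rv:02x}")
    try:
        count = ctypes.c_ulong(0)
        lib.C_GetSlotList(1, None, ctypes.byref(count))      # tokenPresent=TRUE
        slots = (ctypes.c_ulong * count.value)()
        lib.C_GetSlotList(1, slots, ctypes.byref(count))
        results = {}
        for slot in list(slots)[:count.value]:
            info = {}
            for name, mech in KEYGEN_MECHANISMS.items():
                mi = CK_MECHANISM_INFO()
                rv = lib.C_GetMechanismInfo(slot, mech, ctypes.byref(mi))
                if rv == CKR_OK:
                    info[name] = (mi.ulMinKeySize, mi.ulMaxKeySize, mi.flags)
                elif rv != CKR_MECHANISM_INVALID:
                    raise RuntimeError(f"C_GetMechanismInfo({name}) failed: 0x{rv:02x}")
            results[slot] = info
        return results
    finally:
        lib.C_Finalize(None)


if __name__ == "__main__":
    # Hypothetical default path; pass the vendor module as the first argument.
    module = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/softhsm/libsofthsm2.so"
    for slot, info in probe_module(module).items():
        usable, findings = keygen_verdict(info)
        print(f"slot {slot}: {'OK' if usable else 'NOT USABLE'}")
        for line in findings:
            print("  " + line)
```

Run it as `python3 probe.py /path/to/vendor-pkcs11.so`; a token that only lists the mechanisms without CKF_GENERATE_KEY_PAIR, or answers CKR_MECHANISM_INVALID for both, is one where keys would have to be created by an administrator outside PKCS#11. The probe does not log in, so it reports what the token advertises, not whether a particular user role is permitted to generate keys; that policy question still has to be confirmed with the vendor.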
