[Opendnssec-user]
Jakob Schlyter
jakob at kirei.se
Mon Oct 8 06:55:05 UTC 2012
On 8 okt 2012, at 08:30, 刘硕 <shuoleo at 126.com> wrote:
> We have been testing DNSSEC with OpenDNSSEC+SoftHSM, it has been working well.
> But recently we decided to buy a HSM to replace SoftHSM to do signing work and
> keys storage. After consulting with some of the HSM vendors here, we found out
> that almost no devices can cooperate with OpenDNSSEC.
This is very surprising to me, as we have proven interoperability with quite a few HSMs; see https://wiki.opendnssec.org/display/DOCREF/HSM for a full list
What venders have you been talking to?
> Take key generation for example, the vendors' HSM devices allow create keys with
> software API though they are both using PKCS#11, keys in HSM devices must be
> created manually with administrator permission and it is the same case with removing
> keys.
Yes, there exists HSMs (e.g., AEP) that can limit key generation and destruction and OpenDNSSEC can be set up to work with those. However, all keys must be created via PKCS#11.
jakob
--
Jakob Schlyter
Kirei AB - http://www.kirei.se/
More information about the Opendnssec-user
mailing list