[Opendnssec-user] SoftHSM Setup Question

Rick van Rein (OpenFortress) rick at openfortress.nl
Fri Jun 21 11:51:55 UTC 2013


> I want to use OpenDNSSEC for ~15 Zones. Each zone will use their own keys (no key sharing) and the same policy for the beginning, but it should be possible to change the policy for a certain zone later. Thus I think it would be smart to start with 15 policies, although they all look the same.

It is wise to forego key sharing if you can -- and with the SoftHSM, that is certainly the case.

You'd still have the problem of importing a new policy into a zone that was acclimatised to the old policy, had timers set up and so on.  I'd bet it's hardly safer than migrating a zone from one policy to another.

We've actually edited policies at some point (for all zones tied to it) and re-imported it without difficulty; first on our stage platform, later live.  We may have been lucky.

Developers?  Is there a well-defined hackerish approach or set of constraints to stick to in order to do this safely?  It would be a rather valuable document, if not for anything else then at least to take the stress out of planning ahead as it is done here.

> I wonder what is the best setup for the SoftHSM. Shall I use a single slot/token for all keys, or should I have a dedicated slot per policy/zone?

The slots are just "plug points" for tokens, a bit like ISA slots.  (Oops, I'm carbon-dating myself here… I meant to say ultra-micro-PCI-express of course)

I think you should only consider multiple tokens if you plan on taking out part of your zones to another hosting location.

Hope this helps,
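As an added illustration (not taken from this thread or from the OpenDNSSEC project's own files), this is how the single-token versus per-location-token choice and the one-policy-per-zone layout discussed above map onto OpenDNSSEC's conf.xml and kasp.xml. The module path, token labels, PINs, policy names and key parameters are assumed values.

```xml
<!-- conf.xml (excerpt): one <Repository> per SoftHSM token; the slot is only the "plug point" -->
<Configuration>
  <RepositoryList>
    <!-- One token is enough for all zones that stay at this hosting location -->
    <Repository name="SoftHSM-siteA">
      <Module>/usr/lib/softhsm/libsofthsm.so</Module>   <!-- assumed path -->
      <TokenLabel>OpenDNSSEC-siteA</TokenLabel>        <!-- assumed label -->
      <PIN>1234</PIN>                                  <!-- assumed PIN -->
    </Repository>
    <!-- A second token only for zones that may later move to another hosting location -->
    <Repository name="SoftHSM-siteB">
      <Module>/usr/lib/softhsm/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC-siteB</TokenLabel>
      <PIN>1234</PIN>
    </Repository>
  </RepositoryList>
  <!-- Common, Enforcer and Signer sections unchanged from the stock conf.xml -->
</Configuration>

<!-- kasp.xml (excerpt): one policy per zone, identical for now, so a single zone can diverge later -->
<KASP>
  <Policy name="example-net">   <!-- assumed policy name, used by exactly one zone in zonelist.xml -->
    <Description>Initial policy for example.net; copy per zone, change only this one later</Description>
    <!-- Signatures, Denial, Zone and Parent sections as in the default policy -->
    <Keys>
      <!-- No <ShareKeys/> element here: every zone on this policy gets its own KSK and ZSK -->
      <TTL>PT3600S</TTL>
      <RetireSafety>PT3600S</RetireSafety>
      <PublishSafety>PT3600S</PublishSafety>
      <Purge>P14D</Purge>
      <KSK>
        <Algorithm length="2048">8</Algorithm>   <!-- RSA/SHA-256; assumed choice -->
        <Lifetime>P1Y</Lifetime>
        <Repository>SoftHSM-siteA</Repository>   <!-- keys for this zone live in token siteA -->
      </KSK>
      <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P90D</Lifetime>
        <Repository>SoftHSM-siteA</Repository>
      </ZSK>
    </Keys>
  </Policy>
  <!-- A zone earmarked for the other location gets a copy of this policy whose
       <Repository> elements point at SoftHSM-siteB instead -->
</KASP>
```

Each zone in zonelist.xml then names its own policy (`<Policy>example-net</Policy>` for example.net), which is what keeps a later policy change scoped to one zone.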
