[Opendnssec-user] Questions about ODS and SoftHSM

Jake Zack jake.zack at cira.ca
Wed Jun 17 14:24:04 UTC 2015


Assuming 2048 KSK, 1024 ZSK...

Would SoftHSM function properly with KSK+ZSK+rollover for 100,000 domains concurrently? Can it manage a few hundred thousand keys?

Is anyone using SoftHSM for doing mass-signing of tons of zones - all using separate keys?

How does OpenDNSSEC handle being sent a sign command for several zones at once?

Is there a maximum number of keys that SoftHSM can store?

Any limitations in the PKCS library that'd break the mass signing of tons of zones?

If someone else is doing this...I assume they have more than one signing machine with the kaspdb being replicated between signers...is there a graceful way of doing this?

What about file locking under kaspdb? I've noticed even with signing one zone with physical HSM (.CA), I'll occasionally get back a file lock when either monitoring and/or enforcerd is in the middle of something...if SoftHSM were sent a few hundred key creations at once for new customers being on-boarded, would that cause locking issues for signing that'd be ongoing at the same time?

If anyone out there has any other advice or 'gotchas' for someone looking to do a wide scale ODS/SoftHSM deployment for a large number of domains, I'd love any advice/feedback I could get.

Thanks all,

-Jacob Zack
Sr. DNS Administrator - CIRA (.CA TLD)