[Opendnssec-user] Evaluation of SoftHSM

Rickard Bellgrim rickard at opendnssec.org
Sun Jun 26 18:10:43 UTC 2016


SoftHSMv2 is currently at version 2.1.0 and is considered a stable release.
I have now updated that wiki page.

If you do not have any external requirements, then yes, it is up to you
to define how you should handle the keys for your zones. The security level
of SoftHSM is not comparable to real HSMs; it is more comparable to an
encrypted private key file (e.g. PKCS#8).

If your business is to provide a secure and reliable DNS service, then you
should consider using an HSM. But this depends on what type of customers you
have and what requirements they have. A large number of high value zones
will increase the probability that someone will try to steal the private
keys.

// Rickard

On Thu, Jun 23, 2016 at 9:22 PM, <opendnssec at arminpech.de> wrote:

> Hi there,
>
> I'm looking for appropriate components to set up a DNSSEC signer for
> several second level domains.
> The SoftHSM is quite interesting in terms of transparency, flexibility
> and replication or backup.
> A DNS operator is surely in charge to define the security level based on
> the requirements of the DNS zone to be signed.
> So would you refrain from using SoftHSM in production as storage backend
> for the key data?
> Is the SoftHSM v2 release marked as stable or are there any plans to do
> so? - The OpenDNSSEC wiki says it's the development release at the moment.
>
> Thanks for your effort in making DNSSEC deployments understandable and
> simpler with OpenDNSSEC :)
>
> Regards,
> Armin
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>