[Opendnssec-user] OpenDNSSEC with SafeNet Luna HSM

Roman Serbski mefystofel at gmail.com
Mon May 16 16:54:58 CEST 2016


Please disregard it -- everything is working fine now. I had a typo in
kasp.xml which prevented loading of the new policy.

Still have a couple of questions:

- In most of the examples I've found on the Internet, people use an HSM to
store KSKs and SoftHSM for ZSKs. Is it mainly to save some HSM space?

- In my case, a newly created domain consumed 2768 bytes (I store both
public and private keys for KSK and ZSK). With the current partition
size I should be able to handle up to 150 domains, but I guess I'll
also have to consider an overhead during roll-over which will
temporarily double the consumed space? Will OpenDNSSEC purge old
ZSK/KSKs after the roll-over is finished, or will I have to delete them
manually?

Thank you.

On Sun, May 15, 2016 at 6:24 PM, Roman Serbski <mefystofel at gmail.com> wrote:
> And here is the output of vtl and lunacm commands:
>
> # /usr/safenet/lunaclient/bin/vtl listSlots
> Number of slots: 3
>
> The following slots were found:
>
> Slot Description          Label                            Serial #         Status
> ==== ==================== ================================ ================ ============
>    0 LunaNet Slot         TEST                             499171985        Present
>    1 LunaNet Slot         TEST                             455671429        Present
>    5 HA Virtual Card Slot TESTHA                           1137913123       Present
>
> # /usr/safenet/lunaclient/bin/lunacm
> LunaCM v6.2.0-15. Copyright (c) 2006-2015 SafeNet, Inc.
>
>         Available HSMs:
>
>         Slot Id ->              0
>         HSM Label ->            TEST
>         HSM Serial Number ->    499171985
>         HSM Model ->            LunaSA 6.2.0
>         HSM Firmware Version -> 6.10.9
>         HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
>         HSM Status ->           OK
>
>         Slot Id ->              1
>         HSM Label ->            TEST
>         HSM Serial Number ->    455671429
>         HSM Model ->            LunaSA 6.2.0
>         HSM Firmware Version -> 6.10.9
>         HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
>         HSM Status ->           OK
>
>         Slot Id ->              5
>         HSM Label ->            TESTHA
>         HSM Serial Number ->    1137913123
>         HSM Model ->            LunaVirtual
>         HSM Firmware Version -> 6.10.9
>         HSM Configuration ->    Luna Virtual HSM (PED) Signing With Cloning Mode
>         HSM Status ->           N/A - HA Group
>
>         Current Slot Id: 0

