Hi all,
We have been testing DNSSEC with OpenDNSSEC+SoftHSM, and it has been working well.
But recently we decided to buy an HSM to replace SoftHSM for signing work and
key storage. After consulting with some of the HSM vendors here, we found out
that almost no devices can cooperate with OpenDNSSEC.
Take key generation for example: the vendors' HSM devices allow creating keys
with a software API, though they are both using PKCS#11; keys in HSM devices must be
created manually with administrator permission, and it is the same case with
removing keys.
And we also found out that HSM devices do not support <TokenLabel>, which is used
by SoftHSM's slot; only KeyLabel is supported, which means it designates a specific
key to do the signing work instead of the keys in a slot.
In short, the HSM devices are not designed as flexibly as OpenDNSSEC supposed
they should be; there are lots of incompatible places.
What should we do to avoid abandoning OpenDNSSEC? Is there any possibility
that people can do their own programming work with your APIs, if they exist, in order
to adapt to HSM devices?
Has anybody ever met the same problem as ours?
Best regards,
Stuart
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
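A pre-flight check for the situation Stuart describes, added here as an example and not code from the original post or from the OpenDNSSEC project: it reads the <Repository> entries from conf.xml, compares each <TokenLabel> against what a PKCS#11 token actually reports (CK_TOKEN_INFO.label is space-padded to 32 bytes, so the padding has to be stripped before comparing), and checks whether the private keys carry the CKA_ID that OpenDNSSEC uses to locate them. The conf.xml fragment and the token inventory are constructed sample data; the live path assumes the python-pkcs11 package and the PKCS11_MODULE / PKCS11_PIN environment variables, which are names of my own choosing.

```python
"""Pre-flight check of an OpenDNSSEC repository against a PKCS#11 token.

Added example, not code from the original post or from the OpenDNSSEC project.
Assumptions: the conf.xml <Repository> layout with <Module>, <TokenLabel> and
<PIN>; OpenDNSSEC selects the slot by matching the token label and locates keys
by CKA_ID; the optional live path uses the python-pkcs11 package. The conf.xml
fragment and the token inventory below are constructed sample data.
"""
from __future__ import annotations

import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed conf.xml fragment: one SoftHSM repository and one vendor HSM.
SAMPLE_CONF = """<Configuration><RepositoryList>
<Repository name="SoftHSM"><Module>/usr/lib/softhsm/libsofthsm2.so</Module>
<TokenLabel>OpenDNSSEC</TokenLabel><PIN>1234</PIN></Repository>
<Repository name="VendorHSM"><Module>/opt/vendor/lib/libpkcs11.so</Module>
<TokenLabel>dnssec-prod</TokenLabel><PIN>0000</PIN></Repository>
</RepositoryList></Configuration>"""


@dataclass
class Repository:
    name: str
    module: str
    token_label: str
    pin: str


@dataclass
class TokenView:
    """What a token exposes: its label and (CKA_LABEL, CKA_ID hex) per private key."""
    label: str | bytes
    keys: list[tuple[str, str]]


# Constructed inventory: a SoftHSM-style token with a 32-byte space-padded label,
# and a vendor token whose label is fixed by the device, not by the operator.
SAMPLE_TOKENS = [
    TokenView(b"OpenDNSSEC" + b" " * 22, [("ksk-2024", "a1b2c3d4"), ("zsk-2024", "")]),
    TokenView("Vendor HSM Slot 1", [("dnssec-signing-key", "0001")]),
]


def parse_repositories(conf_xml: str) -> list[Repository]:
    """Pull every <Repository> out of an OpenDNSSEC conf.xml document."""
    root = ET.fromstring(conf_xml)
    return [
        Repository(
            name=rep.get("name", ""),
            module=rep.findtext("Module", ""),
            token_label=rep.findtext("TokenLabel", ""),
            pin=rep.findtext("PIN", ""),
        )
        for rep in root.iter("Repository")
    ]


def norm_label(raw: str | bytes) -> str:
    """CK_TOKEN_INFO.label is a 32-byte field padded with spaces, not NUL-terminated;
    strip the padding so it compares cleanly with the configured <TokenLabel>."""
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8", "replace")
    return raw.rstrip()


def check_repository(repo: Repository, tokens: list[TokenView]) -> list[str]:
    """Return human-readable findings; an empty list means the repository looks usable."""
    findings: list[str] = []
    matches = [t for t in tokens if norm_label(t.label) == repo.token_label]
    if not matches:
        seen = [norm_label(t.label) for t in tokens]
        findings.append(f"{repo.name}: no token labelled {repo.token_label!r}; device exposes {seen}")
        return findings
    token = matches[0]
    if not token.keys:
        findings.append(f"{repo.name}: no private keys present; OpenDNSSEC would have to generate them itself")
    for key_label, cka_id in token.keys:
        if not cka_id:
            findings.append(f"{repo.name}: key {key_label!r} has an empty CKA_ID, which OpenDNSSEC uses to locate keys")
    return findings


def run_checks(repos: list[Repository], tokens: list[TokenView]) -> dict[str, list[str]]:
    return {repo.name: check_repository(repo, tokens) for repo in repos}


def live_tokens(module_path: str, pin: str) -> list[TokenView]:
    """Inventory real tokens through python-pkcs11 (assumed installed). A token that
    refuses the PIN is reported with an empty key list instead of aborting the run."""
    import pkcs11  # assumption: pip package python-pkcs11

    lib = pkcs11.lib(module_path)
    views = []
    for slot in lib.get_slots(token_present=True):
        token = slot.get_token()
        keys: list[tuple[str, str]] = []
        try:
            with token.open(user_pin=pin) as session:
                for obj in session.get_objects({pkcs11.Attribute.CLASS: pkcs11.ObjectClass.PRIVATE_KEY}):
                    keys.append((obj[pkcs11.Attribute.LABEL], obj[pkcs11.Attribute.ID].hex()))
        except pkcs11.exceptions.PKCS11Error:
            pass
        views.append(TokenView(token.label, keys))
    return views


if __name__ == "__main__":
    repos = parse_repositories(SAMPLE_CONF)
    module = os.environ.get("PKCS11_MODULE")  # assumption: path to the vendor's PKCS#11 .so
    tokens = live_tokens(module, os.environ.get("PKCS11_PIN", "")) if module else SAMPLE_TOKENS
    for name, findings in run_checks(repos, tokens).items():
        print(f"{name}: {'OK' if not findings else 'issues'}")
        for line in findings:
            print("  -", line)
```

Run it once before pointing OpenDNSSEC at a new repository: it turns a vague "the HSM does not support TokenLabel" into a concrete list of which labels the device does present (so one of them can go into <TokenLabel> when the device lets the operator set one) and which administrator-created keys lack the CKA_ID the signer needs.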