I got 8 replies. 2 ccTLD, 2 root Ops, almost everyone in s/w development or 
operational related roles, and some independent consultants.

Only one happy user, and I'd qualify that: they'd want a long-term migration 
plan off the device. This person is using Solaris.

Everyone said avoid more than 255 keys on the device. Several said use the 
import/export mechanism.

Two people explicitly mentioned the bad Linux driver. 

The overall tone of the (small sample) responses is: "this is not a good choice 
right now".


My context is not DNSSEC, it's RPKI, which has a far larger keypair requirement. 
Noting a suggestion to re-use keypairs, I'd still have to risk-manage future 
potential for multiple keys per hosted client, and exceed the on-card keystore 
size, so the suggestion to use the import/export features makes sense. Having 
said that, documentation on this is really scant, and it's hard to confirm how 
easily you can manage this given there is no explicit OpenSSL PKCS11 support 
for managing PKCS12-wrapped objects, and you are therefore using a Java or 
shell command to do the key import, followed by the OpenSSL engine, followed by 
shell/Java to remove the key.

If you use a pure Java solution it's probably more tenable.

Thank you to everyone for the response. I hope this summary meets a sense of 
privacy, and OT posting.

-G
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations