On 8 Oct 2012, at 08:30, 刘硕 <[email protected]> wrote:

> We have been testing DNSSEC with OpenDNSSEC+SoftHSM, it has been working well.
> But recently we decided to buy a HSM to replace SoftHSM to do signing work and
> keys storage. After consulting with some of the HSM vendors here, we found out
> that almost no devices can cooperate with OpenDNSSEC.

This is very surprising to me, as we have proven interoperability with quite a few HSMs; see https://wiki.opendnssec.org/display/DOCREF/HSM for a full list. What vendors have you been talking to?

> Take key generation for example, the vendors' HSM devices allow creating keys
> with a software API though they are both using PKCS#11, keys in HSM devices must
> be created manually with administrator permission and it is the same case with
> removing keys.

Yes, there exist HSMs (e.g., AEP) that can limit key generation and destruction, and OpenDNSSEC can be set up to work with those. However, all keys must be created via PKCS#11.

	jakob

-- 
Jakob Schlyter
Kirei AB - http://www.kirei.se/

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
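A pre-purchase screening script for the situation described in this thread, added here as an example and not part of the list message or of the OpenDNSSEC project: it checks whether a candidate HSM's PKCS#11 module lets the ordinary user PIN (the one OpenDNSSEC will hold in conf.xml) generate and destroy key pairs, which is what OpenDNSSEC does itself. It assumes OpenSC's pkcs11-tool and OpenDNSSEC's ods-hsmutil are installed; MODULE, TOKEN_LABEL, PIN and REPOSITORY are placeholders, shown with SoftHSM values, and SAMPLE_MECHS is a constructed mechanism listing.

```shell
#!/bin/sh
# Placeholders for the device under test (SoftHSM defaults shown).
MODULE="${MODULE:-/usr/lib/softhsm/libsofthsm2.so}"
TOKEN_LABEL="${TOKEN_LABEL:-OpenDNSSEC}"
PIN="${PIN:-1234}"                    # user PIN, as in <PIN> of conf.xml
REPOSITORY="${REPOSITORY:-SoftHSM}"   # <Repository name="..."> in conf.xml

# Constructed sample of what `pkcs11-tool -M` prints for a token that
# does and a token that does not offer RSA key-pair generation.
SAMPLE_MECHS_OK='  RSA-PKCS-KEY-PAIR-GEN, keySize={512,16384}, generate_key_pair
  RSA-PKCS, keySize={512,16384}, hw, decrypt, sign, verify'
SAMPLE_MECHS_MISSING='  RSA-PKCS, keySize={512,16384}, hw, decrypt, sign, verify'

# Step 1 (offline-checkable): does the mechanism list advertise
# CKM_RSA_PKCS_KEY_PAIR_GEN with the generate_key_pair flag?
# Reads the listing on stdin; returns 0 if present, 1 otherwise.
advertises_rsa_keypairgen() {
    grep -q 'RSA-PKCS-KEY-PAIR-GEN.*generate_key_pair'
}

# Step 2 (needs the device): generate and then destroy a key pair with
# the user PIN, not the SO/admin PIN. A token that advertises the
# mechanism but refuses here is exactly the vendor policy from the
# thread: keys may only be created or removed by an administrator.
live_keygen_check() {
    label="ods-interop-probe-$$"
    pkcs11-tool --module "$MODULE" --token-label "$TOKEN_LABEL" \
        --login --pin "$PIN" --keypairgen --key-type rsa:2048 \
        --label "$label" || return 1
    pkcs11-tool --module "$MODULE" --token-label "$TOKEN_LABEL" \
        --login --pin "$PIN" --delete-object --type privkey \
        --label "$label" || return 1
    # Repeat through OpenDNSSEC's own tooling, driven by conf.xml:
    # ods-hsmutil test creates keys, signs with them and removes them.
    ods-hsmutil test "$REPOSITORY"
}

# Run both steps against the configured module; call main to start.
main() {
    pkcs11-tool --module "$MODULE" -M | advertises_rsa_keypairgen \
        || { echo "token advertises no RSA key-pair generation"; return 1; }
    live_keygen_check
}
```

Both steps must pass for the device to be usable as an OpenDNSSEC repository; step 1 passing while step 2 fails is the case the original poster ran into.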
