[Opendnssec-user] Evaluation of SoftHSM
o***@arminpech.de
2016-06-23 19:22:07 UTC
Hi there,

I'm looking for appropriate components to set up a DNSSEC signer for
several second level domains.
The SoftHSM is quite interesting in terms of transparency, flexibility
and replication or backup.
A DNS operator is surely in charge to define the security level based on
the requirements of the DNS zone to be signed.
So would you refrain from using SoftHSM in production as storage backend
for the key data?
Is the SoftHSM v2 release marked as stable or are there any plans to do
so? - The OpenDNSSEC wiki says it's the development release at the moment.

Thanks for your effort in making DNSSEC deployments understandable and
simpler with OpenDNSSEC :)

Regards,
Armin
Rickard Bellgrim
2016-06-26 18:10:43 UTC
SoftHSMv2 is currently at version 2.1.0 and is considered a stable release.
I have now updated that wiki page.

If you do not have any external requirements, then yes, it is up to you
to define how you should handle the keys for your zones. The security level
of SoftHSM is not comparable to real HSMs; it is more comparable to an
encrypted private key file (e.g. PKCS#8).

If your business is to provide a secure and reliable DNS service, then you
should consider using an HSM. But this depends on what type of customers you
have and what requirements they have. A large number of high value zones
will increase the probability that someone will try to steal the private
keys.

// Rickard
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user