HSM support - knot-dns-users - lists.nic.cz

List overview All Threads
Download

HSM support

knotc issue since 3.4.1

Knot DNS 3.3.10 release

Thomas Kuechenthal

6 Led 2025 6 Led '25

15:46

Hi Guys, a happy new year to all of you! Due to policy reasons we need to make knot use a HSM in the future. Is anybody successfully using some cloud based HSM services like Google Cloud HSM for DNSSEC signing? Any information is helpful, thanks! BR Thomas

Reply

Show replies by date

Daniel Salzman

6 Led 6 Led

20:08

Hi Thomas, Unfortunately, we don't have experience with cloud-based HSMs, but this one https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-library.html appears to be feasible. Daniel On 1/6/25 15:46, Thomas Kuechenthal wrote:

Hi Guys, a happy new year to all of you! Due to policy reasons we need to make knot use a HSM in the future. Is anybody successfully using some cloud based HSM services like Google Cloud HSM for DNSSEC signing? Any information is helpful, thanks! BR Thomas --

Reply

Stefan Ubbink

8 Led 8 Led

8:42

On Mon, 6 Jan 2025 20:08:44 +0100 Daniel Salzman via knot-dns-users <knot-dns-users(a)lists.nic.cz> wrote:

Hi Thomas,

Hello Thomas,

Unfortunately, we don't have experience with cloud-based HSMs, but this one https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-library.html appears to be feasible.

We have done some test with the AWS CloudHSM, but the performance was not good enough for our big .nl zone. (This was by using OpenDNSSEC, but I do not think that matters much.) With 1 AWS HSM, we saw an average of 262 sig/sec. With 2 AWS HSMs, we saw the average increase to 524 sig/sec. I hope this helps in you search.

On 1/6/25 15:46, Thomas Kuechenthal wrote: > Hi Guys, > > a happy new year to all of you! > > Due to policy reasons we need to make knot use a HSM in the future. > Is anybody successfully using some cloud based HSM services like > Google Cloud HSM for DNSSEC signing? > > Any information is helpful, thanks! > > BR > Thomas

-- Stefan Ubbink DNS & Systems Engineer Present: Mon, Tue, Wed, Fri SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands T +31 (0)26 352 55 00 https://www.sidn.nl

Reply

John Dickinson

7 Led 7 Led

17:56

On 06/01/2025 14:46, Thomas Kuechenthal wrote:

Hi Guys, a happy new year to all of you! Due to policy reasons we need to make knot use a HSM in the future. Is anybody successfully using some cloud based HSM services like Google Cloud HSM for DNSSEC signing?

I didn't realize that cloud HSMs are a thing. However we did very briefly think that a network HSM accessible by multiple signers would be a possible solution for Multi-Signer DNSSEC RFC8901. So I would be interested the hear of any experience people have with these. regards John -- John Dickinson Sinodun Internet Technologies Ltd.

Reply

11

days inactive

13

days old

knot-dns-users@lists.nic.cz

Manage subscription

3 comments

4 participants

tags (0)

participants (4)

Daniel Salzman
John Dickinson
Stefan Ubbink
Thomas Kuechenthal