Appendices

Compatible PKCS #11 Devices

This section is informative. Knot DNS has been tested with several devices which claim to support the PKCS #11 interface. The following table indicates which algorithms and operations have been observed to work. Please note the minimal GnuTLS library version required for particular algorithm support.

Device                                           | Key generate | Key import | ED25519 256-bit | ECDSA 256-bit | ECDSA 384-bit | RSA 1024-bit | RSA 2048-bit | RSA 4096-bit
-------------------------------------------------|--------------|------------|-----------------|---------------|---------------|--------------|--------------|-------------
Feitian ePass 2003                               | yes          | no         | no              | no            | no            | yes          | yes          | no
SafeNet Network HSM (Luna SA 4)                  | yes          | no         | no              | no            | no            | yes          | yes          | yes
SoftHSM 2.0 [1]                                  | yes          | yes        | yes             | yes           | yes           | yes          | yes          | yes
Trustway Proteccio NetHSM                        | yes          | ECDSA only | no              | yes           | yes           | yes          | yes          | yes
Ultra Electronics CIS Keyper Plus (Model 9860-2) | yes          | RSA only   | no              | yes           | yes           | yes          | yes          | yes
Utimaco SecurityServer (V4) [2]                  | yes          | yes        | no              | yes           | yes           | yes          | yes          | yes

[1] The algorithms supported depend on the OpenSSL build on which SoftHSM relies. A command similar to the following may be used to verify which algorithms (PKCS #11 mechanisms) the module supports: $ pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so -M

[2] Requires setting the number of background workers to 1!

The following table summarizes the supported DNSSEC algorithm numbers and the minimal GnuTLS library version required. Any algorithm may work with an older library; however, the supported operations may be limited (e.g. private key import).

Algorithm | Numbers     | GnuTLS version
----------|-------------|---------------
ED25519   | 15          | 3.6.0 or newer
ECDSA     | 13, 14      | 3.4.8 or newer
RSA       | 5, 7, 8, 10 | 3.4.6 or newer
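As an added example (not part of the Knot DNS documentation), the following Python script parses the output of the pkcs11-tool -M check from footnote 1 and reports, per DNSSEC algorithm family in the tables above, which key sizes a token can generate and sign with and whether the installed GnuTLS meets the minimal version. The mechanism names are assumed to follow pkcs11-tool's naming and the sample output is constructed, not captured from any of the devices listed.

```python
import re

# DNSSEC algorithm numbers and minimal GnuTLS versions come from the tables above;
# the PKCS #11 mechanism names follow pkcs11-tool's naming (an assumption here).
FAMILIES = {
    "RSA": dict(numbers=(5, 7, 8, 10), gnutls=(3, 4, 6), sizes=(1024, 2048, 4096),
                sign={"RSA-PKCS", "SHA256-RSA-PKCS"}, keygen={"RSA-PKCS-KEY-PAIR-GEN"}),
    "ECDSA": dict(numbers=(13, 14), gnutls=(3, 4, 8), sizes=(256, 384),
                  sign={"ECDSA", "ECDSA-SHA256"}, keygen={"ECDSA-KEY-PAIR-GEN"}),
    "ED25519": dict(numbers=(15,), gnutls=(3, 6, 0), sizes=(256,),
                    sign={"EDDSA"}, keygen={"EC-EDWARDS-KEY-PAIR-GEN"}),
}
# One "pkcs11-tool -M" line: indented name, optional keySize={min,max}, then flags.
MECH = re.compile(r"^\s+([A-Z0-9-]+)(?:,\s*keySize=\{(\d+),(\d+)\})?(.*)$")

def parse_mechanisms(text):
    """Return {name: (min_bits, max_bits, flags)}; 0 bits means no size was printed."""
    mechs = {}
    for m in filter(None, map(MECH.match, text.splitlines())):
        name, lo, hi, rest = m.groups()
        flags = {f.strip() for f in rest.split(",") if f.strip()}
        mechs[name] = (int(lo or 0), int(hi or 0), flags)
    return mechs

def _offers(mechs, names, flag, bits):
    """True if some mechanism in `names` has `flag` and its size range covers `bits`."""
    for n in names:
        lo, hi, flags = mechs.get(n, (0, 0, set()))
        if flag in flags and (hi == 0 or lo <= bits <= hi):
            return True
    return False

def check_token(text, gnutls_version):
    """Per family: DNSSEC numbers, key sizes the token can sign/generate, GnuTLS check."""
    mechs = parse_mechanisms(text)
    return {fam: {
        "numbers": spec["numbers"],
        "gnutls_ok": tuple(gnutls_version) >= spec["gnutls"],
        "sign": [b for b in spec["sizes"] if _offers(mechs, spec["sign"], "sign", b)],
        "generate": [b for b in spec["sizes"]
                     if _offers(mechs, spec["keygen"], "generate_key_pair", b)],
    } for fam, spec in FAMILIES.items()}

# Constructed sample in pkcs11-tool -M format (not from a real token): RSA <= 2048 and ECDSA only.
SAMPLE = """\
  SHA256-RSA-PKCS, keySize={1024,2048}, hw, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, hw, generate_key_pair
  ECDSA, keySize={256,384}, hw, sign, verify
  ECDSA-KEY-PAIR-GEN, keySize={256,384}, hw, generate_key_pair
"""
```

Running check_token(SAMPLE, (3, 5, 0)) reports RSA usable at 1024 and 2048 bits but not 4096, ECDSA at both sizes, and ED25519 unusable both because the token lacks EDDSA and because GnuTLS 3.5.0 is older than 3.6.0.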