[bind10-dev] OpenDNSSEC HSM, was Planning for next sprint - input required

Jelte Jansen jelte at isc.org
Wed Dec 8 20:25:13 UTC 2010


On 12/03/2010 09:07 PM, Shane Kerr wrote:
>>
>> OpenDNSSEC has quite a sexy interface for this; the only thing you pass around
>> are key identifiers, and it figures out by itself which HSM that is to be used
>> in. I suggest we take a similar approach (i.e. not only use PKCS#11 as the
>> general backend interface, but also abstract away from HSMs in use and
>> configuration).
> 
> I wonder if we can't just use this OpenDNSSEC code? After all, we've
> tried to minimize wheel-reinvention in BIND 10....
> 

Not directly; it's BSD-licensed C code, but the implementation uses ldns for DNS
data structures and algorithm identifiers etc. So we'd at the very least have to
port it to use libdns++.

But it's quite small, actually, and before we write anything I would suggest we
take a look at the API for inspiration :)

Jelte