Appendices¶
Compatible PKCS #11 Devices¶
This section has informative character. Knot DNS has been tested with several devices which claim to support PKCS #11 interface. The following table indicates which algorithms and operations have been observed to work. Please notice minimal GnuTLS library version required for particular algorithm support.
| Key generate | Key import | ED25519 256-bit | ECDSA 256-bit | ECDSA 384-bit | RSA 1024-bit | RSA 2048-bit | RSA 4096-bit | |
|---|---|---|---|---|---|---|---|---|
| Feitian ePass 2003 | yes | no | no | no | no | yes | yes | no |
| SafeNet Network HSM (Luna SA 4) | yes | no | no | no | no | yes | yes | yes |
| SoftHSM 2.0 [1] | yes | yes | yes | yes | yes | yes | yes | yes |
| Trustway Proteccio NetHSM | yes | ECDSA only | no | yes | yes | yes | yes | yes |
| Ultra Electronics CIS Keyper Plus (Model 9860-2) | yes | RSA only | no | yes | yes | yes | yes | yes |
| Utimaco SecurityServer (V4) [2] | yes | yes | no | yes | yes | yes | yes | yes |
| [1] | Algorithms supported depend on support in OpenSSL on which SoftHSM relies. A command similar to the following may be used to verify what algorithms are supported: $ pkcs11-tool --modul /usr/lib64/pkcs11/libsofthsm2.so -M. |
| [2] | Requires setting the number of background workers to 1! |
The following table summarizes supported DNSSEC algorithm numbers and minimal GnuTLS library version required. Any algorithm may work with older library, however the supported operations may be limited (e.g. private key import).
| Numbers | GnuTLS version | |
|---|---|---|
| ED25519 | 15 | 3.6.0 or newer |
| ECDSA | 13, 14 | 3.4.8 or newer |
| RSA | 5, 7, 8, 10 | 3.4.6 or newer |
