Navigation

Appendices

Compatible PKCS #11 Devices

This section has informative character. Knot DNS has been tested with several devices which claim to support PKCS #11 interface. The following table indicates which algorithms and operations have been observed to work. Please notice minimal GnuTLS library version required for particular algorithm support.

  Key generate Key import ED25519 256-bit ECDSA 256-bit ECDSA 384-bit RSA 1024-bit RSA 2048-bit RSA 4096-bit
Feitian ePass 2003 yes no no no no yes yes no
SafeNet Network HSM (Luna SA 4) yes no no no no yes yes yes
SoftHSM 2.0 yes yes no yes yes yes yes yes
Trustway Proteccio NetHSM yes ECDSA only no yes yes yes yes yes
Ultra Electronics CIS Keyper Plus (Model 9860-2) yes RSA only no yes yes yes yes yes
Utimaco SecurityServer (V4) [1] yes yes no yes yes yes yes yes
[1]Requires setting the number of background workers to 1!

The following table summarizes supported DNSSEC algorithm numbers and minimal GnuTLS library version required. Any algorithm may work with older library, however the supported operations may be limited (e.g. private key import).

  Numbers GnuTLS version
ED25519 15 3.6.0 or newer
ECDSA 13, 14 3.4.8 or newer
RSA 5, 7, 8, 10 3.4.6 or newer

Table Of Contents

Previous topic

Migration

This Page

Navigation

© Copyright Copyright 2010–2021, CZ.NIC, z.s.p.o.. Created using Sphinx 1.1.3.