Appendices¶
Compatible PKCS #11 Devices¶
This section has informative character. Knot DNS has been tested with several devices which claim to support PKCS #11 interface. The following table indicates which algorithms and operations have been observed to work. Please notice minimal GnuTLS library version required for particular algorithm support.
| Key generate | Key import | ED25519 256-bit | ECDSA 256-bit | ECDSA 384-bit | RSA 1024-bit | RSA 2048-bit | RSA 4096-bit | |
|---|---|---|---|---|---|---|---|---|
| Feitian ePass 2003 | yes | no | no | no | no | yes | yes | no |
| SafeNet Network HSM (Luna SA 4) | yes | no | no | no | no | yes | yes | yes |
| SoftHSM 2.0 | yes | yes | no | yes | yes | yes | yes | yes |
| Trustway Proteccio NetHSM | yes | ECDSA only | no | yes | yes | yes | yes | yes |
The following table summarizes supported DNSSEC algorithm numbers and minimal GnuTLS library version required. Any algorithm may work with older library, however the supported operations may be limited (e.g. private key import).
| Numbers | GnuTLS version | |
|---|---|---|
| ED25519 | 15 | 3.6.0 or newer |
| ECDSA | 13, 14 | 3.4.8 or newer |
| RSA | 5, 7, 8, 10 | 3.4.6 or newer |
