SoftHSM is an open-source, completely free command-line software package implemented in C++ and designed from the outset to act as an implementation of a cryptographic store that can be accessed only through a PKCS#11 interface.
The software can be used to explore PKCS#11 without having an HSM (Hardware Security Module) for OpenDNSSEC. It comes with a wide range of features implemented as command-line options, which are summarised in the next section.
Features at a glance
Key features include support for signing DNS (Domain Name System) zones so that they integrate seamlessly into an existing system, support for signing zone files, and support for signing zone transfers via the AXFR (Authoritative Transfer) mechanism. Additionally, the program is fully automatic and supports manual key rollover (also known as emergency key rollover),
It’s scalable, flexible and secure
It is scalable software that can sign zones containing numerous records, supports signing of one or multiple zones, and supports sharing of keys between zones. SoftHSM is also a very flexible application that lets you easily define a zone signing policy, such as the signature interval, key length or key lifetime.
The program is very secure and can be used on a wide variety of UNIX-like operating systems. It supports SHA2 and SHA1/RSA signatures, supports denial of existence via NSEC3 or NSEC, supports checking the compatibility between OpenDNSSEC and an HSM, and offers a built-in auditing function that can be used to set up a DNSSEC (Domain Name System Security Extensions) testbed.
Other notable features include support for comparing outgoing signed zones with incoming unsigned zones, and use of the OpenDNSSEC software to store cryptographic data in the Hardware Security Module (HSM), with which it communicates via the industry-standard PKCS#11 interface.