
Knot DNS

Knot DNS is a high-performance authoritative DNS server. It supports many modern DNS features, including automatic DNSSEC signing. While its high performance makes it well-suited for root and TLD name servers, you can also use it as an authoritative DNS server for ordinary domains.

Knot DNS can integrate with an HSM via the PKCS#11 API, delegating key generation and signing operations to the HSM. Through this integration you keep your DNSSEC signing keys inside a tamper-proof, high-performance HSM: the private keys never leave the device, and Knot DNS only submits signing requests to it. This allows for professional key management throughout the key lifecycle, including key generation, backup, and rollover.
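As an added illustration (not taken from this page or from the Knot DNS project's own documentation), the following Knot DNS configuration fragment shows how the PKCS#11 delegation described above is wired together: a keystore backed by a PKCS#11 module, a DNSSEC policy that generates its keys in that keystore, and a zone that enables automatic signing under that policy. The module path, token label, PIN and zone name are placeholders.

```yaml
# Knot DNS configuration fragment (added example; placeholders marked <...>).
# The keystore section tells Knot to create and use keys through a PKCS#11
# module instead of storing PEM files on disk.
keystore:
  - id: hsm
    backend: pkcs11
    # Format: "<PKCS#11 URL> <path to the vendor's PKCS#11 library>"
    # Keep the config file readable only by the knot user: it holds the PIN.
    config: "pkcs11:token=<TOKEN-LABEL>;pin-value=<PIN> /<path>/<primus-pkcs11-module>.so"

# The policy binds automatic key management to the HSM-backed keystore.
policy:
  - id: hsm-policy
    keystore: hsm
    algorithm: ecdsap256sha256   # EC keys: small signatures, fast HSM signing
    zsk-lifetime: 30d            # ZSK rollover -> new key generated in the HSM
    ksk-lifetime: 365d           # KSK rollover; requires DS update at the parent
    rrsig-lifetime: 14d
    rrsig-refresh: 7d
    propagation-delay: 1h

# The zone opts in to automatic signing; every change to the zone triggers
# signing requests to the HSM via the keystore above.
zone:
  - domain: <example-zone>.
    storage: /var/lib/knot
    file: <example-zone>.zone
    dnssec-signing: on
    dnssec-policy: hsm-policy
```

After reloading Knot DNS, `keymgr <example-zone>. list` should show the keys as residing in the PKCS#11 keystore, and no private key material should appear under the KASP database directory.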

For an introduction to how DNSSEC works, including how zones are signed and the roles of Zone Signing Keys (ZSK) and Key Signing Keys (KSK), see this article from Cloudflare.

Knot DNS integration architecture diagram

Benefits

  • Secure your DNS: Sign your DNS zone with DNSSEC for integrity and authentication.
  • Secure your keys: Keep your DNSSEC signing keys securely inside a Primus HSM.
  • High availability: Deploy your Primus HSMs as an auto-syncing, geo-redundant cluster.
  • High performance:
    • A single X2-series Primus HSM can deliver thousands of EC key generations per second and tens of thousands of EC signatures per second. Performance scales linearly with the number of devices in a cluster.
    • Key generation is required during ZSK and KSK rollovers. Signing is required whenever the zone changes, such as when records are added or updated.

Getting Started

Follow the installation guide to learn how to set up Knot DNS together with a Primus HSM.
