Integrating BIND97 with softHSM (pkcs11)

Дима Коваленко crutch.kov at gmail.com
Wed Oct 20 07:13:18 UTC 2010


Hello

I tried to build bind-9.7.2-p2 with openssl and pkcs11 as described in ARM97
(Section 4.11.2); for the pkcs11 provider I used the library from SoftHSM-1.2.0 (the
goal is to use SoftHSM as DNSSEC key storage with BIND). It built, but
finally named failed to start. Here are the log messages:

Oct 15 14:08:45 dnssec-master1 named[41316]: starting BIND 9.7.2-P2 -c
/etc/namedb/named.conf -t /srvs/named -u bind
Oct 15 14:08:45 dnssec-master1 named[41316]: built with '--enable-threads'
'--with-pkcs11=/usr/local/lib/libsofthsm.so' '--with-openssl=/usr/local'
Oct 15 14:08:45 dnssec-master1 named[41316]: initializing DST: no engine
Oct 15 14:08:45 dnssec-master1 named[41316]: exiting (due to fatal error)


OpenSSL-0.9.8l was built with the BIND patch and the pkcs11 engine is available:
>openssl
OpenSSL> version
OpenSSL 0.9.8l 5 Nov 2009
OpenSSL> engine pkcs11 -t
(pkcs11) PKCS #11 engine support (sign only)
     [ available ]

Also I can use the pkcs11-* applications that were built with BIND to manage the
SoftHSM storage, but the applications dnssec-keyfromlabel, dnssec-signzone,
dnssec-keygen and named fail to run. The error is:

 initializing DST: no engine


Does anyone have any ideas about the case?

Thanks

P.S. Some additional info:
> uname -a
FreeBSD dnssec-master1.ripn.net 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov
21 15:02:08 UTC 2009 root at mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
amd64

-- 
Kovalenko Dmitry
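An added diagnostic, not part of the original post, that checks the pieces the failing startup above depends on: the provider path recorded in named's build options (`named -V` prints the same "built with" line as the log), whether the openssl binary on PATH reports the pkcs11 engine available, and whether named is linked against a libcrypto under the patched prefix. The /usr/local prefix is taken from the build options quoted in the post; that named looks up the engine id "pkcs11" is an assumption.

```shell
#!/bin/sh
# Added diagnostic for the "initializing DST: no engine" failure described above.
# Assumption: the openssl binary on PATH is the one named's libcrypto comes from.

# Succeed when the output of `openssl engine pkcs11 -t` marks the engine available.
engine_available() {
    # $1 = captured output of `openssl engine pkcs11 -t`
    printf '%s\n' "$1" | grep -q '\[ available \]'
}

# Print the path given to --with-pkcs11 in `named -V` output (empty if absent).
pkcs11_provider_from_buildopts() {
    # $1 = captured output of `named -V`
    printf '%s\n' "$1" | sed -n "s/.*--with-pkcs11=\([^' ]*\).*/\1/p" | head -n 1
}

# Succeed when ldd output resolves libcrypto to a path under the given prefix.
libcrypto_under_prefix() {
    # $1 = captured output of `ldd named`, $2 = prefix such as /usr/local
    printf '%s\n' "$1" | grep 'libcrypto' | grep -q "$2/"
}

# Live checks, run only where both tools are installed.
if command -v named >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    buildopts=$(named -V 2>&1)
    provider=$(pkcs11_provider_from_buildopts "$buildopts")
    [ -n "$provider" ] || echo "named was not built with --with-pkcs11"
    [ -z "$provider" ] || [ -r "$provider" ] || echo "provider $provider is not readable"
    engine_out=$(openssl engine pkcs11 -t 2>&1)
    engine_available "$engine_out" || echo "openssl on PATH does not report pkcs11 available"
    libs=$(ldd "$(command -v named)" 2>/dev/null)
    libcrypto_under_prefix "$libs" /usr/local || echo "named does not link libcrypto from /usr/local"
fi
```

If the last check reports a mismatch, the engine test passed against a different OpenSSL build than the one named loads at runtime.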