running named built with --enable-native-pkcs11 without HSM provider library
Evan Hunt
each at isc.org
Wed Aug 6 17:31:10 UTC 2014
On Wed, Aug 06, 2014 at 05:14:53PM +0100, Tony Finch wrote:
> > Right now it is not possible, and when named is built with
> > --enable-native-pkcs11 it can not run without HSM and some PKCS#11
> > provider library.
>
> Would using SoftHSM solve your problem?
>
> http://www.opendnssec.org/softhsm/
> http://ftp.isc.org/isc/bind9/9.10.0-P2/doc/arm/Bv9ARM.ch04.html#id2666009
SoftHSM version 1 doesn't supply enough of the PKCS#11 API to meet all
of BIND's crypto needs, but SoftHSMv2 works beautifully. Last I checked,
version 2 hadn't been formally released yet, but it can be cloned from
github: https://github.com/opendnssec/SoftHSMv2.
The way things are currently set up, BIND can only drive one PKCS#11
provider library at a time. You build with a default provider, and it
can be overridden via a command line option, but that's a little
cumbersome.
I've been thinking about using a "shim" provider that would pass along
PKCS#11 primitives to a "back-end" according to context, so you could
switch seamlessly between providers -- that might be useful, for example,
if you wanted to use a proper HSM for your KSK, but SoftHSM for the ZSK
because it's faster. It might also enable us to drive an HSM that didn't
have a complete PKCS#11 implementation, using SoftHSM to fill in the
functional gaps. Haven't done any work on it, though.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users
mailing list