Using a HSM card to sign zone

Sergio Ramirez sramirez at seciu.edu.uy
Fri Feb 14 19:43:48 UTC 2014


Hi, 

We want to sign zones with bind using an HSM Luna PCI Safenet card.
 
The command 'dnssec-keyfromlabel' fails:

# /usr/local/sbin/dnssec-keyfromlabel -v 9 -E LunaCA3 -a RSASHA1 -l KSK1-testdnssec -f KSK testdnssec.
dnssec-keyfromlabel: warning: ENGINE_load_private_key failed
dnssec-keyfromlabel: info: error:2609707D:engine routines:ENGINE_load_public_key:no load function:eng_pkey.c:155:
dnssec-keyfromlabel: info: error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found

It was installed on Debian 4 Linux 2.6.18-6-686 server with:
  - openssl-1.0.0e
  - patch provided by vendor of the HSM (openssl-lunaca3-patch-1.0.0e.tar.gz)
  - bind 9.9.2-P1

** The commands pkcs11-keygen, pkcs11-list and other pkcs11-* distributed
with bind are working OK. **

The key 'KSK1-testdnssec' was generated with pkcs11-keygen command.

We would like to know if anyone is using this HSM or a similar one.

Furthermore we would like to get some guidance to solve this problem.

Thanks in advance.
--
Sergio Ramírez
