dnssec-keygen,bind-native-pkcs11,removing key/key-directory
sibu
sibxol at btconnect.com
Sun Oct 12 09:41:02 UTC 2014
Greetings
My computer has these:-
--os 64 bit blfs linux, bind-9.10.1, softhsm2(beta) (i.e. I am playing with
bind-9.10.1 and the new native-pkcs11 interface and softhsm2(beta)).
For generating keys for dnssec two utilities, -A- dnssec-keygen or -B-
pkcs11-keygen, can be used.
-A- gives more functionality, but then the keys have to be transformed using
(i) softhsm2-keyconv (which transforms to pkcs8, e.g. PEM format) and then (ii)
softhsm2-util to transfer to the HSM.
-B- also gives generation of the key, this time directly on the HSM.
I want to have a go with -A- for no other reason than that it gives more
flexibility for key-rollovers. Running -A- requires specifying
a key directory where the key is generated. I would like to know from the
bind experts
a) if this directory information is encoded in the generated key (i.e. the
KSK in this case ) AND
b) if it is safe to remove the key and key directory after softhsm2-keyconv
has been run and the transformed key successfully transferred to the HSM.
Thanks in advance
yours sincerely
sbuXolo
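As an added example (not part of the original post or of BIND/SoftHSM): a small Python script that parses the two files dnssec-keygen writes for a key, `K<zone>+<alg>+<tag>.key` (the public DNSKEY record) and `K<zone>+<alg>+<tag>.private` (BIND's `Private-key-format: v1.3` text), returns the field names each one carries so you can see for yourself what metadata travels with the key, and recomputes the key tag from the DNSKEY RDATA (RFC 4034 Appendix B) so the key you later import into the HSM can be tied back to the zone's DNSKEY by tag. The file contents below are constructed samples: the zone name, timestamps and RSA parameters are placeholders, not a real key.

```python
import base64
import struct

# Constructed sample of the public .key file dnssec-keygen writes for a KSK.
# The owner name, timestamps and key material are placeholders.
SAMPLE_KEY_FILE = """; This is a key-signing key, keyid 2063, for example.com.
; Created: 20141012094102 (Sun Oct 12 09:41:02 2014)
; Publish: 20141012094102 (Sun Oct 12 09:41:02 2014)
; Activate: 20141012094102 (Sun Oct 12 09:41:02 2014)
example.com. IN DNSKEY 257 3 8 AQIDBA==
"""

# Constructed sample of the matching .private file (v1.3 layout).
# The values are placeholder base64, not real RSA parameters.
SAMPLE_PRIVATE_FILE = """Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: AQIDBA==
PublicExponent: AQAB
PrivateExponent: AQIDBA==
Prime1: AQID
Prime2: BAUG
Exponent1: AQID
Exponent2: BAUG
Coefficient: AQID
Created: 20141012094102
Publish: 20141012094102
Activate: 20141012094102
"""


def parse_private(text):
    """Return the .private file as an ordered list of (field, value) pairs.
    Every non-empty line has the shape 'Field: value'."""
    fields = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def private_field_names(text):
    """Just the field names, which is what tells you what the file stores."""
    return [name for name, _ in parse_private(text)]


def parse_dnskey(text):
    """Pull owner, flags, protocol, algorithm and the raw public key out of
    the DNSKEY record in a .key file (lines starting with ';' are comments)."""
    for line in text.splitlines():
        if line.startswith(";") or not line.strip():
            continue
        parts = line.split()
        # owner [ttl] [class] DNSKEY flags protocol algorithm base64...
        idx = parts.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in parts[idx + 1:idx + 4])
        pubkey = base64.b64decode("".join(parts[idx + 4:]))
        return {"owner": parts[0], "flags": flags, "protocol": protocol,
                "algorithm": algorithm, "pubkey": pubkey}
    raise ValueError("no DNSKEY record found")


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_tag_from_file(text):
    """Key tag of the DNSKEY record held in a .key file."""
    k = parse_dnskey(text)
    return key_tag(k["flags"], k["protocol"], k["algorithm"], k["pubkey"])


if __name__ == "__main__":
    k = parse_dnskey(SAMPLE_KEY_FILE)
    print("owner:", k["owner"], "flags:", k["flags"], "alg:", k["algorithm"])
    print("key tag from RDATA:", key_tag_from_file(SAMPLE_KEY_FILE))
    print(".private fields:", ", ".join(private_field_names(SAMPLE_PRIVATE_FILE)))
```

Run it against your own `K*.key` and `K*.private` files by reading them in place of the constructed strings; the field list shows exactly which metadata (algorithm, key parameters, timing fields) the private file holds, and the tag lets you match the DNSKEY in the zone with the key you have moved into the HSM before any on-disk copy is disposed of.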