running named built with --enable-native-pkcs11 without HSM provider library

Carl Byington carl at byington.org
Thu Jul 30 18:24:36 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> That in fact is exactly what SoftHSMv2 does.

Building bind with native pkcs11 pointing to SoftHSMv2 then requires
softhsm setup and PIN code generation. Bind cannot automatically
generate/use keys in the same manner as a default non-pkcs11 build.

What I am looking for (and I think this is the same as what Red Hat
wants) is the ability to build a bind binary (and associated utilities)
that, via some configuration changes, runs with either:

1) no PIN codes or other user input, keys stored on disk, possibly in
clear-text files just like the current /var/named/K* files we get with
non-pkcs11 builds.

OR

2) softhsm or another real HSM provider, with the keys in internal HSM
storage.

Building bind with native pkcs11 pointing to SoftHSMv2 comes very close
to that, but as far as I can see, it still requires extra manual setup
and the use of PIN codes to unlock the keys.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAlW6a4sACgkQL6j7milTFsGNegCfVxTtdG4zgeJcciRrSDbIQbKh
zJYAni65S4sMCVoHJwpKzX1caFPAixld
=OP6Q
-----END PGP SIGNATURE-----