native pkcs#11 and dynamic signing issues
Arun N S
arun at arunns.com
Thu Jan 21 09:40:40 UTC 2016
Running BIND 9.10.3-7.P2 with softhsm-2.0.0rc1-3 on Fedora 23.
I was able to sign the zones with the dnssec-signzone-pkcs11 command line,
# dnssec-signzone-pkcs11 example.com
Verifying the zone using the following algorithms: RSASHA2.
Zone fully signed:
Algorithm: RSASHA2: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 1 active, 0 stand-by, 0 revoked
but with dynamic signing the logs were showing:
"dns_dnssec_findmatchingkeys: error reading key file Kexample.com.+008+01234.private: no engine"
Zone configuration:
zone "example.com" IN {
    type master;
    file "zones/example.com";
    auto-dnssec maintain;
    inline-signing yes;
};
# rndc sign example.com
received control channel command 'sign example.com'
zone example.com/IN (signed): reconfiguring zone keys
dns_dnssec_findmatchingkeys: error reading key file Kexample.com.+008+01234.private: no engine
dns_dnssec_findmatchingkeys: error reading key file Kexample.+008+05678.private: no engine
zone example.com/IN (signed): next key event: 21-Jan-2016 13:36:59.184
Any idea?
Thanks,
Arun