native pkcs#11 and dynamic signing issues

Arun N S arun at arunns.com
Sun Jan 24 08:32:36 UTC 2016


The issue is fixed.

I was using the default named daemon, which is not aware of the native
pkcs#11 compiled in. I started named-pkcs11, fixed a couple of permission
issues, and it worked.

# rndc sign example.com
received control channel command 'sign example.com'
zone sa/IN (signed): reconfiguring zone keys
# zone example.com/IN (signed): next key event: 24-Jan-2016 12:29:40.234
zone example.com/IN (signed): sending notifies (serial 2016012006)

--
arun



On Thu, Jan 21, 2016 at 1:08 PM, Arun N S <arun at arunns.com> wrote:

> Thanks for the response.
>
> My understanding is that when you use native pkcs#11 it is not dependent
> on the openssl engine. But yes, BIND is chrooted. I tried to run it
> without chroot and still got the same issue. The private key reference file
> created by dnssec-keyfromlabel has the Engine defined as "Engine:
> cGtjczExAA=="
>
> --
> arun
>
>
> On Thu, Jan 21, 2016 at 1:01 PM, Tony Finch <dot at dotat.at> wrote:
>
>> Arun N S <arun at arunns.com> wrote:
>> >
>> > but with dynamic signing the logs were showing
>> >  "dns_dnssec_findmatchingkeys: error reading key file
>> > Kexample.com.+008+01234.private: no engine"
>> >
>> > any idea?
>>
>> Wild guess (I know nothing about PKCS#11): are you running chrooted, and
>> if so is the relevant OpenSSL engine plugin in usr/lib/engines in the
>> chroot?
>>
>> Tony.
>> --
>> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
>> Forth, Tyne, Dogger: South 4 or 5, backing southeast 6 or 7, perhaps gale 8
>> later. Moderate or rough, occasionally slight at first. Showers, then rain.
>> Good, occasionally moderate.
>>
>
>
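The "no engine" error and the "Engine: cGtjczExAA==" line in the thread are related: that base64 value decodes to the string "pkcs11" followed by a NUL byte, so the .private file written by dnssec-keyfromlabel tells named to fetch the key through the PKCS#11 engine, and a named binary without native PKCS#11 cannot honour that reference. The script below is an added diagnostic, not code from the thread or from BIND: it decodes the Engine label of a .private file and reports a mismatch against the build of named you intend to run. The key files it reads are constructed in temporary files here (only the Engine value and the key file name come from the thread), and the "pkcs11"/"openssl" build argument to check_named_for_key is an assumed label for the caller to supply, since this script does not inspect the named binary itself.

```shell
#!/bin/sh
# Added example: decode the "Engine:" label in a BIND .private key file and
# check it against the named build that will load the key.

# Print the decoded engine name stored in a .private file ("" if the file has
# no Engine line). The value is base64 and ends in a NUL byte, which we strip.
key_engine() {
    awk -F': *' '$1 == "Engine" { print $2 }' "$1" | base64 -d | tr -d '\0'
}

# $1: path to the .private file
# $2: assumed build label for the named you run: "pkcs11" for a native
#     PKCS#11 build (named-pkcs11), "openssl" for the default build.
# Returns 0 when that build can read the key, 1 when the key references the
# pkcs11 engine but the build lacks it (the situation behind "no engine").
check_named_for_key() {
    eng=$(key_engine "$1")
    if [ "$eng" = "pkcs11" ] && [ "$2" != "pkcs11" ]; then
        echo "$1: key references engine 'pkcs11' but named is a '$2' build; expect 'no engine'" >&2
        return 1
    fi
    return 0
}

# Constructed sample key files (temporary, written by this script).
SAMPLE_PKCS11=$(mktemp)   # stands in for Kexample.com.+008+01234.private
cat > "$SAMPLE_PKCS11" <<'EOF'
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Engine: cGtjczExAA==
EOF

SAMPLE_OPENSSL=$(mktemp)  # a key with no engine reference at all
cat > "$SAMPLE_OPENSSL" <<'EOF'
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
EOF

# Usage: run the check for the build you are about to start.
check_named_for_key "$SAMPLE_PKCS11" openssl || echo "use named-pkcs11 for this key"
check_named_for_key "$SAMPLE_PKCS11" pkcs11 && echo "pkcs11 build can load the key"
check_named_for_key "$SAMPLE_OPENSSL" openssl && echo "default build can load the key"
```

Running this against the real key directory before switching daemons turns the log message into a concrete answer: an Engine label that decodes to "pkcs11" means the default named will fail with exactly the error quoted above, and named-pkcs11 is the binary that has to be started.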

