playing with 9.10.3/Keyper+ and ECDSA

Vincent Levigneron vincent.levigneron at nic.fr
Mon May 9 11:44:28 UTC 2016


Hi,

I was wondering if some of you have already done some experiments with
9.10.3 and the AEP Keyper+ (openssl-1.01l patched) in order to create
ECDSA keys and sign zones. I was surprised I was able without issues to
create key objects in the HSM with the command:

> pkcs11-keygen -a ECDSAP256SHA256 -p **** -l TESTECC1

but when I try to create keys from these key objects, I get an
unexpected message:

> dnssec-keyfromlabel -a ECDSAP256SHA256 -l TESTECC1 -E pkcs11 test 
dnssec-keyfromlabel: fatal: failed to get key test/ECDSAP256SHA256: algorithm is unsupported

It is strange that it is supported by pkcs11-keygen but not by
dnssec-keyfromlabel. This is the only algorithm with that kind of
behaviour.

This is my first test with ECDSA, am I missing something? If I don't
use the Keyper+, I can create ECDSA keys and sign zones with those keys.
Strange, isn't it?

Regards.

    Vincent.

-- 
	Vincent Levigneron  A.F.N.I.C.  Vincent.Levigneron at nic.fr
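One thing a reader of this thread will want to check is whether the HSM side actually advertises the PKCS#11 mechanisms that ECDSAP256SHA256 needs (EC key-pair generation plus ECDSA signing); if it does, as the successful pkcs11-keygen run above suggests, the failure is on the BIND/engine side rather than in the token. The script below is an added example, not part of Vincent's post and not code from BIND or AEP. It assumes the mechanism names follow the `pkcs11-tool --module <lib> -M` naming convention (`ECDSA-KEY-PAIR-GEN`, `ECDSA`), and the two listings it parses are constructed, not captured from a Keyper+; in a real check you would feed that command's output into `check_ec_mechanisms` instead.

```shell
#!/bin/sh
# Added example (not from the original post): decide from a PKCS#11
# mechanism listing whether a token can hold and use an ECDSAP256SHA256 key.
# The listings below are CONSTRUCTED to resemble `pkcs11-tool -M` output;
# mechanism names are assumed to follow pkcs11-tool's naming.

# Constructed sample: token that advertises EC mechanisms.
SAMPLE_WITH_EC='Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, hw, generate_key_pair
  RSA-PKCS, keySize={1024,4096}, hw, encrypt, decrypt, sign, verify
  SHA256-RSA-PKCS, keySize={1024,4096}, hw, sign, verify
  ECDSA-KEY-PAIR-GEN, keySize={256,384}, hw, generate_key_pair
  ECDSA, keySize={256,384}, hw, sign, verify
  SHA256, digest'

# Constructed sample: RSA-only token.
SAMPLE_RSA_ONLY='Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, hw, generate_key_pair
  RSA-PKCS, keySize={1024,4096}, hw, encrypt, decrypt, sign, verify
  SHA256-RSA-PKCS, keySize={1024,4096}, hw, sign, verify
  SHA256, digest'

# has_mechanism LISTING NAME -> exit 0 if NAME is listed as a mechanism,
# 1 otherwise. Mechanism lines are the indented ones; the first field is
# the mechanism name followed by a comma.
has_mechanism() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]+[A-Z0-9-]+/ {
            name = $1; sub(/,$/, "", name)
            if (name == want) { found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# check_ec_mechanisms LISTING -> exit 0 when both EC mechanisms are present,
# 1 when either is missing. Both are needed: key-pair generation to create
# the key object (what pkcs11-keygen does), ECDSA to sign with it.
check_ec_mechanisms() {
    missing=0
    for m in ECDSA-KEY-PAIR-GEN ECDSA; do
        if has_mechanism "$1" "$m"; then
            echo "  present: $m"
        else
            echo "  MISSING: $m"
            missing=1
        fi
    done
    return $missing
}

echo "Token A (constructed, EC capable):"
check_ec_mechanisms "$SAMPLE_WITH_EC" \
    && echo "  -> token side can handle ECDSAP256SHA256; look at BIND/engine support"
echo "Token B (constructed, RSA only):"
check_ec_mechanisms "$SAMPLE_RSA_ONLY" \
    || echo "  -> token lacks EC mechanisms; ECDSA keys cannot be created here"
```

Run it against a live token with `pkcs11-tool --module /path/to/pkcs11.so -M > mechs.txt` and then `check_ec_mechanisms "$(cat mechs.txt)"`; the paths and the exact mechanism spelling are whatever your vendor's module reports, so adjust the two names if your listing uses different labels.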

