question about DNSSEC with PKCS11

sun guonian sunguonian at gmail.com
Sat Aug 5 02:50:44 UTC 2023


hi,

I have tried the DNSSEC signing test according to the document,
https://kb.isc.org/docs/bind-9-pkcs11
(and section 5.5 of the Bv9ARM of version 9.18.16)

I have two questions about it,

1. Since I use an HSM (currently softhsm) to store the DNSSEC key, is it more
insecure to convert the key(s) from the HSM to a .private file with
dnssec-keyfromlabel?

2. When I configure a KASP policy, I notice that bind will generate new key(s)
each time it needs them, but no new object is generated in softhsm. Could
bind of this version roll the objects in the HSM/softhsm?

Thanks in advance.

Best Regards,
SUN Guonian

And my environment is,
bind-9.18.16
opensc-0.42
softhsm-2.6.1
openssl-1.1.1k from system
RockyLinux 8