question about DNSSEC with PKCS11
Matthijs Mekking
matthijs at isc.org
Tue Aug 8 14:30:51 UTC 2023
Hi,
The KB article was written before dnssec-policy. Unfortunately, OpenSSL
with engine_pkcs11 does not support creating keys. So if you want to use
an HSM with dnssec-policy, you will need to create the keys yourself and
you can then import them in the key-directory with dnssec-keyfromlabel.
Then, when it is time to create a new key according to BIND, it will
select a pregenerated key instead.
Sorry for this inconvenience. We are working on making dnssec-policy
work with HSMs including key generation through the OpenSSL 3.0 provider
API.
Best regards,
Matthijs
On 8/5/23 04:50, sun guonian wrote:
> hi,
>
> I have tried the DNSSEC signing test according to the document
> https://kb.isc.org/docs/bind-9-pkcs11
> (and section 5.5 of the Bv9ARM of version 9.18.16)
>
> I have two questions about it,
>
> 1. Since I use an HSM (currently SoftHSM) to store the DNSSEC key, is it
> less secure to convert the key(s) from the HSM to a .private file with
> dnssec-keyfromlabel?
>
> 2. When I configure a KASP policy, I notice that BIND will generate new key(s)
> each time it needs them, but no new object is generated in SoftHSM.
> Could BIND of this version roll the objects in the HSM/SoftHSM?
>
> Thanks in advance.
>
> Best Regards,
> SUN Guonian
>
> And my environment is,
> bind-9.18.16
> opensc-0.42
> softhsm-2.6.1
> openssl-1.1.1k from system
> RockyLinux 8
>
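The procedure Matthijs describes (generate the key pair in the token yourself, then import it into the key-directory with dnssec-keyfromlabel so that dnssec-policy picks it up instead of trying to generate one), written out as an added example that is not part of the thread, the KB article, or BIND's own code. It assumes SoftHSM2 at /usr/lib/softhsm/libsofthsm2.so, a token labelled bind9 whose user PIN sits in /var/lib/softhsm/pin, an OPENSSL_CONF that loads engine_pkcs11 as the KB article sets it up, a key-directory of /var/named/keys, and a dnssec-policy for example.net using RSASHA256 with a separate KSK and ZSK; the pkcs11: label syntax is taken from engine_pkcs11's URI form and should be compared with the label shown in the KB article for your build. The last function also speaks to question 1 in the quoted mail: it checks that a .private file written from a label carries only an Engine/Label reference and no key material, so nothing leaves the HSM.

```shell
#!/bin/sh
# Added example, not code from the thread, the ISC KB article or BIND itself.
# Pre-generates a KSK and a ZSK in a SoftHSM2 token, imports them into BIND's
# key-directory with dnssec-keyfromlabel, and checks that the .private files
# produced this way contain only a reference to the HSM object.
# All paths, labels and policy parameters below are assumptions.
set -eu

MODULE=/usr/lib/softhsm/libsofthsm2.so   # assumption: SoftHSM2 PKCS#11 module
TOKEN=bind9                               # assumption: token label
PIN_FILE=/var/lib/softhsm/pin             # assumption: file holding the user PIN
KEYDIR=/var/named/keys                    # assumption: key-directory in named.conf
ZONE=example.net
ALG=RSASHA256                             # must match the policy's "keys" clause

# Create an RSA-2048 key pair inside the token under LABEL with object id ID.
# OpenSSL 1.1.1 + engine_pkcs11 cannot generate keys, so this is done with
# OpenSC's pkcs11-tool rather than by named or dnssec-keygen.
hsm_keygen() {
    label=$1
    id=$2
    pkcs11-tool --module "$MODULE" --token-label "$TOKEN" \
        --login --pin "$(cat "$PIN_FILE")" \
        --keypairgen --key-type rsa:2048 --label "$label" --id "$id"
}

# Write K<zone>.+008+<tag>.key/.private into KEYDIR for the HSM object LABEL.
# ROLE is KSK or ZSK. The files then match a key of the same algorithm and
# role in the dnssec-policy, so named uses them the next time the policy
# needs a key of that type instead of trying to generate one.
import_label() {
    label=$1
    role=$2
    flag=""
    if [ "$role" = KSK ]; then
        flag="-f KSK"
    fi
    # pkcs11: URI form as understood by engine_pkcs11 (assumption; compare
    # with the label syntax shown in the KB article for your engine build).
    # shellcheck disable=SC2086   # $flag is intentionally word-split
    dnssec-keyfromlabel -E pkcs11 -a "$ALG" $flag -K "$KEYDIR" \
        -l "pkcs11:token=$TOKEN;object=$label;pin-source=$PIN_FILE" "$ZONE"
}

# Question 1 in the quoted mail: does this "convert" the key out of the HSM?
# A .private file written from a label holds only Engine: and Label: fields
# (base64 text telling named where the key lives); a software key written by
# dnssec-keygen holds the private components (PrivateExponent:, Prime1:,
# PrivateKey: ...). Returns 0 for a reference-only file, 1 otherwise.
private_file_is_reference() {
    file=$1
    if grep -qE '^(PrivateExponent|PrivateKey|Prime1|Prime2|Exponent1|Exponent2|Coefficient):' "$file"; then
        return 1
    fi
    if grep -q '^Engine:' "$file" && grep -q '^Label:' "$file"; then
        return 0
    fi
    return 1
}

# Only touch the token when run explicitly: ./hsm-policy-keys.sh run
if [ "${1:-}" = run ]; then
    hsm_keygen "$ZONE-ksk" 01
    hsm_keygen "$ZONE-zsk" 02
    import_label "$ZONE-ksk" KSK
    import_label "$ZONE-zsk" ZSK
    for f in "$KEYDIR"/K"$ZONE".+*.private; do
        if private_file_is_reference "$f"; then
            echo "ok: $f references the HSM object only"
        else
            echo "error: $f contains key material or no label" >&2
            exit 1
        fi
    done
    # After "rndc reload", "rndc dnssec -status $ZONE" shows which of these
    # keys the policy has taken into use.
fi
```

The HSM commands run only with the `run` argument, so the file can be sourced to reuse `private_file_is_reference` against an existing key-directory. The check does not prove the engine is wired up correctly; for that, sign a test zone with dnssec-signzone and confirm in `pkcs11-tool --list-objects` that no private object has left the token.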