question about DNSSEC with PKCS11

Jan-Piet Mens list at mens.de
Tue Aug 15 10:57:12 UTC 2023


>1. since I use HSM (now is softhsm) to store the DNSSEC key, is it more
>insecure to convert the key(s) from HSM to .private file with
>dnssec-keyfromlabel ?

Keys are not actually 'converted' with this utility; instead the .private file
links to the corresponding private (and typically unexportable) key on the HSM.
(If you look inside the .private key you'll see a "Label:" which contains the
base64-encoded "pointer" to the key on the HSM.)

In other words, use of dnssec-keyfromlabel(1) is not a security issue per se.

	-JP
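
The check described in the reply above, as an added example that is not part of the original post and not BIND code: it classifies a .private file as holding only a "Label:" reference to the HSM or holding secret key material on disk. The secret-bearing field names are an assumption about the .private format, and the sample files, including the pkcs11 label, are constructed.

```python
import base64

# Fields that hold secret key material in a BIND .private file: the RSA
# private components, plus PrivateKey (ECDSA/EdDSA). Assumed field list.
SECRET_FIELDS = {"PrivateExponent", "Prime1", "Prime2", "Exponent1",
                 "Exponent2", "Coefficient", "PrivateKey"}


def parse_private(text):
    """Parse the 'Name: value' lines of a .private file into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def classify(text):
    """Return (kind, label). kind is 'hsm-reference', 'on-disk-key',
    'mixed' (a label and secret material together) or 'unknown'."""
    fields = parse_private(text)
    has_secret = bool(SECRET_FIELDS & fields.keys())
    label = None
    if "Label" in fields:
        try:
            raw = base64.b64decode(fields["Label"], validate=True)
            label = raw.decode("utf-8", "replace").rstrip("\x00")
        except ValueError:
            label = fields["Label"]  # not valid base64: report as written
    if label is not None:
        return ("mixed" if has_secret else "hsm-reference"), label
    return ("on-disk-key" if has_secret else "unknown"), None


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample files; the label and key bytes are made up.
SAMPLE_HSM = "\n".join(["Private-key-format: v1.3",
                        "Algorithm: 13 (ECDSAP256SHA256)",
                        "Label: " + _b64("pkcs11:object=example-ksk")])
SAMPLE_DISK = "\n".join(["Private-key-format: v1.3",
                         "Algorithm: 13 (ECDSAP256SHA256)",
                         "PrivateKey: " + _b64("constructed, not a real key")])

if __name__ == "__main__":
    for name, sample in (("hsm", SAMPLE_HSM), ("disk", SAMPLE_DISK)):
        print(name, classify(sample))
```

A result of "mixed" or "on-disk-key" for a key that is supposed to live only on the HSM is the case worth investigating.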

