Hi,
The KB article was written before dnssec-policy. Unfortunately, OpenSSL
with engine_pkcs11 does not support creating keys. So if you want to use
an HSM with dnssec-policy, you will need to create the keys yourself and
you can then import them in the key-directory with dnssec-keyfromlabel.
Then, when it is time to create a new key according to BIND, it will
select a pregenerated key instead.
Sorry for this inconvenience. We are working on making dnssec-policy
work with HSMs including key generation through the OpenSSL 3.0 provider
API.
Best regards,
Matthijs
On 8/5/23 04:50, sun guonian wrote:
hi,
I have tried the DNSSEC sign testing according the document,
https://kb.isc.org/docs/bind-9-pkcs11
<https://kb.isc.org/docs/bind-9-pkcs11>
(and section 5.5 of the Bv9ARM of version 9.18.16)
I have two questions about it,
1. since I use HSM(now is softhsm) to store the DNSSEC key, does it more
insecure to convert the key(s) from HSM to .private file with
dnssec-keyfromlabel ?
2. when I configure KASP policy, I notice that bind will generate new key(s)
each time it need, but there is no new object in softhsm generated.
Could bind
of this version roll the objects in HSM/softhsm ?
Thanks in advanced.
Best Regards,
SUN Guonian
And my environment is,
bind-9.18.16
opensc-0.42
softhsm-2.6.1
openssl-1.1.1k from system
RockyLinux 8
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users