Hello, I am trying to sign a zone (domain.nx) using Bind-9.7.3 with PKCS11/OpenSC. I am able to generate a key on the smartcard using pkcs11-keygen and export the meta-description info with dnssec-keyfromlabel; however, dnssec-signzone seems to have a problem finding the private key.

# ./dnssec-signzone -E pkcs11 -N unixtime -r /dev/urandom -v 5 -o domain.nx -a -A -H 2 -3 12345678 -t -k Kdomain.nx.+008+61097 domain.nx Kdomain.nx.+008+61096
dnssec-signzone: fatal: cannot sign zone with non-private dnskey Kdomain.nx.+008+61096

---

This is how I exported the key information from the smartcard, slot 1 : keyID

# ./dnssec-keyfromlabel -l 1:2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c -a RSASHA256 -f KSK domain.nx
Kdomain.nx.+008+61097
# ./dnssec-keyfromlabel -l 1:2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c -a RSASHA256 domain.nx
Kdomain.nx.+008+61096

# pkcs15-tool -D
Private RSA Key [test]
    Object Flags : [0x3], private, modifiable
    Usage        : [0xC], sign, signRecover
    Access Flags : [0x0]
    ModLength    : 1024
    Key ref      : 1
    Native       : yes
    Path         : 3f005015
    Auth ID      : 01
    ID           : 2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c
Public RSA Key [test]
    Object Flags : [0x2], modifiable
    Usage        : [0xC0], verify, verifyRecover
    Access Flags : [0x0]
    ModLength    : 1024
    Key ref      : 0
    Native       : no
    Path         : 3f0050153000
    ID           : 2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c

The Base64-encoded Label seems to match the slot:keyID of the key on the smartcard -

# more Kdomain.nx.+008+61096.private
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: rQTT+TTT+UZ5bHDgSXD9NYC7uuVm1VY8S1ssDgWnoM72xD1SHaKDcaF3YtDZ7FyvNGPwUC4nxIzCwJvhNEKbTqFvhTl1bovzMPdSZ/BfcQjYDJpDe8aF94woIIoq5ryDPGx9ymo6qQ9hhOzN0IWMbUp9q0JgTC8QnJ9Vc+Rlsf0=
PublicExponent: AQAB
Engine: cGtjczExAA==
Label: MToyZmJlM2M1MGYwYjdmZDc2Zjg2YjllZmU2YTZiYjkzMzU0N2NlNThjAA==
Created: 20110322140421
Publish: 20110322140421
Activate: 20110322140421

# more Kdomain.nx.+008+61096.key
; This is a zone-signing key, keyid 61096, for domain.nx.
; Created: 20110322140421 (Tue Mar 22 16:04:21 2011)
; Publish: 20110322140421 (Tue Mar 22 16:04:21 2011)
; Activate: 20110322140421 (Tue Mar 22 16:04:21 2011)
domain.nx. IN DNSKEY 256 3 8 AwEAAa0E0/k00/lGeWxw4Elw/TWAu7rlZtVWPEtbLA4Fp6DO9sQ9Uh2i g3Ghd2LQ2excrzRj8FAuJ8SMwsCb4TRCm06hb4U5dW6L8zD3UmfwX3EI 2AyaQ3vGhfeMKCCKKua8gzxsfcpqOqkPYYTszdCFjG1KfatCYEwvEJyf VXPkZbH9

Has anyone else had a similar problem with the signing tool?

Thanks,
Ivo

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
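An added consistency check (not part of the post, and not BIND's own code) for the key files quoted above: it parses the .private file, decodes the Engine and Label fields to confirm they name the pkcs11 engine and the expected slot:keyID, verifies that the RSA modulus in the .private file is the same one carried inside the DNSKEY RR, and recomputes the RFC 4034 key tag that the +NNNNN part of the file name has to match. It assumes only the Python 3 standard library; the embedded strings are the post's values with the mail client's line wrapping removed.

```python
import base64

# Constructed from the values quoted in the post above (the .private file and the
# DNSKEY RR of Kdomain.nx.+008+61096), with the mail client's line wrapping removed.
PRIVATE_FILE = """Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: rQTT+TTT+UZ5bHDgSXD9NYC7uuVm1VY8S1ssDgWnoM72xD1SHaKDcaF3YtDZ7FyvNGPwUC4nxIzCwJvhNEKbTqFvhTl1bovzMPdSZ/BfcQjYDJpDe8aF94woIIoq5ryDPGx9ymo6qQ9hhOzN0IWMbUp9q0JgTC8QnJ9Vc+Rlsf0=
PublicExponent: AQAB
Engine: cGtjczExAA==
Label: MToyZmJlM2M1MGYwYjdmZDc2Zjg2YjllZmU2YTZiYjkzMzU0N2NlNThjAA==
"""
DNSKEY_RR = ("domain.nx. IN DNSKEY 256 3 8 AwEAAa0E0/k00/lGeWxw4Elw/TWAu7rlZtVWPEtbLA4Fp6DO9sQ9Uh2i"
             "g3Ghd2LQ2excrzRj8FAuJ8SMwsCb4TRCm06hb4U5dW6L8zD3UmfwX3EI"
             "2AyaQ3vGhfeMKCCKKua8gzxsfcpqOqkPYYTszdCFjG1KfatCYEwvEJyfVXPkZbH9")
EXPECTED_LABEL = "1:2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c"  # slot:keyID shown by pkcs15-tool

def parse_private(text):  # 'Field: value' lines of a BIND .private file -> dict
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def decode_cstring(b64):  # Engine and Label are base64 of a NUL-terminated C string
    return base64.b64decode(b64).split(b"\0", 1)[0].decode()

def parse_dnskey(rr):  # presentation-format RR -> (flags, protocol, algorithm, pubkey bytes)
    t = rr.split()
    i = t.index("DNSKEY")
    return int(t[i + 1]), int(t[i + 2]), int(t[i + 3]), base64.b64decode("".join(t[i + 4:]))

def key_tag(flags, proto, alg, pubkey):  # RFC 4034 Appendix B; the +NNNNN in the key file name
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def check_pkcs11_key(private_text, dnskey_rr, expected_label):  # report on one key pair
    f = parse_private(private_text)
    flags, proto, alg, pubkey = parse_dnskey(dnskey_rr)
    # RFC 3110 RSA public key: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus
    elen, off = (pubkey[0], 1) if pubkey[0] else (int.from_bytes(pubkey[1:3], "big"), 3)
    exponent, modulus = pubkey[off:off + elen], pubkey[off + elen:]
    label = decode_cstring(f["Label"])
    return {
        "engine": decode_cstring(f["Engine"]),
        "label": label,
        "label_ok": label == expected_label,
        "modulus_ok": base64.b64decode(f["Modulus"]) == modulus,
        "modulus_bits": len(modulus) * 8,
        "exponent": int.from_bytes(exponent, "big"),
        "key_tag": key_tag(flags, proto, alg, pubkey),
    }
```

Run `check_pkcs11_key(PRIVATE_FILE, DNSKEY_RR, EXPECTED_LABEL)` and compare `key_tag` with the number in the file name and `modulus_bits` with the ModLength reported by pkcs15-tool; a mismatch in any field means the .private file and the token object are not describing the same key.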