Hi all,

I'm trying to implement DNSSEC using BIND and SoftHSM. I'm using the pkcs11-* and dnssec-* tools to manage the keys in the HSM and sign the zones. When I store both the KSK and the ZSK under a single slot, there is no problem creating local key files with dnssec-keyfromlabel and signing the zone.

What I want to achieve is to store the KSK and the ZSK under separate slots protected with different PINs (there are 3 slots currently, 0, 1 and 2, all three with different PINs), save the PIN for the KSK slot in a local file for automatic use, and the PIN for the KSK slot I want to enter manually when needed.

The pkcs11-keygen command accepts the "-s" parameter, so I'm able to create the ZSK under slot 1 and the KSK under slot 2. When I try to create the local key files with the dnssec-keyfromlabel command, it fails to find the key objects in the HSM; it's not possible to specify a slot option, so it searches for the keys only in slot 0 and of course does not find them.

Is there a way to achieve that with BIND?

Thanks, Emil