How to keep the KSK private key offline with BIND dynamic signing?

2016-01-24 Thread Arun N S
Tried to include DNSKEY, RRSIG for the KSK manually in the unsigned zone file along with the ZSK key ($INCLUDE dynamic/example.com.+008+012345.key). The dnssec-signzone succeeded, even though it was complaining about the path for KSK. # dnssec-signzone-pkcs11 example.com dnssec-signzone: warning:

Re: native pkcs#11 and dynamic signing issues

2016-01-24 Thread Arun N S
onfiguring zone keys # zone example.com/IN (signed): next key event: 24-Jan-2016 12:29:40.234 zone example.com/IN (signed): sending notifies (serial 2016012006) -- arun On Thu, Jan 21, 2016 at 1:08 PM, Arun N S wrote: > Thanks for the response. > > My understanding is that, when you us

Re: native pkcs#11 and dynamic signing issues

2016-01-21 Thread Arun N S
defined as "Engine: cGtjczExAA==" -- arun On Thu, Jan 21, 2016 at 1:01 PM, Tony Finch wrote: > Arun N S wrote: > > > > but with dynamic signing the logs were showing > > "dns_dnssec_findmatchingkeys: error reading key file > > Kexample.com.+008+01234.priv

native pkcs#11 and dynamic signing issues

2016-01-21 Thread Arun N S
Running bind 9.10.3-7.P2, with softhsm-2.0.0rc1-3 on Fedora 23. I was able to sign the zones with dnssec-signzone-pkcs11 command line, # dnssec-signzone-pkcs11 example.com Verifying the zone using the following algorithms: RSASHA2. Zone fully signed: Algorithm: RSASHA2: KSKs: 1 active, 0 stand