The issue is fixed.
I was using the default named daemon, which is not aware of the native
pkcs#11 compiled in. Started named-pkcs11, fixed a couple of permission
issues, and it worked.
# rndc sign example.com
received control channel command 'sign example.com'
zone sa/IN (signed): reconfiguring z
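As an added diagnostic (not code from this thread and not part of BIND or ISC's tooling), the following POSIX shell script checks the two things that resolved the issue above: whether the installed named binaries report a PKCS#11-aware build, and whether any DNSSEC private-key files reference an HSM engine the way dnssec-keyfromlabel writes them, which is what a plain named rejects with the "no engine" error quoted later in the thread. The binary names, the default key directory /var/named/keys, and the assumption that a PKCS#11 build mentions "pkcs11" in its `named -V` output are all assumptions; the key files in demo() are constructed samples, not real keys.

```shell
#!/bin/sh
# Added diagnostic; not from the thread and not part of BIND/ISC.
# Assumptions: binaries are called named / named-pkcs11, a PKCS#11-aware
# build mentions "pkcs11" in `named -V`, keys live in /var/named/keys.

# Return 0 if BINARY reports PKCS#11 support, 1 if not, 2 if not installed.
named_has_pkcs11() {
    bin="${1:-named}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    "$bin" -V 2>/dev/null | grep -qi 'pkcs11'
}

# Return 0 if a .private file holds an engine-backed (HSM) key,
# i.e. it carries an "Engine:" line; such keys need an engine-aware named.
keyfile_uses_engine() {
    grep -q '^Engine:' "$1"
}

# Print the number of engine-backed K*.private files found in DIR.
count_engine_keys() {
    n=0
    for f in "$1"/K*.private; do
        [ -f "$f" ] || continue
        keyfile_uses_engine "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Human-readable report: build support per binary, plus key count for DIR.
report() {
    dir="${1:-/var/named/keys}"   # assumed default key directory
    for b in named named-pkcs11; do
        named_has_pkcs11 "$b"; rc=$?
        case $rc in
            0) echo "$b: PKCS#11-aware build" ;;
            1) echo "$b: no PKCS#11 support (engine-backed keys will fail)" ;;
            *) echo "$b: not installed" ;;
        esac
    done
    echo "engine-backed keys in $dir: $(count_engine_keys "$dir")"
}

# Offline demo on constructed key files (not real keys); prints the count
# of engine-backed keys, which is 1 for this sample set.
demo() {
    tmp=$(mktemp -d) || return 1
    # constructed: an HSM-referencing key in the shape dnssec-keyfromlabel emits
    printf 'Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\nEngine: cGtjczExCg==\nLabel: ZG5zc2VjCg==\n' \
        > "$tmp/Kexample.com.+008+01234.private"
    # constructed: an ordinary software key with no engine reference
    printf 'Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\nModulus: AQAB\n' \
        > "$tmp/Kexample.com.+008+04321.private"
    count_engine_keys "$tmp"
    rm -rf "$tmp"
}

# Run the live report only when asked, e.g.: RUN_REPORT=1 sh check.sh /var/named/keys
if [ -n "${RUN_REPORT:-}" ]; then report "$1"; fi
```

A non-zero engine-backed key count combined with a named that reports no PKCS#11 support is exactly the mismatch this thread describes; the fix is to run the PKCS#11-aware daemon (named-pkcs11 here), not to change the key files.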
Thanks for the response.
My understanding is that, when you use native pkcs#11, it is not dependent
on the openssl engine. But yes, bind is chrooted. I tried to run it
without chroot and still got the same issue. The private key reference file
created by dnssec-keyfromlabel has the Engine define
Arun N S wrote:
>
> but with dynamic signing the logs were showing
> "dns_dnssec_findmatchingkeys: error reading key file
> Kexample.com.+008+01234.private: no engine"
>
> any idea?
Wild guess (I know nothing about PKCS#11): are you running chrooted, and
if so is the relevant OpenSSL engine plug
Running bind 9.10.3-7.P2, with softhsm-2.0.0rc1-3 on Fedora 23.
I was able to sign the zones with the dnssec-signzone-pkcs11 command line:
# dnssec-signzone-pkcs11 example.com
Verifying the zone using the following algorithms: RSASHA2.
Zone fully signed:
Algorithm: RSASHA2: KSKs: 1 active, 0 stand