Jacob,
The plan is to lower the barrier of entry to hardware signing. And I want to do this with the package managers (on Ubuntu 12.04 LTS, and of course the others). I also want to do it in a way that remains open to upgrade (to auditable standards).

OpenDNSSEC strikes me as part of the solution, even if it has perhaps not been getting the traction it deserves :-)-O

Richard Lamb has this ceremony CD which is a CentOS, and there are the BIND 9.8 sources, with a patch, that I have not looked at. Diego and I have sexed this (card generation) up a little for the Mac :-)-O and I am thinking about my take on this for an auditable ceremony :-)-O

We are looking at OpenDNSSEC, and I have yesterday figured out what TokenLabel means :-)-O. Of course OpenDNSSEC can also generate the keys into the cards, but unless I am missing something, this makes the preparation and conduct of an auditable ceremony difficult (or impossible?)

OpenDNSSEC is overkill for lisse.NA, but once I figure it out, I can then set this up for the .NA zone. That is important, because CoCCATools already works with OpenDNSSEC, so what we then can do for those TLDs is to replace the SoftHSM with a very cheap hardware solution and offer a simple to use key generation script.

I would like to be able to continue to manually sign lisse.NA with dnssec-signzone on the Mac. Not only for the amusement value, but also to gain experience with the tools.

BIND 9.10.1 from homebrew does not read the card. I am unable to compile it to do so. If you can get me the configure arguments to do that I am going to keep you in beer for an evening until you keel over :-)-O

greetings, el

On 2015-03-06 09:19, Jakob Schlyter wrote:
> On 4 mar 2015, at 19:00, Dr Eberhard W Lisse <[email protected]> wrote:
>
>> We can sign the cards on Centos and OS X and sign zones with a
>> modified Bind9 on Centos.
>
> Out of curiosity, why would you need a "modified" bind9? I would
> expect a standard bind9 to work now since native PKCS#11 was
> added.
>
> FWIW, OpenDNSSEC has been able to sign zones using any
> OpenSC-supported smart card for many years now.
>
>
> jakob
>
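The SoftHSM-to-smart-card swap and the TokenLabel point discussed in the message, shown as an OpenDNSSEC conf.xml RepositoryList fragment. This is an added example, not from the message or the OpenDNSSEC project; module paths, token labels, the repository name "SmartCard" and the PINs are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: only the RepositoryList section of conf.xml is shown;
     Common, Enforcer and Signer sections are still required. -->
<Configuration>
  <RepositoryList>
    <!-- Software token (the default). Private keys live on disk in the
         SoftHSM database, so anyone who can read it can sign. -->
    <Repository name="SoftHSM">
      <Module>/usr/lib/softhsm/libsofthsm.so</Module>   <!-- placeholder path -->
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
      <SkipPublicKey/>
    </Repository>

    <!-- Hardware token through an OpenSC-style PKCS#11 module. TokenLabel
         must equal the label the card was initialised with; OpenDNSSEC
         selects the slot by that label, not by slot number. Private keys
         never leave the card, which is what makes a ceremony auditable. -->
    <Repository name="SmartCard">
      <Module>/usr/lib/opensc-pkcs11.so</Module>         <!-- placeholder path -->
      <TokenLabel>lisse-ksk-card</TokenLabel>             <!-- placeholder label -->
      <PIN>EXAMPLE-PIN</PIN>                              <!-- placeholder; or omit and supply at runtime -->
      <Capacity>4</Capacity>                              <!-- small cards hold few keys -->
      <SkipPublicKey/>
    </Repository>
  </RepositoryList>
</Configuration>
```

In kasp.xml the KSK and ZSK `<Repository>` elements then name "SmartCard" instead of "SoftHSM"; keep conf.xml readable only by the OpenDNSSEC user if the PIN stays in the file.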
