On 6 Mar 2015, at 09:29, Dr Eberhard Lisse wrote:

> Richard Lamb has this ceremony CD which is a CentOS, and there are
> the Bind 9.8 sources, with a patch, that I have not looked at.

I believe those patches were prepared before BIND had native PKCS#11 support.

> Of course OpenDNSSEC can also generate the keys into the cards, but
> unless I am missing something, this makes the preparation and
> conduct of an auditable ceremony difficult (or impossible?)

You can turn on manual key generation in OpenDNSSEC for this purpose. Or you can generate the keys manually with ods-hsmutil and then import them later.

> I would like to be able to continue to manually sign lisse.NA with
> dnssec-signzone on the Mac. Not only for the amusement value, but
> also to gain experience with the tools.
>
> Bind 9.10.1 from homebrew does not read the card. I am unable to
> compile it to do so. If you can get me the configure arguments to
> do that I am going to keep you in beer for an evening until you keel
> over :-)-O

BIND from homebrew is most likely not compiled with native PKCS#11 support. You need to install OpenSC (see https://github.com/OpenSC/OpenSC/wiki) and then build BIND yourself.

Good luck!

jakob
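As an added example, not code from the thread, from BIND or from OpenDNSSEC: a small POSIX sh ceremony helper that ties the two suggestions in the reply together. It records every command it runs in a log (the point of an auditable ceremony), builds BIND with the two configure flags that enable native PKCS#11 against an OpenSC module, and does OpenDNSSEC manual key generation by creating the key with ods-hsmutil and handing its CKA_ID to the enforcer with "ods-ksmutil key import". The module path, the BIND source directory, the repository name "ceremony" and the exact wording of ods-hsmutil's "Key generation successful:" line are assumptions, not facts from the post; the CKA_ID used in dry-run mode is constructed.

```shell
#!/bin/sh
# Added example: a small ceremony helper in POSIX sh. It is not code from the
# thread, from BIND or from OpenDNSSEC. Assumptions (none of them are from the
# original post): OpenSC's PKCS#11 module is at $PKCS11_MODULE, the unpacked
# BIND 9.10 source tree is $BIND_SRC, the OpenDNSSEC repository is called
# "ceremony", and "ods-hsmutil generate" reports the new key's CKA_ID on a
# line that begins "Key generation successful:".

DRY_RUN="${DRY_RUN:-0}"                                            # 1 = log only
PKCS11_MODULE="${PKCS11_MODULE:-/usr/local/lib/opensc-pkcs11.so}"  # assumed path
BIND_SRC="${BIND_SRC:-./bind-9.10.1}"                              # assumed dir
CEREMONY_LOG="${CEREMONY_LOG:-./ceremony.log}"

# Append a timestamped record of a command to the ceremony log. The log, not
# the operator's memory, is what an auditor gets to see afterwards.
log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$CEREMONY_LOG"
}

# Log a command, then run it (unless DRY_RUN=1).
run() {
    log "$@"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# The configure flags that give BIND 9.10 native PKCS#11 support (the two flags
# BIND's own README.pkcs11 documents), pointed at the OpenSC module.
bind_configure_cmd() {
    printf './configure --enable-native-pkcs11 --with-pkcs11=%s\n' "$PKCS11_MODULE"
}

# Configure and build BIND in $BIND_SRC; "sh -c" keeps the exact configure
# line in the log.
build_bind() {
    ( cd "$BIND_SRC" && run sh -c "$(bind_configure_cmd)" && run make )
}

# Pull the CKA_ID out of ods-hsmutil's report; prints nothing if it is absent.
cka_id_from_output() {
    sed -n 's/^Key generation successful: *//p' | head -n 1
}

# Manual key generation as the reply suggests: create the key in the token with
# ods-hsmutil, then hand it to the enforcer with "ods-ksmutil key import".
# Arguments: repository zone keytype(KSK|ZSK) bits time(YYYYMMDDHHMMSS).
# Prints the CKA_ID of the new key.
generate_and_import() {
    repo=$1; zone=$2; ktype=$3; bits=$4; when=$5
    log ods-hsmutil generate "$repo" rsa "$bits"
    if [ "$DRY_RUN" = 1 ]; then
        # Constructed stand-in for the tool's output, used only offline.
        out="Generating $bits bit RSA key in repository: $repo
Key generation successful: 0123456789abcdef0123456789abcdef"
    else
        out=$(ods-hsmutil generate "$repo" rsa "$bits") || return 1
    fi
    cka_id=$(printf '%s\n' "$out" | cka_id_from_output)
    if [ -z "$cka_id" ]; then
        echo "generate_and_import: no CKA_ID in ods-hsmutil output" >&2
        return 1
    fi
    # State "generate": the key exists in the HSM but the enforcer has not
    # published it yet. Algorithm 8 is RSASHA256.
    run ods-ksmutil key import --cka_id "$cka_id" --repository "$repo" \
        --zone "$zone" --bits "$bits" --algorithm 8 \
        --keystate generate --keytype "$ktype" --time "$when" 1>&2 || return 1
    printf '%s\n' "$cka_id"
}
```

Source the file and call `build_bind`, then `generate_and_import ceremony lisse.na KSK 2048 20150306092900`; with `DRY_RUN=1` it only writes the command lines to the log, which is a cheap way to rehearse the ceremony script before the real session. Importing in the "generate" state requires `<ManualKeyGeneration/>` in the Enforcer section of conf.xml, or the enforcer will keep generating keys of its own.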
