Hi Jakob,

The native PKCS#11 in BIND 9.10 is not working with these smart cards (OpenSC), apparently because OpenSC is not a full implementation of PKCS#11. In fact, the BIND documentation mentions that it will work only with the Thales nShield HSM and SoftHSMv2: http://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch04.html

The other way is using the OpenSSL libraries, and that is the reason why a custom dnssec-signzone (Richard Lamb's work) is used: it includes code to leave aside the OpenSSL libs, in order to be sure that it will work with smart cards. Then these work with OpenDNSSEC, which is interesting in this context.

Luis

> On Mar 6, 2015, at 6:06 AM, Jakob Schlyter <[email protected]> wrote:
>
> On 6 mar 2015, at 09:29, Dr Eberhard Lisse <[email protected]> wrote:
>
>> Richard Lamb has this ceremony CD which is a Centos, and there are
>> the Bind 9.8 sources, with a patch, that I have not looked at.
>
> I believe those patches were prepared before BIND had native PKCS#11 support.
>
>> Of course OpenDNSSEC can also generate the keys into the cards, but
>> unless I am missing something, this makes the preparation and
>> conduct of an auditable ceremony difficult (or impossible?)
>
> You can turn on manual key generation in OpenDNSSEC for this purpose. Or you
> can generate the keys manually with ods-hsmutil and then import them later.
>
>> I would like to be able to continue to manually sign lisse.NA with
>> dnssec-signzone on the Mac. Not only for the amusement value, but
>> also to gain experience with the tools.
>>
>> Bind 9.10.1 from homebrew does not read the card. I am unable to
>> compile it to do so. If you can get me the configure arguments to
>> do that I am going to keep you in beer for an evening until you keel
>> over :-)-O
>
> BIND from homebrew is most likely not compiled with native PKCS#11 support.
> You need to install OpenSC (see https://github.com/OpenSC/OpenSC/wiki) and
> then build BIND yourself.
>
>
> Good luck!
>
> jakob
>