Hi Mark,

thanks a lot for your help.

I added the keystore to my config, but I'm getting another error now.

# See knot.conf(5) manual page for documentation.

server:
    listen: [ 127.0.0.1@53, ::1@53 ]

keystore:

# KSK
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

# ZSK
  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"


policy:
  - id: manual 
    manual: on
    keystore: a1b1 
    nsec3: on 
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8 

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: manual
    zonefile-load: difference
    file: example.com.zone
    storage: /etc/knot/

log:
  - target: syslog 
    any: debug


###

[root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf example.com. import-pkcs11 a1b1 algorithm=RSASHA256 size=2048 ksk=no created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Failed to initialize KASP (not implemented)

I tried with the -d parameter as well, but I got:

keymgr -d /var/lib/knot/keys/ example.com. import-pkcs11 a1b1 algorithm=RSASHA256 size=2048 ksk=no created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Error (not exists)

I read about the "keymgr init" command in former Knot versions, but it is not implemented anymore.

Do you have another idea what's going wrong?

Thanks a lot for your great help :)

best regards

-- 
Christian Petrasch 
Product Owner 
Zone Creation & Signing
IT-Services

DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY

E-Mail: petra...@denic.de
http://www.denic.de

PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49  DE61 870E 8841 549B E0AE

Information pursuant to § 25a para. 1 GenG: DENIC eG (registered office: Frankfurt am Main)
Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the Register of Cooperatives, Amtsgericht Frankfurt am Main



From:    "Mark Karpilovskij" <mark.karpilovs...@nic.cz>
To:      "Christian Petrasch" <petra...@denic.de>
Cc:      knot-dns-users@lists.nic.cz
Date:    26.11.2018 11:56
Subject: Re: [knot-dns-users] Problem to import key material of softhsm into knot



Hi Christian,
I have checked out your Knot configuration, and I suspect that the issue 
might be a missing keystore option in the policy section of your 
configuration. Try specifying the ID of the PKCS11 keystore in the policy 
section as follows:
keystore:
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"


policy: 
  - id: manual 
    manual: on 
    keystore: a1a1 
    nsec3: on 
    nsec3-iterations: 16 
    nsec3-opt-out: on 
    nsec3-salt-length: 8 
Let us know if this helps.
Best regards,
Mark
On 26. 11. 18 9:49, Christian Petrasch wrote:
Hi all,

we are testing with SoftHSM 2.5 and Knot 2.7.4.

I am trying to import the keys inside SoftHSM into keymgr to sign an example zone with them.

The key material is shown via pkcs11-tool:

[root@centos-test2 ~]# pkcs11-tool --login --list-objects --module /usr/local/lib/softhsm/libsofthsm2.so

Using slot 0 with a present token (0x285d1c08) 
Logging in to "testKSK_1". 
Please enter User PIN: 
Private Key Object; RSA 
  label:      testKSK_1 
  ID:         a1a1 
  Usage:      decrypt, sign, unwrap 
Public Key Object; RSA 1024 bits 
  label:      testZSK_1 
  ID:         a1b1 
  Usage:      encrypt, verify, wrap 
Private Key Object; RSA 
  label:      testZSK_1 
  ID:         a1b1 
  Usage:      decrypt, sign, unwrap 
Public Key Object; RSA 2048 bits 
  label:      testKSK_1 
  ID:         a1a1 
  Usage:      encrypt, verify, wrap 

###### 

The Knot config is:

[root@centos-test2 ~]# cat /etc/knot/knot.conf 
# See knot.conf(5) manual page for documentation. 

server: 
    listen: [ 127.0.0.1@53, ::1@53 ] 

keystore:
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"


policy: 
  - id: manual 
    manual: on 
    nsec3: on 
    nsec3-iterations: 16 
    nsec3-opt-out: on 
    nsec3-salt-length: 8 

zone: 
  - domain: example.com 
    dnssec-signing: on 
    dnssec-policy: manual 
    zonefile-load: difference 
    file: example.com.zone 
    storage: /etc/knot/ 

log: 
  - target: syslog 
    any: debug 

################### 

And when I try to import the key into keymgr, I run the command:

[root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf example.com. import-pkcs11 a1a1 algorithm=RSASHA256 size=2048 ksk=yes created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Error (not exists) 

### 

I don't know how I can fix this; maybe somebody can help me? The documentation of Knot is very good, but at this point it is a little bit insufficient. Does anybody have examples for this?

Thanks a lot in advance for the help.

best regards 


-- 
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
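Added example, not code from the thread or from the Knot project: a POSIX shell script covering the two things a practitioner would want to verify before running `keymgr import-pkcs11` against a SoftHSM token as discussed above. It parses the `pkcs11-tool --list-objects` output into ID/label/size triples, compares each key's real modulus size with the `size=` value intended for `keymgr`, and emits the keystore `config` value as the one-line "PKCS#11 URL, space, module path" string, passing the result through `knotc conf-check` when `knotc` happens to be installed. The object listing is a constructed copy of the one posted in the thread; the function names (`keypairs`, `key_bits`, `check_import_size`, `pkcs11_keystore_config`) are this example's own, and the token, PIN, module path, zone and KASP directory are the ones Christian used. Whether the 1024-vs-2048 mismatch the script reports for a1b1 has anything to do with the errors in the thread is not established there; the script only surfaces it.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Knot project.
# Sanity checks for the workflow discussed above: parse the pkcs11-tool
# object listing, compare each key's real modulus size with the size=
# argument you intend to pass to "keymgr import-pkcs11", and emit the
# Knot keystore "config" value as the single line Knot expects.
set -eu

# Constructed sample: the object listing from the thread, with the
# "Logging in"/PIN prompt lines removed (pkcs11-tool prints those too).
SAMPLE_OBJECTS='Using slot 0 with a present token (0x285d1c08)
Private Key Object; RSA
  label:      testKSK_1
  ID:         a1a1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      testZSK_1
  ID:         a1b1
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      testZSK_1
  ID:         a1b1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      testKSK_1
  ID:         a1a1
  Usage:      encrypt, verify, wrap'

# keypairs: read a pkcs11-tool --list-objects listing on stdin and print
# "<CKA_ID> <label> <bits>" for every ID that has both a private and a
# public key object. The modulus size is only printed on the public
# object, so that is where it is taken from.
keypairs() {
  awk '
    /^(Private|Public) Key Object/ {
      kind = ($1 == "Private") ? "priv" : "pub"
      bits = ""
      if (match($0, /[0-9]+ bits/)) bits = substr($0, RSTART, RLENGTH - 5)
      next
    }
    /^ *label:/ { label = $2; next }
    /^ *ID:/ {
      id = $2
      seen[kind, id] = 1
      labels[id] = label
      if (kind == "pub") size[id] = bits
      next
    }
    END {
      for (id in labels)
        if (seen["priv", id] && seen["pub", id])
          print id, labels[id], (size[id] == "" ? "?" : size[id])
    }' | sort
}

# key_bits <CKA_ID>: modulus size of that key pair (listing on stdin).
key_bits() {
  keypairs | awk -v id="$1" '$1 == id { print $3 }'
}

# check_import_size <CKA_ID> <size>: succeed only if the size= value you
# plan to give keymgr matches the key that is actually in the token.
check_import_size() {
  actual=$(key_bits "$1")
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# pkcs11_keystore_config <token> <pin> <module>: the value for the
# keystore "config" option. The PKCS#11 URL and the module path are
# separated by one space and must stay on one line in knot.conf.
pkcs11_keystore_config() {
  printf 'pkcs11:token=%s;pin-value=%s %s' "$1" "$2" "$3"
}

# Demo on the constructed listing. Token, PIN and module path are the
# ones from the thread; /var/lib/knot/keys is the KASP directory used
# with "keymgr -d" in the thread.
MODULE=/usr/local/lib/softhsm/libsofthsm2.so
KASP_DIR=/var/lib/knot/keys
ZONE=example.com.

printf '%s\n' "$SAMPLE_OBJECTS" | keypairs

# The thread imports a1b1 with size=2048 although the listing shows a
# 1024-bit modulus; this catches that kind of mismatch before keymgr runs.
for spec in "a1a1 2048 yes" "a1b1 2048 no"; do
  set -- $spec
  if printf '%s\n' "$SAMPLE_OBJECTS" | check_import_size "$1" "$2"; then
    echo "keymgr -d $KASP_DIR $ZONE import-pkcs11 $1 algorithm=RSASHA256 size=$2 ksk=$3"
  else
    echo "WARNING: $1 is $(printf '%s\n' "$SAMPLE_OBJECTS" | key_bits "$1") bits, not $2; fix size= before importing" >&2
  fi
done

# Write a keystore stanza with the config on one line and, if knotc is
# installed, let Knot's own parser check it. The PIN lives in this file,
# so keep it readable only by the user Knot runs as.
CONF=$(mktemp)
printf 'keystore:\n  - id: a1b1\n    backend: pkcs11\n    config: "%s"\n' \
  "$(pkcs11_keystore_config testKSK_1 5678 "$MODULE")" > "$CONF"
chmod 0600 "$CONF"
cat "$CONF"
if command -v knotc >/dev/null 2>&1; then
  knotc -c "$CONF" conf-check
fi
rm -f "$CONF"
```

In real use, pipe `pkcs11-tool --login --list-objects --module "$MODULE"` into `keypairs` instead of the constructed listing, and treat any file that carries `pin-value` like a key file: owned by the Knot user, mode 0600, not in a world-readable configuration directory.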
