On Mon, 6 Dec 2021, 12:04 Pp Xyz, <[email protected]> wrote:

> I would say it is working and has been working since around June of 2020.
>
>
> On Mon, 6 Dec 2021, 09:48 Stuart Henderson, <[email protected]> wrote:
>
>>
>> Are you certain that this worked properly
>> If you're sure it worked, can you give me some commands to type to
>> reproduce it? I tried with the docs on the wiki but they have never been
>> updated properly for 2.0 and trying to figure it out based on outdated
>> docs that aren't very good to start with, plus "what changed since
>> 1.4" is not my idea of fun.
>>
>
A small correction although it might be useful:
Original setup was done on 2020/03/12 with amd64 OpenBSD updated to current and packages from snapshots. That means opendnssec was version 2.1.6 and softhsm2 was 2.6.0 already with botan2. Most keys were generated then, even those to be used in future key changes. I believe ods-hsmutil correctly showed the test and the option to generate EDDSA ed25519 keys at the time.

At this moment, servers with the opendnssec package version from 7.0 stable, when performing ods-hsmutil test, show:

[...]
Signing with (ECDSA/SHA384) with key...
Generating ED25519 key... OK
Extracting key identifier... OK, [Key identifier]
Signing with key... OK
Deleting key... OK
Generating ED448 key... Failed

(Notice where the generation of ed25519 key appears)

This output is from test, but the options to generate a key only show:

generate <repository> rsa | dsa | gost | ecdsa [keysize]

On servers with the latest opendnssec package from snapshots, the output from ods-hsmutil test does not show the generation of ED25519 but instead:

[...]
Signing with (ECDSA/SHA384) with key...
Generating 1024 bytes of random data... OK
Extracting key identifier... OK
Generating 32-bit random data... [...]
Generating 64-bit random data... [...]

Another detail: trying to reinstall the opendnssec package with the version from stable 7.0 on a system running current requires that older libraries are available there, in this case libcrypto.so.47.0.
