Re: Native pkcs#11 and auto-dnssec feature
On 4/9/15 2:58 AM, Catalin Leanca wrote:
> If the label contains a pin-source field, tools using the generated key files will be able to use the HSM for signing and other operations without any need for an operator to manually enter a PIN.

Which, for the most part, makes the use of a PIN at all an exercise in futility.

AlanC

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Native pkcs#11 and auto-dnssec feature
Problem solved. Manual helped:

> If the label contains a pin-source field, tools using the generated key files will be able to use the HSM for signing and other operations without any need for an operator to manually enter a PIN.

Thank you!

On 08/04/15 19:21, Catalin Leanca wrote:
> Hello,
>
> It helps only for the dnssec-keyfromlabel tool, which accepts the -l parameter, but for dnssec-signzone I didn't find any reference. And the main problem is automatic internal signing with auto-dnssec.
>
> On 08/04/15 18:21, Jeremy C. Reed wrote:
>> > My question is about the auto-dnssec feature that maintains the zone by internally signing RRs. How will this feature work without a PIN, since BIND needs access to the private key when it needs to resign automatically, and I didn't find a way to provide the PIN through configuration files?
>>
>> Hi,
>>
>> Does the reference manual section about providing the PIN help?
>> http://ftp.isc.org/isc/bind9/9.10.2/doc/arm/Bv9ARM.ch04.html#id2639064
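The pin-source mechanism the thread settles on, as an added example that is not part of the thread and is not ISC's own tooling: a POSIX shell helper that builds the -l label in the form the dnssec-keyfromlabel manual documents for native PKCS#11 (pkcs11:token=...;object=...;pin-source=...) and checks the PIN file before the key files are generated, since once the PIN lives in a file that file's permissions are what remains of its protection. The token name, object name, zone and PIN file path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from ISC: helpers around the
# pin-source mechanism discussed above. Token name, object name and PIN
# file path passed by callers are constructed for illustration.

# Build the -l label for dnssec-keyfromlabel in the documented native
# PKCS#11 form: pkcs11:token=<hsm token>;object=<key label>;pin-source=<file>
build_label() {
    printf 'pkcs11:token=%s;object=%s;pin-source=%s' "$1" "$2" "$3"
}

# Write the PIN file under a 077 umask so it is created mode 0600 and is
# never, even briefly, readable by other users.
write_pin_file() {
    pinfile="$1"
    pin="$2"
    ( umask 077 && printf '%s\n' "$pin" > "$pinfile" )
}

# With pin-source the PIN sits on disk, so the file mode is what remains of
# its protection. Succeed only for a regular file whose group and other
# bits (columns 5-10 of ls -l) carry neither read nor write permission.
pin_file_ok() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1" | cut -c5-10) in
        *r*|*w*) return 1 ;;
    esac
    return 0
}

# Typical flow: verify the PIN file, then generate the key files that named
# will use for auto-dnssec re-signing. The dnssec-keyfromlabel invocation is
# printed rather than executed so this script needs no HSM to run.
generate_hsm_key() {
    zone="$1"; token="$2"; object="$3"; pinfile="$4"
    pin_file_ok "$pinfile" || {
        echo "refusing: $pinfile is readable or writable by others" >&2
        return 1
    }
    label=$(build_label "$token" "$object" "$pinfile")
    echo dnssec-keyfromlabel -a RSASHA256 -f KSK -l "$label" "$zone"
}
```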
Re: Native pkcs#11 and auto-dnssec feature
Hello,

It helps only for the dnssec-keyfromlabel tool, which accepts the -l parameter, but for dnssec-signzone I didn't find any reference. And the main problem is automatic internal signing with auto-dnssec.

On 08/04/15 18:21, Jeremy C. Reed wrote:
> > My question is about the auto-dnssec feature that maintains the zone by internally signing RRs. How will this feature work without a PIN, since BIND needs access to the private key when it needs to resign automatically, and I didn't find a way to provide the PIN through configuration files?
>
> Hi,
>
> Does the reference manual section about providing the PIN help?
> http://ftp.isc.org/isc/bind9/9.10.2/doc/arm/Bv9ARM.ch04.html#id2639064
Re: Native pkcs#11 and auto-dnssec feature
> My question is about the auto-dnssec feature that maintains the zone by internally signing RRs. How will this feature work without a PIN, since BIND needs access to the private key when it needs to resign automatically, and I didn't find a way to provide the PIN through configuration files?

Hi,

Does the reference manual section about providing the PIN help?
http://ftp.isc.org/isc/bind9/9.10.2/doc/arm/Bv9ARM.ch04.html#id2639064
Native pkcs#11 and auto-dnssec feature
Hello,

I'm trying to configure BIND 9.10.2 to work with native PKCS#11 linked to an nShield Connect HSM. When accessing keys in the HSM a PIN code is required, as the keys are protected by a softcard. The dnssec-keyfromlabel command accepts reading the PIN from a file (using the pin-source keyword), but others like dnssec-signzone don't have something similar and the PIN has to be entered manually.

My question is about the auto-dnssec feature that maintains the zone by internally signing RRs. How will this feature work without a PIN, since BIND needs access to the private key when it needs to resign automatically, and I didn't find a way to provide the PIN through configuration files?

Best regards,
Catalin LEANCA