I've managed to use a Cryptech (latest hardware with latest software, but no FPGA ECC as jumpers JP7 and JP8 (*) were not installed) with BIND 9.

It worked well (passes the pkcs11 system test) with a few BIND bug fixes:
- disabling MD5 broke an RSA check
- the pkcs11 system test needed to be updated
- as ECC was not accelerated by the FPGA, nsupdate over UDP timed out

The last point is of general interest: as some operations can be slower than expected, please enforce the use of TCP for nsupdate.

Some questions/comments:

(*) I think JP8 is the jumper next to JP7, and there is a JP9 after it on the same bank?

- if (when?) HMAC mechanisms become available in the PKCS#11 code, don't set the ulMinKeySize values too large: SoftHSMv2 moved from 0 to some values and now some BIND 9 system tests fail (IMHO more because they used very small sizes than because SoftHSMv2 is too strict, but I didn't look at these yet)
- with DNSSEC and inline signing or dynamic updates, the DNS server must be able to sign, so the PIN must be available somewhere, usually in a file. So it is not interesting for this particular usage to have a strong (and slow!) password system.
- is there any news about Ed25519 support? I've just finished some experiments with it (adding Ed25519 support with the OpenSSL and PKCS#11 crypto backends), so I am ready to play and/or help...
- same question about Ed448? BTW Cryptech can become the first HSM supporting Ed448!

Thanks

francis.dup...@fdupont.fr

_______________________________________________
Tech mailing list
Tech@cryptech.is
https://lists.cryptech.is/listinfo/tech