dnssec keys and multiple slots

Emil Natan shlyoko at gmail.com
Tue Feb 5 14:34:36 UTC 2013


Hi all,

I'm trying to implement DNSSEC using BIND and SoftHSM. I'm using the
pkcs11-* and dnssec-* tools to manage the keys in the HSM and sign the
zones. When I store both KSK and ZSK under a single slot there is no problem
creating local key files with dnssec-keyfromlabel and signing the zone. What
I want to achieve is to store the KSK and the ZSK under separate slots
protected with different PINs (there are 3 slots currently, 0, 1 and 2, all
three with different PINs), save the PIN for the KSK slot in a local file
for automatic use and the PIN for the KSK slot I want to enter manually
when needed. The pkcs11-keygen command accepts the "-s" parameter so I'm
able to create the ZSK under slot 1 and the KSK under slot 2. When I try to
create the local key files with the dnssec-keyfromlabel command it fails to
find the key objects in the HSM. It's not possible to specify a slot option,
so it searches for the keys only in slot 0 and of course does not find
them.
Is there a way to achieve that with BIND?

Thanks,
Emil