Using a HSM card to sign zone

Emil Natan shlyoko at gmail.com
Sun Feb 16 15:06:59 UTC 2014


Hi,

I tested Safenet's Luna SA (the network appliance and not the card) a
year ago. It did not work using the openssl patch provided with BIND, but
in the end, with some assistance from Safenet's engineers and a
proprietary engine provided by them, we made it work. I presume it will
also work with the PCI card because the appliance is generally the same
card in a box. I had very similar issues: the pkcs11-* commands worked and
the dnssec-* ones did not.
I had no issues with the HSMs from Utimaco, AEP and ARX.

ena


On Fri, Feb 14, 2014 at 9:43 PM, Sergio Ramirez <sramirez at seciu.edu.uy> wrote:

> Hi,
>
> We want to sign zones with bind using an HSM Luna PCI Safenet card.
>
> The command 'dnssec-keyfromlabel' fails:
>
> # /usr/local/sbin/dnssec-keyfromlabel -v 9 -E LunaCA3 -a RSASHA1 -l
> KSK1-testdnssec -f KSK testdnssec.
> dnssec-keyfromlabel: warning: ENGINE_load_private_key failed
> dnssec-keyfromlabel: info: error:2609707D:engine
> routines:ENGINE_load_public_key:no load function:eng_pkey.c:155:
> dnssec-keyfromlabel: info: error:2609607D:engine
> routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
> dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found
>
> It was installed on Debian 4 Linux 2.6.18-6-686 server with:
>   - openssl-1.0.0e
>   - patch provided by vendor of the HSM
> (openssl-lunaca3-patch-1.0.0e.tar.gz)
>   - bind 9.9.2-P1
>
> ** The commands pkcs11-keygen, pkcs11-list and other pkcs11-* distributed
> with bind are working OK. **
>
> The key 'KSK1-testdnssec' was generated with pkcs11-keygen command.
>
> We would like to know if anyone is using this HSM or a similar one.
>
> Furthermore we would like to get some guidance to solve this problem.
>
> Thanks in advance.
> --
> Sergio Ramírez
>
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
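As an added example (not code from either poster), a small Python diagnostic that decodes the packed OpenSSL 1.0.x error codes in the quoted dnssec-keyfromlabel output and classifies the failure. It assumes the ENGINE constants from OpenSSL 1.0.x engine.h (the quoted hex codes are consistent with them) and treats working pkcs11-* tools as evidence that the token itself is reachable, so only the OpenSSL engine path is suspect.

```python
import re

# OpenSSL 1.0.x packs an error code as (lib << 24) | (func << 12) | reason (ERR_PACK).
# These ENGINE constants are from OpenSSL 1.0.x engine.h and match the hex codes
# quoted in the thread: 0x2609607D / 0x2609707D -> lib 0x26, func 0x096/0x097, reason 0x07D.
ERR_LIB_ENGINE = 38
ENGINE_FUNCTIONS = {150: "ENGINE_load_private_key", 151: "ENGINE_load_public_key"}
ENGINE_R_NO_LOAD_FUNCTION = 125

ERR_LINE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

def unpack_error(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_openssl_errors(text):
    """Return one dict per 'error:XXXXXXXX:lib:func:reason:file:line:' entry in text."""
    found = []
    for m in ERR_LINE.finditer(text):
        lib, func, reason = unpack_error(int(m.group("code"), 16))
        found.append({"lib": lib, "func": func, "reason": reason,
                      "func_name": m.group("func"), "reason_text": m.group("reason")})
    return found

def diagnose(stderr_text, pkcs11_tools_work):
    """Classify a dnssec-keyfromlabel failure; pkcs11_tools_work=True means the
    pkcs11-* tools reach the token, so only the OpenSSL engine path is suspect."""
    errs = parse_openssl_errors(stderr_text)
    no_load = [e for e in errs
               if e["lib"] == ERR_LIB_ENGINE and e["reason"] == ENGINE_R_NO_LOAD_FUNCTION]
    if no_load:
        funcs = sorted({ENGINE_FUNCTIONS.get(e["func"], e["func_name"]) for e in no_load})
        where = "openssl-engine" if pkcs11_tools_work else "engine-or-token"
        return ("engine-has-no-key-load-callback", funcs, where)
    if errs:
        return ("other-openssl-error", sorted({e["func_name"] for e in errs}), "unknown")
    return ("no-openssl-error", [], "unknown")

# Constructed sample: the stderr quoted in the thread, with the mail line-wrapping undone.
SAMPLE_STDERR = """\
dnssec-keyfromlabel: warning: ENGINE_load_private_key failed
dnssec-keyfromlabel: info: error:2609707D:engine routines:ENGINE_load_public_key:no load function:eng_pkey.c:155:
dnssec-keyfromlabel: info: error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found
"""
```

Running `diagnose(SAMPLE_STDERR, pkcs11_tools_work=True)` returns the "engine-has-no-key-load-callback" classification for both load functions, pointing at the engine rather than the HSM.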

