Using a HSM card to sign zone

Sergio Ramirez sramirez at seciu.edu.uy
Mon Feb 17 17:52:11 UTC 2014


Yes, 

./configure --enable-threads --with-openssl=/usr/local/ssl --with-pkcs11=/usr/lunapci/lib/libCryptoki2.so 

The patched (vendor + bind) openssl is in the /usr/local/ssl directory.

A detail: the openssl version is 1.0.0e and the bind patch is for 1.0.0f.

--
Sergio R.


----- Original Message -----
From: "Billy Glynn" <billy.glynn at iedr.ie>
To: bind-users at lists.isc.org
Sent: Monday, 17 February 2014 9:32:44
Subject: Re: Using a HSM card to sign zone

Did you configure bind with the patched version of openssl?

On 14 Feb 2014, at 19:43, Sergio Ramirez <sramirez at seciu.edu.uy> wrote:

> Hi, 
> 
> We want to sign zones with bind using an HSM Luna PCI Safenet card.
> 
> The command 'dnssec-keyfromlabel' fails:
> 
> # /usr/local/sbin/dnssec-keyfromlabel -v 9 -E LunaCA3 -a RSASHA1 -l KSK1-testdnssec -f KSK testdnssec.
> dnssec-keyfromlabel: warning: ENGINE_load_private_key failed
> dnssec-keyfromlabel: info: error:2609707D:engine routines:ENGINE_load_public_key:no load function:eng_pkey.c:155:
> dnssec-keyfromlabel: info: error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
> dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found
> 
> It was installed on a Debian 4 Linux 2.6.18-6-686 server with:
>  - openssl-1.0.0e
>  - patch provided by vendor of the HSM (openssl-lunaca3-patch-1.0.0e.tar.gz)
>  - bind 9.9.2-P1
> 
> ** The commands pkcs11-keygen, pkcs11-list and other pkcs11-* distributed
> with bind are working OK. **
> 
> The key 'KSK1-testdnssec' was generated with pkcs11-keygen command.
> 
> We would like to know if anyone is using this HSM or similar.
> 
> Furthermore we would like to get some guidance to solve this problem.
> 
> Thanks in advance.
> --
> Sergio Ramírez
> 

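As an added example (not part of the thread above), a small Python decoder for the OpenSSL 1.0-style error lines quoted in the original message: it splits the packed hex code into its library/function/reason fields and groups the failures that share the ENGINE library and the "no load function" reason, which is the check to make before concluding that the engine bound at run time carries no key-loading callbacks. The sample lines are copied from the message; the helper names and the constant ERR_LIB_ENGINE = 38 (from OpenSSL's err.h) are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two error lines quoted in the thread.
SAMPLE_LINES = [
    "dnssec-keyfromlabel: info: error:2609707D:engine routines:"
    "ENGINE_load_public_key:no load function:eng_pkey.c:155:",
    "dnssec-keyfromlabel: info: error:2609607D:engine routines:"
    "ENGINE_load_private_key:no load function:eng_pkey.c:119:",
]

# OpenSSL 1.0.x packs an error into 32 bits: 8-bit library id,
# 12-bit function id, 12-bit reason id.  The ENGINE library is 38 (0x26).
ERR_LIB_ENGINE = 38
NO_LOAD_FUNCTION_TEXT = "no load function"

# error:<8 hex>:<lib name>:<func name>:<reason>:<file>:<line>:
ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):"
)


@dataclass
class OpenSSLError:
    code: int
    lib: int
    func: int
    reason: int
    lib_name: str
    func_name: str
    reason_text: str
    file: str
    line: int


def parse_openssl_error(line: str) -> Optional[OpenSSLError]:
    """Decode one OpenSSL 1.0-style error line; None if it is not one."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    return OpenSSLError(
        code=code,
        lib=code >> 24,                 # top 8 bits: library
        func=(code >> 12) & 0xFFF,      # middle 12 bits: function
        reason=code & 0xFFF,            # low 12 bits: reason
        lib_name=m.group(2), func_name=m.group(3), reason_text=m.group(4),
        file=m.group(5), line=int(m.group(6)),
    )


def engine_key_load_failures(lines: List[str]) -> List[OpenSSLError]:
    """Keep only ENGINE-library errors whose reason is 'no load function'."""
    parsed = (parse_openssl_error(l) for l in lines)
    return [e for e in parsed
            if e and e.lib == ERR_LIB_ENGINE
            and e.reason_text == NO_LOAD_FUNCTION_TEXT]
```

Both quoted lines decode to library 38 with the same reason id (0x07D), differing only in the function id (ENGINE_load_public_key vs ENGINE_load_private_key), so the failure is in the engine object's missing load hooks rather than in the key label lookup itself.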

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users