Native pkcs#11 and auto-dnssec feature
catalinl at rotld.ro
Wed Apr 8 13:52:26 UTC 2015
I'm trying to configure bind 9.10.2 to work with native pkcs#11 linked
to nShield Connect HSM.
When accessing keys in HSM a PIN code is required as keys are protected
by a softcard.
dnssec-keyfromlabel command accepts reading PIN from file (using
"pin-source" keyword), but others
like dnssec-signzone don't have something similar and the PIN has to be
My question is about the auto-dnssec feature that maintains the zone by
internally signing RRs.
How will this feature work without a PIN, since BIND needs access to
the private key when it needs
to re-sign automatically and I didn't find a way to provide the PIN
through configuration files?