Native pkcs#11 and auto-dnssec feature

Catalin Leanca catalinl at
Wed Apr 8 13:52:26 UTC 2015


I'm trying to configure bind 9.10.2 to work with native pkcs#11 linked 
to nShield Connect HSM.
When accesing keys in HSM a PIN code is required as keys are protected 
by a softcard.
dnssec-keyfromlabel command accepts reading PIN from file (using 
"pin-source" keyword),but others
like dnssec-signzone don't have something similar and the PIN has to be 
entered manualy.
My question is about auto-dnssec feature that maintain zone by 
internally signing RRs.
How this feature will work without a PIN since BIND needs access to 
private key when it needs
to resign automatically and i did't find a way to provide the PIN 
throught configuration files ?

Best regards,

Catalin LEANCA

More information about the bind-users mailing list