Unable to generate DNSSEC keys stored in HSM

Catalin Leanca catalinl at rotld.ro
Thu Aug 6 08:10:06 UTC 2015


Hello,

I have BIND 9.10 compiled with native PKCS#11 support and a Thales nShield 
Connect HSM.
The problem is that dnssec-keyfromlabel is unable to generate a key 
pair from the HSM.
First, the keys were generated in the HSM using OpenDNSSEC.

The keys are correctly listed by the following command:
$ sudo /usr/local/bind9.10.2/sbin/pkcs11-list -s 761406613
slot 761406613
Enter Pin:
object[0]: handle 1122 class 3 label[32] '9af889382e25222b32eb59f67c95cb53' id[16] 0x9af889382e25222b...
object[1]: handle 1123 class 3 label[32] '1095a767cb4e3ac8f5cdcb8d4a108e34' id[16] 0x1095a767cb4e3ac8...

When trying to execute the following command, I get this error:
$ sudo /usr/local/bind9.10.2/sbin/dnssec-keyfromlabel -l "pkcs11:object=9af889382e25222b32eb59f67c95cb53;pin-source=/etc/pass" -a 8 -P now -A now example.com
dnssec-keyfromlabel: fatal: failed to get key example.com/RSASHA256: not found

Any ideas on how to solve this?


Regards,

Catalin L.


More information about the bind-users mailing list