native pkcs#11 and dynamic signing issues

Arun N S arun at
Thu Jan 21 10:08:32 UTC 2016

Thanks for the response.

My understanding is that, when you use native pkcs#11 it is not dependent
on the openssl engine. But yes the bind is chrooted. I tried to run it
without chroot and still got the same issue. The private key reference file
created by dnsseckey-fromlabel has the Engine defined as "Engine:


On Thu, Jan 21, 2016 at 1:01 PM, Tony Finch <dot at> wrote:

> Arun N S <arun at> wrote:
> >
> > but with dynamic signing the logs were showing
> >  "dns_dnssec_findmatchingkeys: error reading key file
> > no engine"
> >
> > any idea?
> Wild guess (I know nothing about PKCS#11): are you running chrooted, and
> if so is the relevant OpenSSL engine plugin in usr/lib/engines in the
> chroot?
> Tony.
> --
> f.anthony.n.finch  <dot at>
> Forth, Tyne, Dogger: South 4 or 5, backing southeast 6 or 7, perhaps gale 8
> later. Moderate or rough, occasionally slight at first. Showers, then rain.
> Good, occasionally moderate.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list