PKCS#11 stuff: "sign-only" vs "crypto-accelerator"
Evan Hunt
each at isc.org
Wed Feb 10 18:21:48 UTC 2010
> 5. I'd really like to get away from the ugly and confusing K-files. As
> the keys are in the HSM and dnssec-signzone is talking to the HSM it
> would seem that we're so close but still need to do the extraction of
> the public key to a K-file.
The public key needs to be somewhere--in the DNSKEY RRset for your zone,
if nothing else--and a reference to the private key needs to be somewhere
that named can find it, too, or else how does named know which HSM key
to use?
The named code itself doesn't really understand HSMs; it just knows how to
load a key file. Loading the key file produces an object in memory, which
is either a blob of key data or a reference to an HSM key. Either way,
named passes that object off to openssl, which figures out what to do with
it.
> My guess is that the only real need left is the meta data in the new
> K-file format. If so, I think you would do the world a major service if
> you moved the meta data somewhere else (a single file for meta data about
> all keys?) before letting all the 9.7-changes loose in a release version.
In fact, I do wish I had done this. It's too late for 9.7.0 now, but we
may change the metadata storage in a future release. I had originally
planned to use a third K* file, probably called K*.meta, and leave the
format of the .private file alone. I talked myself out of it, and now
I've come to regret that.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
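A small inventory check for the distinction Evan describes above (a key file that carries the private key itself versus one that only points at an HSM object). This is an added example, not code from this thread or from BIND; the v1.3-style layout, the base64-encoded "Engine:"/"Label:" fields and the sample files are assumptions I constructed for illustration.

```python
"""Classify BIND-style K*.private files: raw key material vs HSM reference.

Assumed layout (an assumption, not taken from BIND source): one "Tag: value"
per line, a "Private-key-format:" header, base64 key fields for raw keys, and
base64 "Engine:"/"Label:" fields when the key lives in a PKCS#11 token.
Timing metadata (Created/Publish/Activate/...) is YYYYMMDDHHMMSS.
"""
import base64

KEY_MATERIAL_TAGS = {"Modulus", "PublicExponent", "PrivateExponent", "Prime1",
                     "Prime2", "Exponent1", "Exponent2", "Coefficient", "PrivateKey"}
METADATA_TAGS = {"Created", "Publish", "Activate", "Revoke", "Inactive", "Delete"}


def parse_private_file(text):
    """Return the Tag -> value mapping of a private key file."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            tag, value = line.split(":", 1)
            fields[tag.strip()] = value.strip()
    if "Private-key-format" not in fields:
        raise ValueError("not a BIND private key file")
    return fields


def classify_key(fields):
    """('hsm', engine, label) if only a token reference is on disk, else ('raw', None, None)."""
    has_material = any(t in fields for t in KEY_MATERIAL_TAGS)
    if "Engine" in fields and "Label" in fields:
        if has_material:  # a file should never carry both
            raise ValueError("HSM reference and key material in the same file")
        return ("hsm", base64.b64decode(fields["Engine"]).decode(),
                base64.b64decode(fields["Label"]).decode())
    if has_material:
        return ("raw", None, None)
    raise ValueError("neither key material nor an HSM reference found")


def metadata(fields):
    """Only the timing metadata, i.e. what the thread proposes moving elsewhere."""
    return {t: fields[t] for t in METADATA_TAGS if t in fields}


def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample files (no real key material).
HSM_PRIVATE = ("Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n"
               f"Engine: {_b64('pkcs11')}\nLabel: {_b64('pkcs11:object=ksk-example')}\n"
               "Created: 20100210182148\nPublish: 20100210182148\nActivate: 20100210182148\n")
RAW_PRIVATE = ("Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n"
               "Modulus: AAAAAA==\nPublicExponent: AQAB\nPrivateExponent: AAAAAA==\n"
               "Created: 20100210182148\n")
```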