[Opendnssec-user] importing bind9 keys into softhsm, ods

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Dec 8 10:24:39 UTC 2009



> > makes me wonder how I decide what the label, id and pin should be for
> > the key I import. Further down that page I see

Label is a string which describes the object. Not used by OpenDNSSEC.
ID is the id of the key that you want to create. Hexadecimal. Used by OpenDNSSEC.
PIN is the PIN code that you use to login to the token.

> >  ods-ksmutil key import --cka_id <CKA_ID> --repository <repository> --zone <zone> --bits <size> --algorithm <algorithm> --keystate <state> --keytype <type> --time <time>
> >
> > and I find I don't know
> >
> > (a) what a CKA_ID is

It is the hexadecimal string from the previous step.

> > (b) the difference between active and ready for the key state

Keystate active will make the key active. It is used for signing directly. If there already is an active key, then there will be two keys signing the zone. So if you only want this key to sign the zone, then do the import directly after setup and before you start the system.

Keystate ready will add the key to the ready queue. It will become active in a future rollover if the key matches the policy.

> > This whole procedure seems like it would be usefully automated even
> > if just for the case where people are using softhsm with something like
> >
> >  ./bind9-to-softhsm ./Kexample.com.+005+42952.private EXAMPLE.COM
> >
> > and have the script figure out all the heavy lifting. But I am not
> > asking for a script :-) just some guidance on the questions above. Any
> > clues for me?

I will update the documentation.

We could have a script, but you would still need label, ID, slot, and PIN. Label and ID could be a random string.

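The procedure discussed in this thread, worked through as an added example (this script is not part of the original message and is not OpenDNSSEC's or SoftHSM's own tooling). It reads the algorithm and key size from a BIND9 `.private` file, the KSK/ZSK type from the matching `.key` file's DNSKEY flags, generates a random hexadecimal CKA_ID, and prints the conversion, SoftHSM import and `ods-ksmutil key import` commands so they can be reviewed before running. Assumptions: the SoftHSM v1 command syntax `softhsm-keyconv --topkcs8` and `softhsm --import` (SoftHSM v2 ships the same functions as `softhsm2-keyconv` and `softhsm2-util`), that `--time` accepts a `YYYY-MM-DD` date, and the function names and sample key files, which are constructed here and contain no real key material.

```shell
#!/bin/sh
# Added example, not from the thread: derive the values the SoftHSM and
# ods-ksmutil steps need from a BIND9 key pair, then print the commands.
# Assumed tool syntax (check your installed version): SoftHSM v1
# softhsm-keyconv --topkcs8 and softhsm --import (SoftHSM v2: softhsm2-keyconv,
# softhsm2-util); ods-ksmutil flags as quoted in the thread; --time as YYYY-MM-DD.
set -e
umask 077   # the converted PKCS#8 file holds the private key unencrypted

# Algorithm number from the "Algorithm: 5 (RSASHA1)" line of a .private file.
bind_key_algorithm() {
    awk -F': ' '$1 == "Algorithm" { split($2, a, " "); print a[1]; exit }' "$1"
}

# RSA key size from the Modulus line: base64 length -> bytes -> bits, computed
# arithmetically so no base64 decoder is needed.
bind_key_bits() {
    awk -F': ' '$1 == "Modulus" {
        s = $2; gsub(/[ \r]/, "", s)
        pad = 0
        if (substr(s, length(s), 1) == "=") pad++
        if (substr(s, length(s) - 1, 1) == "=") pad++
        bits = (length(s) * 3 / 4 - pad) * 8; print bits; exit
    }' "$1"
}

# KSK or ZSK from the DNSKEY flags in the .key file (257 = KSK, 256 = ZSK).
bind_key_type() {
    awk '/DNSKEY/ {
        for (i = 1; i <= NF; i++) if ($i == "DNSKEY") {
            t = ($(i + 1) == 257) ? "KSK" : "ZSK"; print t; exit
        }
    }' "$1"
}

# CKA_ID is stored as raw bytes, so it must be an even-length hex string.
valid_cka_id() {
    printf '%s' "$1" | grep -Eq '^([0-9a-f]{2})+$'
}

# 16 random bytes as 32 hex characters; any unique value works as an ID.
random_cka_id() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the commands for one key. Arguments:
#   private-file key-file zone repository slot label pin keystate cka_id
build_import_commands() {
    priv=$1 key=$2 zone=$3 repo=$4 slot=$5 label=$6 pin=$7 state=$8 cka_id=$9
    valid_cka_id "$cka_id" || { echo "bad CKA_ID: $cka_id" >&2; return 1; }
    pem="${priv%.private}.pem"
    printf 'softhsm-keyconv --topkcs8 --in %s --out %s\n' "$priv" "$pem"
    printf 'softhsm --import %s --slot %s --label %s --id %s --pin %s\n' \
        "$pem" "$slot" "$label" "$cka_id" "$pin"
    printf 'ods-ksmutil key import --cka_id %s --repository %s --zone %s --bits %s --algorithm %s --keystate %s --keytype %s --time %s\n' \
        "$cka_id" "$repo" "$zone" "$(bind_key_bits "$priv")" \
        "$(bind_key_algorithm "$priv")" "$state" "$(bind_key_type "$key")" \
        "$(date -u +%Y-%m-%d)"
    printf 'rm -f %s\n' "$pem"   # do not leave the plaintext copy behind
}

# Constructed sample key pair (no real key material): a 1024-bit RSASHA1 ZSK
# shaped like Kexample.com.+005+42952.{private,key}.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PRIV="$SAMPLE_DIR/Kexample.com.+005+42952.private"
SAMPLE_KEY="$SAMPLE_DIR/Kexample.com.+005+42952.key"
m=""; i=0
while [ "$i" -lt 42 ]; do m="$m////"; i=$((i + 1)); done
m="$m//8="   # 172 base64 chars with one pad byte = 128 bytes = 1024 bits
printf 'Private-key-format: v1.2\nAlgorithm: 5 (RSASHA1)\nModulus: %s\nPublicExponent: AQAB\n' "$m" > "$SAMPLE_PRIV"
printf 'example.com. IN DNSKEY 256 3 5 AwEAAdummykeydata\n' > "$SAMPLE_KEY"

# Dry run: print the commands so they can be reviewed, then piped to sh.
build_import_commands "$SAMPLE_PRIV" "$SAMPLE_KEY" example.com SoftHSM 0 \
    zsk-example-com 1234 active "$(random_cka_id)"
```

The script only prints; run `build_import_commands ... | sh` once the output looks right. The slot number and PIN are whatever was chosen when the SoftHSM token was initialised, and the repository name must match the one in conf.xml. As the reply notes, `active` makes the key sign immediately alongside any existing active key, so import before the system is started if this key should be the only signer.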

