[Opendnssec-user] importing bind9 keys into softhsm, ods

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Dec 8 10:24:39 UTC 2009


> > makes me wonder how I decide what the label, id and pin should be for the key I import. Further down that page I see

Label is a string which describes the object. Not used by OpenDNSSEC.
ID is the id of the key that you want to create. Hexadecimal. Used by OpenDNSSEC.
PIN is the PIN code that you use to login to the token.

> >  ods-ksmutil key import --cka_id <CKA_ID> --repository <repository> --zone <zone> --bits <size> --algorithm <algorithm> --keystate <state> --keytype <type> --time <time>
> >
> > and I find I don't know
> >
> > (a) what a CKA_ID is

It is the hexadecimal string from the previous step.

> > (b) the difference between active and ready for the key state

Keystate active will make the key active. It is used for signing directly. If there already is an active key, then there will be two keys signing the zone. So if you only want this key to sign the zone, then do the import directly after setup and before you start the system.

Keystate ready will add the key to the ready queue. It will become active in a future rollover, if the key matches the policy.

> > This whole procedure seems like it would be usefully automated even if just for the case where people are using softhsm with something like
> >
> >  ./bind9-to-softhsm ./Kexample.com.+005+42952.private EXAMPLE.COM
> >
> > and have the script figure out all the heavy lifting. But I am not asking for a script :-) just some guidance on the questions above. Any clues for me?

I will update the documentation.

We could have a script, but you would still need label, ID, slot, and PIN. Label and ID could be a random string.
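
A sketch of the helper discussed in this thread, added here as an example and not part of the original message or of OpenDNSSEC: it reads the zone and key size from a BIND9 RSA private key file, generates a random hexadecimal ID, and assembles the `ods-ksmutil key import` arguments quoted above. The function names are hypothetical, the `Algorithm:`/`Modulus:` lines are assumed to follow BIND9's v1.2 private key layout, and the sample key material is constructed.

```python
import base64
import re
import secrets

# BIND9 names private key files K<zone>.+<alg>+<keytag>.private
NAME_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.private$")

def parse_bind9_private(filename, text):
    """Return zone, algorithm number, key tag and RSA modulus size in bits."""
    m = NAME_RE.match(filename)
    if not m:
        raise ValueError("not a BIND9 private key file name: %r" % filename)
    fields = dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)
    alg_in_file = int(fields["Algorithm"].split()[0])
    if alg_in_file != int(m["alg"]):
        raise ValueError("algorithm in file does not match file name")
    modulus = int.from_bytes(base64.b64decode(fields["Modulus"]), "big")
    return {"zone": m["zone"], "algorithm": alg_in_file,
            "keytag": int(m["tag"]), "bits": modulus.bit_length()}

def new_cka_id(nbytes=16):
    """Random hexadecimal ID; the token import and ods-ksmutil must use the same value."""
    return secrets.token_hex(nbytes)

def ksmutil_import_argv(info, cka_id, repository, algorithm, keystate, keytype, time):
    """Build the 'ods-ksmutil key import' argument list quoted in the thread."""
    if not re.fullmatch(r"[0-9a-fA-F]+", cka_id):
        raise ValueError("CKA_ID must be a hexadecimal string")
    return ["ods-ksmutil", "key", "import",
            "--cka_id", cka_id, "--repository", repository,
            "--zone", info["zone"], "--bits", str(info["bits"]),
            # Value formats for the next four options are not given in the
            # thread; they are passed through exactly as the caller supplies them.
            "--algorithm", algorithm, "--keystate", keystate,
            "--keytype", keytype, "--time", time]

def constructed_sample():
    """Constructed 1024-bit placeholder modulus; not a real key."""
    modulus = base64.b64encode(bytes([0xC3]) + bytes(127)).decode()
    return ("Private-key-format: v1.2\nAlgorithm: 5 (RSASHA1)\n"
            "Modulus: %s\nPublicExponent: AQAB\n" % modulus)

if __name__ == "__main__":
    info = parse_bind9_private("Kexample.com.+005+42952.private", constructed_sample())
    print(info)
    print(ksmutil_import_argv(info, new_cka_id(), "<repository>", "<algorithm>",
                              "ready", "<type>", "<time>"))
```

The argument list is returned rather than executed, so it can be reviewed before anything touches the key database.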
