[Opendnssec-user] getting dnssec keytag from CKAID label when using softhsm?

Sebastian Castro sebastian at nzrs.net.nz
Mon Dec 10 23:11:04 CET 2012

On 11/12/12 08:58, Paul Wouters wrote:
> Hi,

Hi Paul,

> When using an HSM, I can run dnssec-fromlabel with the CKAID to get the
> keytag/algo of the key. How can I do the same with softhsm? Is that only
> possible recompiling bind with softhsm as PKCS#11 provider?

The softhsm is only a key container which doesn't know anything about
what are you doing with the keys.

> Perhaps the ods suite can add a small utility for this? Or even better,
> store this in the signconf XML?

The association key <-> zone is done in the KASP db, so when using
OpenDNSSEC you can get the details you look for using ods-ksmutil

>From memory, BIND keeps the association key <-> zone in a text file,
where the CKA_ID is stored. I don't have a BIND signer at hand to check.

I hope it helps,

> Paul
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

More information about the Opendnssec-user mailing list