[Opendnssec-user] getting dnssec keytag from CKAID label when using softhsm?

Paul Wouters paul at nohats.ca
Mon Dec 10 23:42:16 CET 2012

On Tue, 11 Dec 2012, Sebastian Castro wrote:

>> When using an HSM, I can run dnssec-fromlabel with the CKAID to get the
>> keytag/algo of the key. How can I do the same with softhsm? Is that only
>> possible recompiling bind with softhsm as PKCS#11 provider?
> The softhsm is only a key container which doesn't know anything about
> what are you doing with the keys.

I understand

> The association key <-> zone is done in the KASP db, so when using
> OpenDNSSEC you can get the details you look for using ods-ksmutil

Unfortunately, even ods-ksmutil key list --verbose does not list this

>> From memory, BIND keeps the association key <-> zone in a text file,
> where the CKA_ID is stored. I don't have a BIND signer at hand to check.

Well, the dnssec-keyfromlabel takes it out of the HSM, assuming you
create the keys so you also store the public RSA part into the HSM,
by removing "<SkipPublicKey/>" from conf.xml before creating the keys
using ods.


More information about the Opendnssec-user mailing list