[Opendnssec-user] getting dnssec keytag from CKAID label when using softhsm?
paul at nohats.ca
Mon Dec 10 23:42:16 CET 2012
On Tue, 11 Dec 2012, Sebastian Castro wrote:
>> When using an HSM, I can run dnssec-fromlabel with the CKAID to get the
>> keytag/algo of the key. How can I do the same with softhsm? Is that only
>> possible recompiling bind with softhsm as PKCS#11 provider?
> The softhsm is only a key container which doesn't know anything about
> what are you doing with the keys.
> The association key <-> zone is done in the KASP db, so when using
> OpenDNSSEC you can get the details you look for using ods-ksmutil
Unfortunately, even ods-ksmutil key list --verbose does not list this
>> From memory, BIND keeps the association key <-> zone in a text file,
> where the CKA_ID is stored. I don't have a BIND signer at hand to check.
Well, the dnssec-keyfromlabel takes it out of the HSM, assuming you
create the keys so you also store the public RSA part into the HSM,
by removing "<SkipPublicKey/>" from conf.xml before creating the keys
More information about the Opendnssec-user