[Opendnssec-user] getting dnssec keytag from CKAID label when using softhsm?

Casper Gielen c.gielen at uvt.nl
Tue Dec 11 11:44:24 CET 2012

Op 10-12-12 20:58, Paul Wouters schreef:
> Hi,
> When using an HSM, I can run dnssec-fromlabel with the CKAID to get the
> keytag/algo of the key. How can I do the same with softhsm? Is that only
> possible recompiling bind with softhsm as PKCS#11 provider?

You'll have to get the algorith from the Kasp. I don't think there is a
utillity for that, but you could get it directly from the database. If
you use MySQL the following should do the trick. (Obviously you should
replace YOUR_ZONE_HERE with the actual name of the zone).

echo "SELECT name,HSMkey_id,algorithm,size   FROM
keypairs,dnsseckeys,zones WHERE keypairs.id=dnsseckeys.keypair_id AND
dnsseckeys.zone_id=zones.id AND keytype=257 AND
zones.name='YOUR_ZONE_HERE'" |  mysql -p opendnssec

Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl

More information about the Opendnssec-user mailing list