26 Lis
2018
26 Lis
'18
11:55
Hi Christian,
I have checked out your Knot configuration, and I suspect that the issue
might be a missing keystore option in the policy section of your
configuration. Try specifying the ID of the PKCS11 keystore in the
policy section as follows:
keystore:
- id: a1a1
backend: pkcs11
config: "pkcs11:token=testKSK_1;pin-value=5678
/usr/local/lib/softhsm/libsofthsm2.so"
- id: a1b1
backend: pkcs11
config: "pkcs11:token=testKSK_1;pin-value=5678
/usr/local/lib/softhsm/libsofthsm2.so"
policy:
- id: manual
manual: on
*keystore: a1a1*
nsec3: on
nsec3-iterations: 16
nsec3-opt-out: on
nsec3-salt-length: 8
Let us know if this helps.
Best regards,
Mark
On 26. 11. 18 9:49, Christian Petrasch wrote:
Hi @ all,
we are testing with softhsm 2.5 and KNOT 2.7.4...
I try to import the keys inside softhsm into keymgr to sign with this
a example zone.
The keymaterial is shown via pkcs11-tool:
[root@centos-test2 ~]# pkcs11-tool --login --list-objects --module
/usr/local/lib/softhsm/libsofthsm2.so
Using slot 0 with a present token (0x285d1c08)
Logging in to "testKSK_1".
Please enter User PIN:
Private Key Object; RSA
label: testKSK_1
ID: a1a1
Usage: decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
label: testZSK_1
ID: a1b1
Usage: encrypt, verify, wrap
Private Key Object; RSA
label: testZSK_1
ID: a1b1
Usage: decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
label: testKSK_1
ID: a1a1
Usage: encrypt, verify, wrap
######
The KNOT config is :
[root@centos-test2 ~]# cat /etc/knot/knot.conf
# See knot.conf(5) manual page for documentation.
server:
listen: [ 127.0.0.1@53, ::1@53 ]
keystore:
- id: a1a1
backend: pkcs11
config: "pkcs11:token=testKSK_1;pin-value=5678
/usr/local/lib/softhsm/libsofthsm2.so"
- id: a1b1
backend: pkcs11
config: "pkcs11:token=testKSK_1;pin-value=5678
/usr/local/lib/softhsm/libsofthsm2.so"
policy:
- id: manual
manual: on
nsec3: on
nsec3-iterations: 16
nsec3-opt-out: on
nsec3-salt-length: 8
zone:
- domain: example.com
dnssec-signing: on
dnssec-policy: manual
zonefile-load: difference
file: example.com.zone
storage: /etc/knot/
log:
- target: syslog
any: debug
###################
And if I try to import the key into keymgr i run the command:
[root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf example.com.
import-pkcs11 a1a1 algorithm=RSASHA256 size=2048 ksk=yes
created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Error (not exists)
###
I don't know how I can fix this.. maybe anybody can help me ? The
documentation of KNOT is very good.. but at this point it is a little
bit insufficient. Does anybody has examples for this ?
Thanks a lot in advance for the help..
best regards
--
Christian Petrasch
Product Owner
Zone Creation & Signing
IT-Services
DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY
E-Mail: petrasch(a)denic.de
http://www.denic.de <http://www.denic.de/>
PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49 DE61 870E
8841 549B E0AE
Angaben nach § 25a Absatz 1 GenG: DENIC eG (Sitz: Frankfurt am Main)
Vorstand: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg
Schweiger
Vorsitzender des Aufsichtsrats: Thomas Keller
Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht
Frankfurt am Main