hi Ulrich
Not Yubikey but Smartcard-HSM (which IIRC is effectively the same thing as a Nitrokey)
Have you seen this blog post from Jan-Piet Mens?
https://jpmens.net/2021/06/04/using-a-smartcard-hsm-for-dnssec-with-bind/
It would be nice if the Knot developers supported some sort of HTTP API call-out option
for HSM signing because it would enable you to do this concept for YubiHSM:
https://support.yubico.com/s/article/YubiHSM-2--A-load-balanced-design-for-…
N.B. If you are limited to using one YubiHSM (or one NitroHSM), then you will likely
encounter throughput issues. And so you perhaps might need to think about a key-wrapping
setup where a key stored on-disk gets un-wrapped on boot before knot starts.
Good luck, keep us updated on your progress!
On Thursday, 2 October 2025 at 19:43, Ulrich Wisser via knot-dns-users
<knot-dns-users(a)lists.nic.cz> wrote:
Hello!
Has anybody here got knot to sign with a Yubikey HSM?
Asking for a friend! :-)
/Ulrich
--