Hello,

I would like to ask you if you would accept patch set with support for TSIG
operations using PKCS#11.

Motivation: We have something like networked HSM and we are trying to solve
TSIG key distribution problem.


The raw idea is that dnssec-keyfromlabel could generate keys files for TSIG
algorithms and these files could be used with nsupdate -k file.

PKCS#11 standard v2.30 contains all the necessary methods (CKM_SHA_1_HMAC and
others) so it should be 'just' a matter of implementing proper DST binding ...
Am I right?

The only problem I found is that 'rndc tsig-list' does not list TSIG keys
generated using dnssec-keygen and stored in 'keys-directory'. Is it fixable?

Maybe it could allow TSIG key addition/removal at run-time as a side-effect
(if we somehow hack 'rndc loadkeys' to reload TSIG keys too).

What do you think?

Thank you for your time!

-- 
Petr Spacek  @  Red Hat