On Mon Nov 24 21:42:58 2014, pspacek@redhat.com wrote:
> Hello,
>
> and thank you for your answer!
>
> On 15.11.2014 00:20, Francis Dupont via RT wrote:
> > I am currently out of my office (~12000 km) and
> > I'll go back in some hours, so I apologise for
> > the likely delay for a detailed answer.
> >
> > BTW there is a new PKCS#11 standard (specs
> > still required a final vote, include files are not
> > yet available) but it won't change something as
> > HMAC has been covered since a long time.
> >
> > The native PKCS#11 supports *all* the standard
> > crypto functions needed by named, including hash
> > and HMAC. So there is nothing to change on this side.
> >
> > If I understand well you'd like to put secrets in the HSM.
> Yes, exactly.
>
> > Currently this is supported only for RSA and ECDSA
> > key pairs (look for a fromlabel method in dst_funct
> > arrays). Note for OpenSSL only RSA keys are supported
> > (sound as ECC is not supported by the PKCS#11
> > OpenSSL engine).
> I'm thinking more about direct/native PKCS#11 support.

=> I agree and I just commented the fact the OpenSSL stuff is already far behind.

> OpenSSL's PKCS#11
> engine never worked for me and generally with standard
> Red Hat packages ...

=> not really surprised (I wrote the native PKCS#11 code because the OpenSSL PKCS#11 engine was impossible to debug/maintain/support... it started as a private experiment but it was so successful it was adopted for official distribs)

> > Anyway it seems reasonable to extend fromlabel to
> > HMAC secrets as HMAC is already in the DST stuff.
> > Now I need the opinion of my colleagues if the result
> > will be to get a PKCS#11 specific feature.

=> I postpone this point as the next one is required if we want to go further.

> > Note I don't yet fully understand your point about
> > rndc tsig-list. I am afraid the current only way to
> > configure TSIG keys (aka secrets) is to put them
> > in the named config file... Surely something which
> > requires ASAP improvements...
>
> You understand me perfectly. I was making the point that
> TSIG keys stored in key files (produced by dnssec-keygen)
> located in "keys-directory" are ignored
> by named and are not usable in zone "update-policy".
>
> Maybe this could be a way how to separate keys from
> named config file and to allow dynamic key management
> at run-time (with an equivalent of rndc loadkeys
> for these TSIG keys).

=> IMHO this is enough to get its own ticket (I leave my colleagues to create it in the case they agree).

Thanks