From: Petr Spacek
Organization: Red Hat
To: bind-suggest@isc.org
CC: Tomas Hozza
Date: Fri, 14 Nov 2014 22:48:48 +0100
Subject: PKCS#11 support for TSIG algorithms
Message-ID: <546678C0.6040008@redhat.com>

Hello,

I would like to ask you if you would accept a patch set with support for TSIG operations using PKCS#11.
Motivation: We have something like a networked HSM and we are trying to solve the TSIG key distribution problem. The raw idea is that dnssec-keyfromlabel could generate key files for TSIG algorithms and these files could be used with nsupdate -k file.

PKCS#11 standard v2.30 contains all the necessary methods (CKM_SHA_1_HMAC and others), so it should be 'just' a matter of implementing a proper DST binding ... Am I right?

The only problem I found is that 'rndc tsig-list' does not list TSIG keys generated using dnssec-keygen and stored in 'keys-directory'. Is it fixable? Maybe it could allow TSIG key addition/removal at run-time as a side-effect (if we somehow hack 'rndc loadkeys' to reload TSIG keys too).

What do you think?

Thank you for your time!

-- 
Petr Spacek @ Red Hat