MIME-Version: 1.0
In-Reply-To: <546678C0.6040008@redhat.com>
X-Mailer: MIME-tools 5.428 (Entity 5.428)
Content-Disposition: inline
References: <546678C0.6040008@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Message-ID:
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
RT-Send-CC:
Content-Length: 1181

I am currently out of my office (~12000 km) and I'll go back in some hours, so I apologise for the likely delay for a detailed answer.

BTW there is a new PKCS#11 standard (specs still require a final vote, include files are not yet available) but it won't change anything, as HMAC has been covered for a long time. The native PKCS#11 supports *all* the standard crypto functions needed by named, including hash and HMAC. So there is nothing to change on this side.

If I understand well, you'd like to put secrets in the HSM. Currently this is supported only for RSA and ECDSA key pairs (look for a fromlabel method in the dst_func arrays). Note for OpenSSL only RSA keys are supported (sound as ECC is not supported by the PKCS#11 OpenSSL engine). Anyway it seems reasonable to extend fromlabel to HMAC secrets as HMAC is already in the DST stuff. Now I need the opinion of my colleagues on whether the result will be a PKCS#11 specific feature.

Note I don't yet fully understand your point about rndc tsig-list. I am afraid the current only way to configure TSIG keys (aka secrets) is to put them in the named config file... Surely something which requires ASAP improvements...