MIME-Version: 1.0
In-Reply-To: <rt-4.2.8-25287-1471965522-1399.43093-0-0@isc.org>
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Disposition: inline
X-RT-Interface: Web
References: <RT-Ticket-43093@isc.org>
 <03637BE8BAAD41E05305FCC2@ogg.in.absolight.net>
 <rt-4.2.8-25287-1471960689-1988.43093-5-0@isc.org>
 <FDA648CEFCA90C65C7BA29B4@ogg.in.absolight.net>
 <rt-4.2.8-36130-1471962407-1358.43093-5-0@isc.org>
 <1EAEA4EC0C2072DA3EDB47A9@ogg.in.absolight.net>
 <rt-4.2.8-25287-1471965522-1399.43093-0-0@isc.org>
Content-Type: text/plain; charset="utf-8"
Message-ID: <rt-4.2.8-36130-1471966563-210.43093-0-0@isc.org>
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
RT-Send-CC:
X-RT-Encrypt: 0
X-RT-Sign: 0
Content-Length: 616

On Tue Aug 23 15:18:42 2016, mat@FreeBSD.org wrote:
> So, the OP says that if the BIND9 port is built with the native-pkcs11
> option, it fails with:
> 
> root@freebsd:~ # dnssec-keyfromlabel -l
> 'pkcs11:object=sample_ksk;pin-source=/etc/token_pin' -a RSASHA256 -f KSK
> -v3  -E /usr/local/lib/softhsm/libsofthsm2.so example.com
> dnssec-keyfromlabel: fatal: failed to get key example.com/RSASHA256: built
> with no crypto support

=> can you check the configure log? There was a bug (was = fixed now)
in configure which can mess the crypto selection and
can give no crypto at all (i.e., not OpenSSL nor PKCS#11).