Update the BIND ARM to clarify which algorithms are supported with HSMs using patched OpenSSL vs. native pkcs11
Per Support ticket #15888, it was not clear from the BIND ARM that patched-OpenSSL doesn't support ECDSA when accessing an HSM.
For example:
dnssec-keyfromlabel -a 13 -E pkcs11 -l "pkcs11:<key ID redacted>" -3 testzone
dnssec-keyfromlabel: fatal: failed to get key testzone/ECDSAP256SHA256: algorithm is unsupported
and:
pkcs11-keygen -a ECDSAP256SHA256 -b 1024 -l iscissue02
prime256v1 and secp3841r1 are not supported
The HSM in use does support ECDSAP256SHA256 (algorithm 13). The key with the ID requested in the first example had previously been created using OpenDNSSEC, and its presence in the HSM was confirmed using pkcs11-list; however, it was not possible to create a similar key directly using pkcs11-keygen (the second example, showing the lack of ECDSA support in the BIND tools built this way).
Inspection of the patch for OpenSSL (~/bin/pkcs11/openssl-1.0.2h-patch) revealed that it does not add support for ECDSA, which is why the tools are unable to access or create keys in the HSM using algorithm 13, even though the HSM itself supports this.
This was a surprise. Please can the ARM be updated to make the limitations of patched-OpenSSL HSM support a lot clearer?
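As an added example (not from this ticket and not BIND's own tooling), the following POSIX shell check separates the two possible causes of an "algorithm is unsupported" error: the token not offering EC mechanisms at all, versus the BIND build (here, patched OpenSSL) lacking ECDSA even though the token has it. It parses a mechanism list in the format printed by OpenSC's `pkcs11-tool --list-mechanisms`; the mechanism names it looks for (ECDSA-KEY-PAIR-GEN, ECDSA, RSA-PKCS-KEY-PAIR-GEN, RSA-PKCS) are an assumption about that output, the embedded sample listings are constructed, and the PKCS11_MODULE variable is this script's own convention. It goes slightly beyond the ticket by covering the RSA algorithms as well as 13 and 14.

```shell
#!/bin/sh
# Added example, not part of the ticket or of BIND: check whether an HSM token
# advertises the PKCS#11 mechanisms a DNSSEC algorithm's key type needs. If it
# does and dnssec-keyfromlabel/pkcs11-keygen still report "algorithm is
# unsupported", the gap is in the BIND build, not in the HSM.
# Assumption: mechanism names as printed by OpenSC `pkcs11-tool --list-mechanisms`.

# Constructed sample output for a token offering both RSA and EC operations.
SAMPLE_WITH_EC='Using slot 0 with a present token (0x1)
Supported mechanisms:
  SHA256, digest
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, hw, generate_key_pair
  RSA-PKCS, keySize={1024,4096}, hw, sign, verify
  SHA256-RSA-PKCS, keySize={1024,4096}, hw, sign, verify
  ECDSA-KEY-PAIR-GEN, keySize={256,521}, hw, generate_key_pair
  ECDSA, keySize={256,521}, hw, sign, verify
  ECDSA-SHA256, keySize={256,521}, hw, sign, verify'

# Constructed sample output for an RSA-only token.
SAMPLE_RSA_ONLY='Using slot 0 with a present token (0x1)
Supported mechanisms:
  SHA256, digest
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, hw, generate_key_pair
  RSA-PKCS, keySize={1024,4096}, hw, sign, verify'

# has_mechanism LIST NAME: succeeds if NAME is listed as a mechanism entry
# (anchored so that "ECDSA" does not match "ECDSA-SHA256").
has_mechanism() {
    printf '%s\n' "$1" | grep -q "^  $2,"
}

# hsm_supports_dnssec_alg LIST ALGNUM: succeeds when LIST shows both the
# key-pair generation and the signing mechanism for the algorithm's key type.
# Returns 2 for an algorithm number this script does not know.
hsm_supports_dnssec_alg() {
    case "$2" in
        5|7|8|10)   # RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512
            has_mechanism "$1" "RSA-PKCS-KEY-PAIR-GEN" && has_mechanism "$1" "RSA-PKCS" ;;
        13|14)      # ECDSAP256SHA256, ECDSAP384SHA384
            has_mechanism "$1" "ECDSA-KEY-PAIR-GEN" && has_mechanism "$1" "ECDSA" ;;
        *)
            return 2 ;;
    esac
}

# diagnose LIST ALGNUM TOOL_RESULT: classify a BIND tool failure. TOOL_RESULT
# is "unsupported" if the tool printed "algorithm is unsupported", else "ok".
# Prints "hsm" (token lacks the mechanisms), "build" (token has them, so the
# BIND/OpenSSL build is the limiting side) or "ok".
diagnose() {
    if hsm_supports_dnssec_alg "$1" "$2"; then
        if [ "$3" = "unsupported" ]; then echo "build"; else echo "ok"; fi
    else
        echo "hsm"
    fi
}

# With a real token, point PKCS11_MODULE (this script's own variable) at the
# PKCS#11 library; otherwise the constructed EC-capable sample is used.
if [ -n "${PKCS11_MODULE:-}" ] && command -v pkcs11-tool >/dev/null 2>&1; then
    LIST=$(pkcs11-tool --module "$PKCS11_MODULE" --list-mechanisms)
else
    LIST=$SAMPLE_WITH_EC
fi

for alg in 8 13; do
    if hsm_supports_dnssec_alg "$LIST" "$alg"; then
        echo "alg $alg: token advertises the required mechanisms"
    else
        echo "alg $alg: token does NOT advertise the required mechanisms"
    fi
done
```

In the situation the ticket describes, the token lists the EC mechanisms (so `diagnose` returns "build"), which is exactly the case where the limitation lies in the patched-OpenSSL build rather than in the HSM.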