dnssec-keyfromlabel
```
[root@HDD-TEST dnssec]# /opt/dean/bind9/sbin/named -V
BIND 9.14.9 (Stable Release) <id:623e23e>
running on Linux x86_64 2.6.32-754.25.1.el6.x86_64 #1 SMP Mon Dec 23 15:19:53 UTC 2019
built by make with '--prefix=/opt/dean/bind9' '--enable-native-pkcs11' '--with-pkcs11=/opt/dean/hsm/libdapkcs11.so' '--with-openssl=/opt/dean/openssl-1.1.1d' '--with-python=/usr/local/python27/bin/python'
```
dnssec-keyfromlabel -E engine
Specifies the cryptographic hardware to use.
When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module. When BIND is built with native PKCS#11 cryptography (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".
```
[root@HDD-TEST dean]# /opt/dean/bind9/sbin/dnssec-keyfromlabel -h
Usage:
    dnssec-keyfromlabel -l label [options] name

Version: 9.14.9
Required options:
    -l label: label of the key pair
    name: owner of the key
Other options:
    -a algorithm:
        DH | RSASHA1 |
        NSEC3RSASHA1 |
        RSASHA256 | RSASHA512 |
        ECDSAP256SHA256 | ECDSAP384SHA384
    -3: use NSEC3-capable algorithm
    -c class (default: IN)
    -E :
        path to PKCS#11 provider library (default is /opt/dean/hsm/libdapkcs11.so)
```
From the help information output by dnssec-keyfromlabel, the engine is already available. Why can't I find the engine when I execute the complete command?
```
[root@HDD-TEST dean]# /opt/dean/bind9/sbin/dnssec-keyfromlabel -a RSASHA256 -l "'DA_SJY_RSA_PRIKEY2';type=private;pin-value=12345" -K ./keys -P now -A now+315360000 -I now+315360000 -D now+315360000 test.cn
dnssec-keyfromlabel: fatal: failed to get key test.cn/RSASHA256: no PKCS#11 provider
```