GitLab

The problem in this instance was that the pin code was incorrect. But at this point the problem could have been several - for example that the pkcs#11 library wasn't accessible or something like that. After heading off on the wrong track for quite some time, we eventually uncovered where the issue was.

# dnssec-keyfromlabel -v 5 -a RSASHA256 -l 'pkcs11:pin-source=/etc/named/hsmpin;object=sample_ksk' -K /etc/named/keys -f KSK example.com
pk11.c:564: fatal error: pkcs_C_Login: Error = 0x000000A0

I suspect that it's out of our hands to be able to interpret an error passed back to us by another lib, but what might be more helpful could be a summary of how far dnssec-key-label had got, so we know where not to look for the problem and maybe some suggestions for further troubleshooting?

In the above example, the PKCS#11 provider libs had been loaded OK, but the pin was wrong. Perhaps the error could indicate what the BIND code was trying to do (at a higher level) when it all went wrong?

(From Support ticket #14117 )