ISC Open Source Projects / BIND / Issues / #832

Issue created Jan 23, 2019 by Cathy Almond (@cathya, Developer)

"dnssec-keyfromlabel: fatal: failed to get key example.com/RSASHA256: no PKCS#11 provider" could be more helpful

In the circumstances when it was encountered, the error emitted above when dnssec-keyfromlabel terminated with a fatal error was not helpful for troubleshooting the problem.

What it actually meant (in this instance) was that the syntax of the options provided to the native pkcs11 library was at fault, therefore the library call failed. It didn't mean that the library was inaccessible (although it wasn't possible to access the HSM because of this error).

Since the syntax is defined in the ARM:

       Keywords include "token", which identifies the HSM; "object", which
       identifies the key; and "pin-source", which identifies a file from
       which the HSM's PIN code can be obtained.  The label will be
       stored in the on-disk "private" file.

Perhaps it would have been more useful to parse what was provided and emit a more helpful error if it was not acceptable - or even not to parse but to suggest that the library rejected what it was given - it wasn't that there was no library available (which is what it looks like from the words being used).

(From Support ticket #14117)
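A pre-flight check of the kind the report asks for, as an added example that is not part of the original issue and is not BIND's code: it names which part of the label is malformed instead of reporting a missing provider. It assumes the label has the form `pkcs11:keyword=value;keyword=value` and accepts only the three keywords quoted from the ARM above; the `check_label` function and its result codes are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example; they are not BIND's own. */
enum label_check { LABEL_OK, LABEL_NO_PREFIX, LABEL_NO_EQUALS,
                   LABEL_UNKNOWN_KEYWORD, LABEL_EMPTY_VALUE, LABEL_NO_OBJECT };

static const char *const label_check_text[] = {
    "label is well-formed",
    "label does not start with \"pkcs11:\"",
    "component is not of the form keyword=value",
    "unknown keyword (expected token, object or pin-source)",
    "keyword has an empty value",
    "no \"object\" keyword, so the label does not identify a key",
};

/* Assumed label form: pkcs11:token=...;object=...;pin-source=... */
enum label_check check_label(const char *label) {
    static const char *const known[] = { "token", "object", "pin-source" };
    int have_object = 0;

    if (strncmp(label, "pkcs11:", 7) != 0)
        return LABEL_NO_PREFIX;
    for (const char *p = label + 7; *p != '\0';) {
        size_t len = strcspn(p, ";"); /* length of one component */
        const char *eq = memchr(p, '=', len);
        size_t klen, i;

        if (eq == NULL)
            return LABEL_NO_EQUALS;
        klen = (size_t)(eq - p);
        for (i = 0; i < 3; i++)
            if (strlen(known[i]) == klen && memcmp(p, known[i], klen) == 0)
                break;
        if (i == 3)
            return LABEL_UNKNOWN_KEYWORD;
        if (klen + 1 == len)
            return LABEL_EMPTY_VALUE;
        have_object |= (i == 1); /* known[1] is "object" */
        p += len + (p[len] == ';'); /* skip the separator, if any */
    }
    return have_object ? LABEL_OK : LABEL_NO_OBJECT;
}

int main(int argc, char **argv) {
    /* Constructed sample label; pass your own as the first argument. */
    const char *label = argc > 1 ? argv[1] : "pkcs11:token=hsm1;objekt=example-ksk";
    enum label_check rc = check_label(label);
    printf("%s: %s\n", label, label_check_text[rc]);
    return rc == LABEL_OK ? 0 : 1;
}
```

A label that passes this check can still be rejected by the HSM (wrong token name, unreadable PIN file); the check only separates syntax errors from provider errors.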
