Integration Guide: Bind 9
5 Generate Keys and Sign a Domain Zone
In this chapter we generate a zone-signing key (ZSK) and a key-signing key (KSK) using the tools pkcs11-keygen and dnssec-keyfromlabel provided by BIND, and use them to sign a domain zone. The first tool actually generates the keys in the HSM; the second generates the key files for BIND, which contain the public key and an identifier of the actual private key. Since slot 0 is the only one we initialized in chapter 4.2 so far, we will choose it for the BIND configuration now.
1. Run the following commands to generate a zone-signing key and a key-signing key:
# pkcs11-keygen -b 2048 -l ksk
# pkcs11-keygen -b 1024 -l zsk
The parameter -b specifies the key size and -l the label of the key pair. Since the library path was exported, it is no longer necessary to specify it using the parameter -m (module). You will be prompted to enter the user PIN for the PKCS#11 slot.
2. Switch to the default folder for zone files and generate the key files for BIND:
# dnssec-keyfromlabel -l ksk -f KSK utimaco.com
# dnssec-keyfromlabel -l zsk utimaco.com
The parameter -l specifies the label again, and -f is followed by the key flag. The key files are generated for a specific zone, which in this case is "utimaco.com". You should now find the corresponding key files in the current directory; their names are composed as K<zone name>.+<numeric representation of the key file>+<key identifier>.(key|private). It is not necessary to add the -E (engine) parameter here because BIND was built with the --with-pkcs11 option in the first place, which makes the CryptoServer PKCS#11 engine the default.
3. Before you can sign a zone, it is necessary to add the contents of both K*.key files to the zone master file, or to include them by reference using the key file names. Open the zone file and add the following lines, e.g.:
$include Kutimaco.com.+005+35677.key
$include Kutimaco.com.+005+63263.key
4. Finally sign the zone
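The following script is an added example and is not part of the Utimaco guide or of BIND. It checks the K<zone>.+<algorithm>+<key tag>.key files produced in step 2 before they are included in step 3: it generates the $include lines for the zone master file, reads the DNSKEY flags field to confirm which file is the KSK (257) and which the ZSK (256), and recomputes the RFC 4034 key tag from the DNSKEY RDATA to confirm it matches the tag in the file name. It never talks to the HSM. The sample key files it creates are constructed for the demonstration: the key material "AQAB" is a 3-byte placeholder rather than a real RSA key, so their tags (1542, 1541) differ from the ones in the guide's example. It assumes a GNU-style base64 -d and od are available.

```shell
#!/bin/sh
# Added example, not part of the Utimaco guide: sanity-check the key files
# that dnssec-keyfromlabel writes in step 2 and build the $INCLUDE lines
# for step 3. Nothing here talks to the HSM; it only reads the .key files.
# Assumes GNU-style "base64 -d" and "od" are available.

# Print "$INCLUDE <file>" for every key file of ZONE in DIR, sorted.
# Usage: dnskey_includes ZONE DIR
dnskey_includes() {
    zone=$1; dir=$2
    for f in "$dir"/K"$zone".+[0-9][0-9][0-9]+[0-9]*.key; do
        [ -e "$f" ] || continue                 # glob matched nothing
        printf '$INCLUDE %s\n' "$(basename "$f")"
    done | sort
}

# Classify a .key file by the flags field of its DNSKEY record
# (257 = KSK with the SEP bit set, 256 = ZSK). Comment lines are skipped.
# Usage: dnskey_role FILE  -> prints KSK, ZSK or UNKNOWN
dnskey_role() {
    awk '/^;/ { next }
         { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") {
               f = $(i + 1)
               print (f == 257 ? "KSK" : (f == 256 ? "ZSK" : "UNKNOWN")); exit } }' "$1"
}

# Compute the RFC 4034 Appendix B key tag of the DNSKEY record in FILE.
# The RDATA is flags (2 bytes), protocol, algorithm, then the decoded key;
# even-offset bytes are added shifted left by 8, odd-offset bytes as-is.
# Usage: dnskey_keytag FILE  -> prints the key tag
dnskey_keytag() {
    awk '/^;/ { next }
         { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") {
               k = ""; for (j = i + 4; j <= NF; j++) k = k $j   # rejoin split base64
               print $(i + 1), $(i + 2), $(i + 3), k; exit } }' "$1" |
    { read flags proto alg b64
      { printf '%d %d %d %d ' $((flags / 256)) $((flags % 256)) "$proto" "$alg"
        printf '%s' "$b64" | base64 -d | od -An -v -tu1; } |
      awk '{ for (i = 1; i <= NF; i++) { ac += ((n % 2 == 0) ? $i * 256 : $i); n++ } }
           END { ac += int(ac / 65536) % 65536; print ac % 65536 }'; }
}

# Check that the key tag in each file name matches the one computed from the
# DNSKEY RDATA (the tag that later appears in RRSIG records). Returns 1 on mismatch.
# Usage: dnskey_check_tags ZONE DIR
dnskey_check_tags() {
    zone=$1; dir=$2; rc=0
    for f in "$dir"/K"$zone".+[0-9][0-9][0-9]+[0-9]*.key; do
        [ -e "$f" ] || continue
        name_tag=${f##*+}; name_tag=${name_tag%.key}
        name_tag=$(printf '%s' "$name_tag" | sed 's/^0*\([0-9]\)/\1/')  # drop zero padding
        tag=$(dnskey_keytag "$f")
        if [ "$tag" -eq "$name_tag" ]; then
            printf 'OK       %s (%s, key tag %s)\n' "$(basename "$f")" "$(dnskey_role "$f")" "$tag"
        else
            printf 'MISMATCH %s: name says %s, DNSKEY computes %s\n' "$(basename "$f")" "$name_tag" "$tag"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files in the dnssec-keyfromlabel layout. The key material
# "AQAB" is a 3-byte placeholder, not a real RSA key; its tags are 1542 (KSK)
# and 1541 (ZSK). Usage: make_sample_keys DIR ZONE
make_sample_keys() {
    cat > "$1/K$2.+005+01542.key" <<EOF
; This is a key-signing key, keyid 1542, for $2.
$2. IN DNSKEY 257 3 5 AQAB
EOF
    cat > "$1/K$2.+005+01541.key" <<EOF
; This is a zone-signing key, keyid 1541, for $2.
$2. IN DNSKEY 256 3 5 AQAB
EOF
}

# Demonstration on the constructed files
tmp=$(mktemp -d)
make_sample_keys "$tmp" utimaco.com
dnskey_includes utimaco.com "$tmp"
dnskey_check_tags utimaco.com "$tmp"
rm -rf "$tmp"
```

Run it from the zone directory with the real zone name in place of utimaco.com (replacing the demonstration block at the bottom with calls to dnskey_includes and dnskey_check_tags on that directory). A MISMATCH line means the file was renamed or edited after generation; a role that does not match the -f KSK flag given in step 2 means the wrong label was used.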
Linux
Page 14