[Cryptech Core] dnssec signer

[Rob Austein]

At Tue, 14 Jul 2015 12:44:47 +0200, Jakob Schlyter wrote:
> 
> Using OpenDNSSEC sucks less IMHO since we also get the hsm- toolset.

Which is good for what, exactly?  Serious question, not scoffing.

> I will tweek my OpenDNSSEC training material to cover what's needed,
> shouldn't take more than an hour friday morning.

"What could possibly go wrong?"

At Tue, 14 Jul 2015 16:49:41 +0200, Jakob Schlyter wrote:
> 
> > which is easier for user to set up and run when what is of
> > interest is not the dns code?
> 
> IMHO, OpenDNSSEC. At least, it's better documented for PKCS#11.

Probably true, although I will confess that OpenDNSSEC configuration
makes my head hurt and I was only planning to use the BIND 9.10
command line tools (both for relative simplicity and because named
needs more algorithms than we can fit in the Novena's FPGA).

BIND 9.10 does have some PKCS #11 doc.  Like much of BIND's doc, it
even sort of makes sense after one already understands what it's
trying to explain.

> I think we should provide the API calls needed to support BIND
> 9.10. If easy, now is better than later. I can help testing Friday.

Stalled waiting for Verilog support (hash core state save/restore).