[Cryptech Core] plan

Leif Johansson leifj at sunet.se
Sat Jul 18 06:01:26 UTC 2015




> On 18 Jul 2015, at 07:28, Rob Austein <sra at hactrn.net> wrote:
> 
> At Sat, 18 Jul 2015 04:44:14 +0200, Randy Bush wrote:
>> 
>> it is not clear from email what the client opendnssec signer host can
>> be.  can it be a user's mac/ubuntu/... or does it need a 32-bit machine?
> 
> Jakob and Leif are the authorities on this, but am pretty sure the
> signer itself requires a 32-bit machine in this setup.
> 
> Just to get everybody on the same page here, the main problems
> yesterday were not in Cryptech code per se, they were in:
> 
> a) OpenDNSSEC itself, which doesn't run on ARM this week; and


actually the crypto bits run just fine, it's all the ancillary stuff needed to parse & generate zonefiles that isn't ported to ARM

> 
> b) pkcs11-proxy (the third-party tool Jakob and Leif are using to
>   extrude PKCS #11 over the net so we can use the Novena as an HSM
>   while running OpenDNSSEC itself elsewhere), which apparently cannot
>   cope with client and server on machines with different word sizes.
> 


> Bottom line is that the OpenDNSSEC signer needs to run on a 32-bit
> i386 VM, preferably running Ubuntu rather than Debian due to bugs in
> pkcs11-proxy's packaging.

For testing you can just build pkcs11-proxy without packaging it - I wrote build+setup instructions on wiki.cryptech.is/PKCS11Proxy

> 
>> if the latter, can the workshop attendee who does not have a 32-bit vm
>> (or we) just set up a signer account on each Novena?
> 
> Not sure what you mean by this, but if you're asking whether it works
> to run OpenDNSSEC itself on the Novena, the answer is no, see (a).