[Cryptech Tech] Cryptech & bind 9

Francis Dupont Francis.Dupont at fdupont.fr
Thu Jun 8 11:32:21 UTC 2017


I've managed to use a Cryptech (last hardware with last software but
no FPGA ECC as jumpers JP7 and JP8 (*) were not installed) with bind 9.

It worked well (pass pkcs11 system test) with a few bind bug fixes:
 - disabling MD5 broke an RSA check
 - pkcs11 system test needed to be updated
 - as ECC was not accelerated by the FPGA the nsupdate over UDP timed out
The last point is of general interest: as some operations can be slower
than expected, please enforce the use of TCP for nsupdate.

Some questions/comments:
 (*) I think the JP8 is the JP7 next jumper and there is a JP9 after
  on the same bank?

 - if (when?) HMAC mechanisms will be available in the PKCS#11 code,
  don't put too big ulMinKeySize's: SoftHSMv2 moved from 0 to some
  values and now some bind 9 system tests fail (IMHO more because
  they used very small sizes than because SoftHSMv2 is too strict
  but I didn't look at these yet)

 - with DNSSEC and inline signings or dynamic updates the DNS server
  must be able to sign so the PIN must be available somewhere, usually
  in a file. So it is not interesting for this particular usage to
  have a strong (and slow!) password system.

 - is there any news about Ed25519 support? I've just finished some
  experiments with it (adding Ed25519 support with OpenSSL and PKCS#11
  crypto backends) so I am ready to play and/or help...

 - same question about Ed448? BTW Cryptech can become the first HSM
  supporting Ed448!

Thanks

Francis.Dupont at fdupont.fr

