On Tue, 7 Dec 2021, 08:15 Stuart Henderson, <s...@spacehopper.org> wrote:
> > I'll try to find time to look at it soon.

Great. Thank you. And sorry in advance if I might be asking something totally stupid, as I am not a developer, only trying to understand the tools I use.

Not assuming to know enough about the signing process itself, which I don't: isn't opendnssec using ldns merely for simple verification and handling of keys stored in the PKCS#11 interface, in this case softhsm? Are those keys not being generated by softhsm itself, which in openbsd is built to use the botan2 crypto libraries? Are opendnssec/libhsm not interacting with softhsm via API functions for tasks that include, among others, key generation, digest, encrypt/decrypt and signing?

The successful ed25519 curve key generation and the ed448 curve key failure appear to be consistent with the code from opendnssec/softhsmv2/src/lib/crypto/botaneddsa.cpp and bin/util/softhsm2-util-botan (github).

Again, not trying to assume anything, just really hoping for a resolution to this issue of opendnssec suddenly losing the capability to provide dnssec with eddsa algorithm 15 using nsd on openbsd servers. Changing algorithms of online domains means either losing connectivity for a while or turning dnssec off altogether first.

Of course, even better would be to see a completion of the bits and pieces missing in libressl to finally provide for the usage of these and other more up-to-date crypto libraries and functions that are still missing in openbsd... But this is beyond the scope of our subject.

Thank you and all openbsd contributors for such amazing work you do.

Ppmiguel