Using Loop's PKCS#11 support for DNSSEC signing
July 5, 2025
This is an example of how to use Loop's PKCS#11 support to perform DNSSEC zone signing with keys stored in HSMs (hardware security modules).
- This example uses the SoftHSMv2 PKCS#11 provider for demonstration.
- In real-world usage, you would use the PKCS#11 provider module provided by your HSM vendor.
- For some smart cards and USB tokens, you may be able to use the PKCS#11 provider provided by the OpenSC project.
To bridge between the PKCS#11 provider module and the OpenSSL library, an OpenSSL provider module called pkcs11-provider is used.
Programs in Loop call the OpenSSL library, which calls the pkcs11-provider OpenSSL provider, which in turn calls the HSM vendor's PKCS#11 provider (SoftHSMv2 in this example).
Install dependencies
As the root user or using sudo, install the SoftHSMv2, pkcs11-provider, and p11-kit packages for your platform. p11-kit provides the program p11tool, which you may optionally use to manipulate tokens on the HSM.
For example, on Red Hat Enterprise Linux 10 or Fedora platforms, you may use the following command to install these packages:
[user@host ~]$ sudo dnf install softhsm pkcs11-provider p11-kit
On RHEL, the softhsm package should be available as a part of AppStream.
Create a working directory
For this example, we will create a sub-directory called pkcs11/ as our working directory and store almost everything relative to this directory. In real-world usage, you can store configuration and data in system directories and modify paths accordingly.
[user@host ~]$ mkdir pkcs11
[user@host ~]$ cd pkcs11
[user@host ~/pkcs11]$
Configure SoftHSMv2
Let us configure and set up SoftHSMv2. SoftHSMv2 stores tokens in a directory on the filesystem. We create a sub-directory within the pkcs11/ directory for it, and create a softhsm2.conf file to configure SoftHSMv2 to use this directory. We also set the SOFTHSM2_CONF environment variable to tell SoftHSMv2 that it should use our softhsm2.conf file.
[user@host ~/pkcs11]$ mkdir softhsm2-tokendir
[user@host ~/pkcs11]$ cat > softhsm2.conf
directories.tokendir=softhsm2-tokendir
[user@host ~/pkcs11]$ export SOFTHSM2_CONF=softhsm2.conf
[user@host ~/pkcs11]$
Next, we initialize a SoftHSMv2 token so we may use it. We also assign a PIN of "1234" (you may use a different PIN if you like):
[user@host ~/pkcs11]$ softhsm2-util --init-token --free --label "example" --pin 1234 --so-pin 1234
Slot 0 has a free/uninitialized token.
The token has been initialized and is reassigned to slot 2076677265
[user@host ~/pkcs11]$ softhsm2-util --token example --show-slots
Available slots:
Slot 2076677265
Slot info:
Description: SoftHSM slot ID 0x7bc79491
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number: 74a2bc56fbc79491
Initialized: yes
User PIN init.: yes
Label: example
Slot 1
Slot info:
Description: SoftHSM slot ID 0x1
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number:
Initialized: no
User PIN init.: no
Label:
[user@host ~/pkcs11]$
(The slot number it assigns may differ for you as it is chosen randomly; it does not matter.)
We can use p11tool to determine the PKCS#11 URI for the token. This URI will be used later in our example.
[user@host ~/pkcs11]$ p11tool --list-token-urls | grep "example"
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=74a2bc56fbc79491;token=example
[user@host ~/pkcs11]$
You will also notice newly created files in softhsm2-tokendir/:
[user@host ~/pkcs11]$ find softhsm2-tokendir/
softhsm2-tokendir/
softhsm2-tokendir/b595ca7b-14c8-d5fd-74a2-bc56fbc79491
softhsm2-tokendir/b595ca7b-14c8-d5fd-74a2-bc56fbc79491/token.object
softhsm2-tokendir/b595ca7b-14c8-d5fd-74a2-bc56fbc79491/generation
softhsm2-tokendir/b595ca7b-14c8-d5fd-74a2-bc56fbc79491/token.lock
[user@host ~/pkcs11]$
Configure OpenSSL
Let us now configure OpenSSL to use pkcs11-provider, and pkcs11-provider to use SoftHSMv2. We create an openssl.cnf file to configure OpenSSL. We also set the OPENSSL_CONF environment variable to tell OpenSSL that it should use our openssl.cnf file.
[user@host ~/pkcs11]$ cat > openssl.cnf
HOME = .
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect
[default_sect]
activate = 1
[pkcs11_sect]
module = pkcs11.so
pkcs11-module-path = /usr/lib/softhsm/libsofthsm2.so
pkcs11-module-token-pin = 1234
pkcs11-module-quirks = no-deinit
activate = 1
[user@host ~/pkcs11]$ export OPENSSL_CONF=openssl.cnf
[user@host ~/pkcs11]$
In the above configuration, a pkcs11 OpenSSL provider module is configured in the pkcs11_sect section. It uses the pkcs11.so module installed as part of the pkcs11-provider package into the OpenSSL ossl-modules directory (typically somewhere within /usr/lib/).
- pkcs11-module-path configures pkcs11-provider to use the SoftHSMv2 PKCS#11 provider. If this path is incorrect, use the correct path to libsofthsm2.so on your host.
- pkcs11-module-token-pin configures the PIN used to access the SoftHSMv2 token. It is configured here because this is a tutorial; you may want to leave it out for security, in which case you will be prompted for the PIN every time the token is used.
- pkcs11-module-quirks configures quirks in pkcs11-provider. Here, no-deinit asks pkcs11-provider not to deinitialize the PKCS#11 module during shutdown. On some supported platforms, the currently available version of SoftHSMv2 does not deinitialize properly and crashes. The available quirks are documented in the provider-pkcs11 manpage.
Please consult the OpenSSL documentation for more details about what the various configuration elements mean.
Create a DNSKEY by generating or importing keys
We will create a DNSKEY to sign the example.com. zone. There are two approaches to creating it. We can:
- Generate a new DNSKEY on the HSM
- Import an existing key from the HSM
In both cases, the .private file of the DNSKEY file pair that is created contains a label referring to the HSM. It doesn't contain any private key material (which lives within the HSM). The .key file of the DNSKEY file pair that is created contains the public key as a DNSKEY record.
Both approaches are described in the sections below.
Create a DNSKEY by generating it
The dnssec-keygen program can be used to generate a key on an HSM. We have to provide a label or a full PKCS#11 URI for an object to store the key into, using the dnssec-keygen -l argument. In this case, we will use a PKCS#11 URI, and label the key as my-rsa-2048. So we append ;object=my-rsa-2048 to the URI that p11tool returned above.
We create a DNSKEY on the HSM with algorithm RSASHA256; the RSA key is 2048 bits in size:
[user@host ~/pkcs11]$ dnssec-keygen -l "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=74a2bc56fbc79491;token=example;object=my-rsa-2048" -a RSASHA256 -b 2048 -n ZONE example.com
Generating key pair.
Kexample.com.+008+44679
[user@host ~/pkcs11]$ cat Kexample.com.+008+44679.private
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: pyBJmKobVVB4NJpEYqUIsY46DZwH47dYCDCQX4qGJ2d2wbX8h9wdw8onhSpgpF5BiqfJ0uKEBx/OwsPa5FkYRRouTxXtP2BoWpq+ZRWBJssn+H7Z7Zn7BMNVyZpMiYaC5eMqWDT9N6HnD8fa6hTx8mC+5vhTT76A7FE4r5bukH48RXUfIJh4h1ipG2sGbya/nwTI22SJdnZpwhDpanqn1Li4zgH/ciy3ktdkVxD+3cgp07mSO2PowrDv7Qeyga3tRyYGO3rwHxPsbF8syj7FNCpWwFbTOUS67ooykPxV3RhevOOFTj1SRH4mpbuvNa4RY/ekPpUwcbuZuBiX0UAr9Q==
PublicExponent: AQAB
Label: cGtjczExOm1vZGVsPVNvZnRIU00lMjB2MjttYW51ZmFjdHVyZXI9U29mdEhTTSUyMHByb2plY3Q7c2VyaWFsPTc0YTJiYzU2ZmJjNzk0OTE7dG9rZW49ZXhhbXBsZTtvYmplY3Q9bXktcnNhLTIwNDgA
Created: 20250705122326
Publish: 20250705122326
Activate: 20250705122326
[user@host ~/pkcs11]$ cat Kexample.com.+008+44679.key
; This is a zone-signing key, keyid 44679, for example.com.
; Created: 20250705122326 (Sat Jul 5 20:23:26 2025)
; Publish: 20250705122326 (Sat Jul 5 20:23:26 2025)
; Activate: 20250705122326 (Sat Jul 5 20:23:26 2025)
example.com. IN DNSKEY 256 3 8 AwEAAacgSZiqG1VQeDSaRGKlCLGOOg2cB+O3WAgwkF+KhidndsG1/Ifc HcPKJ4UqYKReQYqnydLihAcfzsLD2uRZGEUaLk8V7T9gaFqavmUVgSbL J/h+2e2Z+wTDVcmaTImGguXjKlg0/Teh5w/H2uoU8fJgvub4U0++gOxR OK+W7pB+PEV1HyCYeIdYqRtrBm8mv58EyNtkiXZ2acIQ6Wp6p9S4uM4B /3Ist5LXZFcQ/t3IKdO5kjtj6MKw7+0HsoGt7UcmBjt68B8T7GxfLMo+ xTQqVsBW0zlEuu6KMpD8Vd0YXrzjhU49UkR+JqW7rzWuEWP3pD6VMHG7 mbgYl9FAK/U=
[user@host ~/pkcs11]$
The value of the Label: field printed above from the Kexample.com.+008+44679.private file is a Base64 encoded PKCS#11 URI string of the object. There is no private key material in this file, and this file serves like a symbolic link to the object my-rsa-2048 in the HSM.
[user@host ~/pkcs11]$ echo -n "cGtjczExOm1vZGVsPVNvZnRIU00lMjB2MjttYW51ZmFjdHVyZXI9U29mdEhTTSUyMHByb2plY3Q7c2VyaWFsPTc0YTJiYzU2ZmJjNzk0OTE7dG9rZW49ZXhhbXBsZTtvYmplY3Q9bXktcnNhLTIwNDgA" | base64 -d; echo
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=74a2bc56fbc79491;token=example;object=my-rsa-2048
[user@host ~/pkcs11]$
(The DNSKEY key ID it assigns may differ for you as it is chosen randomly; it does not matter.)
See the dnssec-keygen(1) manpage for more details on its usage.
Create a DNSKEY by importing it from the HSM
Alternatively, the dnssec-keyfromlabel program can be used to import an existing key from an HSM. Only the public key is imported. We have to provide a label or a full PKCS#11 URI of an object to import the key from, using the dnssec-keyfromlabel -l argument. In this case, we will use a PKCS#11 URI, and assume the existing object is labeled my-rsa-2048. So we append ;object=my-rsa-2048 to the URI that p11tool returned above.
We create a DNSKEY with algorithm RSASHA256 by importing an existing key labelled my-rsa-2048 from the HSM:
[user@host ~/pkcs11]$ dnssec-keyfromlabel -l "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=74a2bc56fbc79491;token=example;object=my-rsa-2048" -a RSASHA256 -n ZONE example.com
Kexample.com.+008+44679
[user@host ~/pkcs11]$ cat Kexample.com.+008+44679.key
; This is a zone-signing key, keyid 44679, for example.com.
; Created: 20250705125450 (Sat Jul 5 20:54:50 2025)
; Publish: 20250705125450 (Sat Jul 5 20:54:50 2025)
; Activate: 20250705125450 (Sat Jul 5 20:54:50 2025)
example.com. IN DNSKEY 256 3 8 AwEAAacgSZiqG1VQeDSaRGKlCLGOOg2cB+O3WAgwkF+KhidndsG1/Ifc HcPKJ4UqYKReQYqnydLihAcfzsLD2uRZGEUaLk8V7T9gaFqavmUVgSbL J/h+2e2Z+wTDVcmaTImGguXjKlg0/Teh5w/H2uoU8fJgvub4U0++gOxR OK+W7pB+PEV1HyCYeIdYqRtrBm8mv58EyNtkiXZ2acIQ6Wp6p9S4uM4B /3Ist5LXZFcQ/t3IKdO5kjtj6MKw7+0HsoGt7UcmBjt68B8T7GxfLMo+ xTQqVsBW0zlEuu6KMpD8Vd0YXrzjhU49UkR+JqW7rzWuEWP3pD6VMHG7 mbgYl9FAK/U=
[user@host ~/pkcs11]$ cat Kexample.com.+008+44679.private
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: pyBJmKobVVB4NJpEYqUIsY46DZwH47dYCDCQX4qGJ2d2wbX8h9wdw8onhSpgpF5BiqfJ0uKEBx/OwsPa5FkYRRouTxXtP2BoWpq+ZRWBJssn+H7Z7Zn7BMNVyZpMiYaC5eMqWDT9N6HnD8fa6hTx8mC+5vhTT76A7FE4r5bukH48RXUfIJh4h1ipG2sGbya/nwTI22SJdnZpwhDpanqn1Li4zgH/ciy3ktdkVxD+3cgp07mSO2PowrDv7Qeyga3tRyYGO3rwHxPsbF8syj7FNCpWwFbTOUS67ooykPxV3RhevOOFTj1SRH4mpbuvNa4RY/ekPpUwcbuZuBiX0UAr9Q==
PublicExponent: AQAB
Label: cGtjczExOm1vZGVsPVNvZnRIU00lMjB2MjttYW51ZmFjdHVyZXI9U29mdEhTTSUyMHByb2plY3Q7c2VyaWFsPTc0YTJiYzU2ZmJjNzk0OTE7dG9rZW49ZXhhbXBsZTtvYmplY3Q9bXktcnNhLTIwNDgA
Created: 20250705125450
Publish: 20250705125450
Activate: 20250705125450
[user@host ~/pkcs11]$
Unlike the dnssec-keygen command in the previous section, no key size can be specified when using dnssec-keyfromlabel, as the key is already present in the HSM and has its existing key size.
The value of the Label: field printed above from the Kexample.com.+008+44679.private file is a Base64 encoded PKCS#11 URI string of the object. There is no private key material in this file, and this file serves like a symbolic link to the object my-rsa-2048 in the HSM.
[user@host ~/pkcs11]$ echo -n "cGtjczExOm1vZGVsPVNvZnRIU00lMjB2MjttYW51ZmFjdHVyZXI9U29mdEhTTSUyMHByb2plY3Q7c2VyaWFsPTc0YTJiYzU2ZmJjNzk0OTE7dG9rZW49ZXhhbXBsZTtvYmplY3Q9bXktcnNhLTIwNDgA" | base64 -d; echo
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=74a2bc56fbc79491;token=example;object=my-rsa-2048
[user@host ~/pkcs11]$
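As an added example (not code from Loop or from this page), the following Python script does by machine what the two sections above do by hand for the Kexample.com.+008+44679 pair: it decodes the Label: field back to the PKCS#11 URI, confirms that the .private file carries no RSA private-key fields, and checks that the public key in the .key file's DNSKEY record is the same modulus the .private file lists. The file contents are copied from the listings above; the function names and the set of private-key field names are assumptions of this example.

```python
# Added example (not Loop's own code): cross-check an HSM-backed BIND key pair.
import base64
import re
from urllib.parse import unquote

# Contents of the Kexample.com.+008+44679.private and .key files shown above.
PRIVATE_FILE = """Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: pyBJmKobVVB4NJpEYqUIsY46DZwH47dYCDCQX4qGJ2d2wbX8h9wdw8onhSpgpF5BiqfJ0uKEBx/OwsPa5FkYRRouTxXtP2BoWpq+ZRWBJssn+H7Z7Zn7BMNVyZpMiYaC5eMqWDT9N6HnD8fa6hTx8mC+5vhTT76A7FE4r5bukH48RXUfIJh4h1ipG2sGbya/nwTI22SJdnZpwhDpanqn1Li4zgH/ciy3ktdkVxD+3cgp07mSO2PowrDv7Qeyga3tRyYGO3rwHxPsbF8syj7FNCpWwFbTOUS67ooykPxV3RhevOOFTj1SRH4mpbuvNa4RY/ekPpUwcbuZuBiX0UAr9Q==
PublicExponent: AQAB
Label: cGtjczExOm1vZGVsPVNvZnRIU00lMjB2MjttYW51ZmFjdHVyZXI9U29mdEhTTSUyMHByb2plY3Q7c2VyaWFsPTc0YTJiYzU2ZmJjNzk0OTE7dG9rZW49ZXhhbXBsZTtvYmplY3Q9bXktcnNhLTIwNDgA
"""
KEY_RR = "example.com. IN DNSKEY 256 3 8 AwEAAacgSZiqG1VQeDSaRGKlCLGOOg2cB+O3WAgwkF+KhidndsG1/Ifc HcPKJ4UqYKReQYqnydLihAcfzsLD2uRZGEUaLk8V7T9gaFqavmUVgSbL J/h+2e2Z+wTDVcmaTImGguXjKlg0/Teh5w/H2uoU8fJgvub4U0++gOxR OK+W7pB+PEV1HyCYeIdYqRtrBm8mv58EyNtkiXZ2acIQ6Wp6p9S4uM4B /3Ist5LXZFcQ/t3IKdO5kjtj6MKw7+0HsoGt7UcmBjt68B8T7GxfLMo+ xTQqVsBW0zlEuu6KMpD8Vd0YXrzjhU49UkR+JqW7rzWuEWP3pD6VMHG7 mbgYl9FAK/U="

# RSA fields that BIND writes only when the private key itself lives on disk (assumed set).
RSA_PRIVATE_FIELDS = {"PrivateExponent", "Prime1", "Prime2",
                      "Exponent1", "Exponent2", "Coefficient"}

def parse_private_file(text):
    """Parse the 'Field: value' lines of a BIND Private-key-format file."""
    parts = (line.partition(":") for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, _, v in parts}

def label_to_uri(fields):
    """Decode Label: (Base64 PKCS#11 URI); on this page it ends in a NUL byte."""
    return base64.b64decode(fields["Label"]).rstrip(b"\x00").decode("ascii")

def parse_pkcs11_uri(uri):
    """Split the RFC 7512 path attributes of a pkcs11: URI, percent-decoded."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path = uri[len("pkcs11:"):].split("?", 1)[0]  # ignore any query part
    return {k: unquote(v) for k, _, v in (a.partition("=") for a in path.split(";"))}

def parse_dnskey_rsa(rr):
    """Return (flags, proto, alg, e, n) from a DNSKEY RR in RFC 3110 RSA format."""
    m = re.search(r"DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$", rr)
    blob = base64.b64decode(m.group(4).replace(" ", ""))
    # Leading byte is the exponent length; 0 means a 2-byte length follows.
    elen, body = (blob[0], blob[1:]) if blob[0] else (int.from_bytes(blob[1:3], "big"), blob[3:])
    e, n = int.from_bytes(body[:elen], "big"), int.from_bytes(body[elen:], "big")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), e, n

def check_keypair(private_text, key_rr):
    """Report what the pair points at and whether .key and .private agree."""
    fields = parse_private_file(private_text)
    uri = parse_pkcs11_uri(label_to_uri(fields))
    flags, _proto, alg, e, n = parse_dnskey_rsa(key_rr)
    n_private = int.from_bytes(base64.b64decode(fields["Modulus"]), "big")
    return {"token": uri.get("token"), "object": uri.get("object"), "flags": flags,
            "private_material_on_disk": bool(set(fields) & RSA_PRIVATE_FIELDS),
            "algorithm_matches": int(fields["Algorithm"].split()[0]) == alg,
            "modulus_matches": n == n_private,
            "modulus_bits": n.bit_length(), "exponent": e}
```

Running check_keypair(PRIVATE_FILE, KEY_RR) reports token "example", object "my-rsa-2048", a 2048-bit modulus with exponent 65537, no private material on disk, and a modulus that matches between the two files.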
See the dnssec-keyfromlabel(1) manpage for more details on its usage.
Sign a DNS zone using the DNSKEY
Now that we have the Kexample.com.+008+44679.key and Kexample.com.+008+44679.private files, we can sign a master file for the example.com zone. We use the dnssec-signzone program to sign zones.
Let's create a sample master file for the example.com. zone, and also check that it is syntactically correct:
[user@host ~/pkcs11]$ cat > example.com.db
$TTL 3600
example.com. IN SOA . . 2025070500 600 600 1200 600
example.com. NS ns1.example.com.
ns1.example.com. A 127.0.0.1
example.com. A 127.0.0.1
[user@host ~/pkcs11]$ named-checkzone example.com example.com.db
zone example.com/IN: loaded serial 2025070500
OK
[user@host ~/pkcs11]$
This zone's data can now be signed using the HSM. We use smart signing by calling dnssec-signzone -S so that it discovers the DNSKEY automatically in the Kexample.com.+008+44679.key and Kexample.com.+008+44679.private files.
[user@host ~/pkcs11]$ dnssec-signzone -S -z -o example.com example.com.db
Fetching ZSK 44679/RSASHA256 from key repository.
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 0 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
example.com.db.signed
[user@host ~/pkcs11]$
The signed zone's data is saved to the master file example.com.db.signed and has the following content:
[user@host ~/pkcs11]$ cat example.com.db.signed
; File written on Sat Jul 5 21:22:21 2025
; dnssec-signzone version 1.99.3.20250623003957.08c26b66c1
example.com. 3600 IN SOA . . (
2025070500 ; serial
600 ; refresh (10 minutes)
600 ; retry (10 minutes)
1200 ; expire (20 minutes)
600 ; minimum (10 minutes)
)
3600 RRSIG SOA 8 2 3600 (
20250804122221 20250705122221 44679 example.com.
gOVYSFEU+F6oApb4xEFAhj77VI8XGhVxwiU+
LzVySfD/j6yL1kCGOez/f/c4jxxZzCP36ztB
MLejT6A/fuSfGVIRRsjkQ+2AK+p3z0wiSyYL
zSMeDgiQqjh5JwQ+CaR/lAa2+AzQG6goe76k
3ZQbda6E/4EK733jA2Ahh3Afl5YUJH3yqvDo
ZtVavZxd+Jo1c7FQBKn24NotXDjqewaCZ3XX
TxmmFSBzdy1Vv3PpnapF4FzLvnWqsTbR6v/Z
JQPqKvxGjUDc5ETp+aOG59JkzSE9vPj/bGZQ
OiQhUQ0VL4iDpyiN98+y8oQ3Tvp9Lh7KNwRW
beC9Lgf8CFxNg5BgUw== )
3600 NS ns1.example.com.
3600 RRSIG NS 8 2 3600 (
20250804122221 20250705122221 44679 example.com.
IdGBtB2RUyTEcpxxCoVqa6XKyYaMgyGaZhp3
dj31FNV7xyH2xLM7j9d5A8qr1ORMLm31UCB/
0tLcxndqFcH0gXipxm78rppEFGiLSNPEDs1q
8owr+zzjJ2Dtkf5Sg008BmDrAMFMHlvHQ2E0
Ij8wjdRz11NDVkdwkW/MPMp1B1RSTLZujXx3
2LQXMs1RQcrc4Nk70juyl8UNe2nUOJuEO6SV
2Y8YtDqCdWa2bgmrncm7OE+SJ79UZOG6gsu/
688V39AaN/IMK57Ua59aeN6C7bZQ3D8YWKo5
IDS+Mza+jAeydQpjFEZSBC5Z9sGReIpPRyPg
3euahyjMhnx5DWkZUg== )
3600 A 127.0.0.1
3600 RRSIG A 8 2 3600 (
20250804122221 20250705122221 44679 example.com.
mJ1Ma0CgANegpwh4Ox6wIxxMiO/W99PLE66w
mteJCTiJWdoNjiQsaK8CPpaehP+ttF4WazDs
0DNaZUzRBiaWtLa5PIJGRYlfHB/gWkWRy3Oq
3HeaVRU0i59GW0/cCt4oJsJF3KPziFLIdmUU
Ge9GA7x17m+Fyp/BDo6EfPsYgOZlMY+GBofC
DfxsZzgPhI6+MN6uLkDLrmwtuZ9KS3lIu4I5
tdIx9PLRteH1CEEAhUAHq0wFAs39TQs2uB27
TiHzqTjfergtPyZYHWc7Swry3JahKLcQw0kB
n+4q1tbb8ktOZqUszrFMt+xKzi948rkFJswU
DFID+NQzpSNRGtOzaw== )
600 NSEC ns1.example.com. A NS SOA RRSIG NSEC DNSKEY
600 RRSIG NSEC 8 2 600 (
20250804122221 20250705122221 44679 example.com.
kYFu3pdpBfI+7CITOXdKULrwCpbmVQlO+jC/
sNPcdDSNuInm8cq5UVy05/vV0FxPSJEhY1qr
38FQbYl9CAI0EuIDvlwhadlO6kli4A4QVlER
TB6diBOOHV00eyUYOwg/gNYDKaKGdh1msAhV
QnvIScf9Z5QgCglnA+vOuVngGM8u4jNQjUTf
vReOgqr4ZoWfFommJHVMzbtM8gHVabPw4ExB
hoAeqe4o4ZPPReBWh75ounOUXMhrIS48YJ5/
/X6K54m7tAKEHL7yQ21sM5OELNWe+CqXnYcK
Bq6NjYPRr+aNwqpIQ+SmsIGhE9CBbrwgka39
JpLv3QxzY+CUNaJJmA== )
3600 DNSKEY 256 3 8 (
AwEAAacgSZiqG1VQeDSaRGKlCLGOOg2cB+O3
WAgwkF+KhidndsG1/IfcHcPKJ4UqYKReQYqn
ydLihAcfzsLD2uRZGEUaLk8V7T9gaFqavmUV
gSbLJ/h+2e2Z+wTDVcmaTImGguXjKlg0/Teh
5w/H2uoU8fJgvub4U0++gOxROK+W7pB+PEV1
HyCYeIdYqRtrBm8mv58EyNtkiXZ2acIQ6Wp6
p9S4uM4B/3Ist5LXZFcQ/t3IKdO5kjtj6MKw
7+0HsoGt7UcmBjt68B8T7GxfLMo+xTQqVsBW
0zlEuu6KMpD8Vd0YXrzjhU49UkR+JqW7rzWu
EWP3pD6VMHG7mbgYl9FAK/U=
) ; ZSK; alg = RSASHA256 ; key id = 44679
3600 RRSIG DNSKEY 8 2 3600 (
20250804122221 20250705122221 44679 example.com.
GRds9ebVM8g6n6GqswPoiaEV5xK+2DcxSXZG
qgLwu8eSakGAoZQkjdZ983NhL1cGDfk5q7pL
dvxpnCNZ4tzg7AKKfXr2BEqIGt7Xo9KLtKt0
SdsF5RioWyL3iRGjeFbaqxK5G2Dy1CCQD7DJ
KHvmv+pfnp1ls3i6xKNRjXsVrNPF1iEyivt8
l5NF1AsaHOfk/PIMrlpihzFBxM2A9S8XXwn7
j6KYm15FWl9RmU2y5akzPTNtVJPVFbVJ0OcD
DNIuNd4kzF8IWY3zigrfhuH3xPzGAhop30PH
r9ANnTASD7gzcVPGjkyfSXaxOBVKTtK/cmpP
/IK+CLaM1iL3fOfHyA== )
ns1.example.com. 3600 IN A 127.0.0.1
3600 RRSIG A 8 3 3600 (
20250804122221 20250705122221 44679 example.com.
jTuSieMy/0Faveu9ODXYAZ8NTIZqo1zJ//IC
syNX3Fs908G+sUqyZNnH0JHEC5cJQvfj0OEk
Mx8aW7PkyO7gKSraUDHs5F8fws0WNNueY+Oe
Zi6H6NA1l99wUxKLcaakzFZj6XgKYCLwSO1J
yyQrPb9Zs6FNkx+GaaeRbKq7xHeK/bMTMggt
7P3hhsFfYIj4KI0hgP23Jomc+OePZe6eDHee
WUHpod5TnLDXOri7IkLLuHxUsLo9Xnjp9FF5
HJcCvx1/XRip6D1kJqZ0x6w1kTEaA0E5YfF0
6uVfxB5kjmiN40EoFdpvfylRDZVQPPey214e
MTkvp3IOwDgqb8yMrQ== )
600 NSEC example.com. A RRSIG NSEC
600 RRSIG NSEC 8 3 600 (
20250804122221 20250705122221 44679 example.com.
KmGYCG01vI2SFsbP6NhXTyDWEzr08MF7Qiy9
TmqK5gL4cTwwIMhsAUWJG3YXMKGiotpMBsW5
kvso3od/+fisEGrDA9ik4higHwTZY+aocX1O
DLUTqNaVQ/KJ/vHO96jtFb8lkvyfuFO+K/tY
GXj+sd6Ol3sdRyUkAU17GRpchLgAjFGWImX8
s5WXfWDpmCVMSy7ORQxX6qfUhuqSIGcKjGbi
o1Uw1n4D7LxRSqbKgLD5i+YVPyUjOipdTzZm
c+X6qfUF5lf1bXuJbto8MSORwUGyA9jbG64H
mV8xPAV3lI627RNCOretwtAl2sRMr2c15XAy
M8NLrOtLjl6xBCKe4A== )
[user@host ~/pkcs11]$
See the dnssec-signzone(1) manpage for more details on its usage.
Verify the signed zone's data
Though the signed zone's data is automatically verified as part of the signing process, we can explicitly verify the signed zone's data to check that it is signed properly using the dnssec-verify program:
[user@host ~/pkcs11]$ dnssec-verify -z -o example.com example.com.db.signed
Loading zone 'example.com' from file 'example.com.db.signed'
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 0 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
[user@host ~/pkcs11]$
See the dnssec-verify(1) manpage for more details on its usage.
This ends the example.