Description
ICANN TLD owners can claim their names on Handshake following the reserved name-claim process. However, TXT records are prohibited in the apex of a TLD zone, so those users will have to use the bns-prove tool to create the DNSSEC proof outside the legacy DNS. The tool currently requires direct access to the ZSK and KSK:
From https://hsd-dev.org/guides/claims.html:

> The private keys themselves must be stored in BIND’s private key format (v1.3) and naming convention.
This poses a problem to TLD owners who use secure hardware to sign DNSSEC messages.
One solution could be adding two additional functions to bns-prove:
- Format the claim TXT record in such a way that HSMs can sign it. This may be unnecessary since the HSM operator likely already has a process in place for signing DNS records with the machine. Formatting the TXT signing request with PKCS#11 may refine this process.
- Combine the signed TXT as returned by the HSM into the root of the DNSSEC proof so the Handshake claim transaction can be completed and submitted to the network.
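To make both steps concrete, here is an added example (not code from bns-prove or hsd) that builds the exact octet string RFC 4034 §3.1.8.1 says an RRSIG signature covers for a TXT RRset at a TLD apex, which is what an external signer such as an HSM would be handed, and then reassembles the finished RRSIG RDATA from the raw signature the HSM returns. The TLD name, TXT text, algorithm number, key tag and timestamps used with it are constructed sample values, and the real claim text comes from the bns-prove/hsd process.

```javascript
// Added example, not part of bns-prove: RFC 4034 §3.1.8.1 signing input for an
// apex TXT RRset (what an HSM behind PKCS#11 would sign) and the "combine" step
// that turns the HSM's raw signature into complete RRSIG RDATA.
// All names, TXT strings and numeric parameters used with it are constructed samples.
const TYPE_TXT = 16, CLASS_IN = 1;

// Canonical wire-format name (RFC 4034 §6.2): lowercase, length-prefixed labels, root 0.
function nameToWire(name) {
  const labels = name.toLowerCase().replace(/\.$/, '').split('.').filter(Boolean);
  return Buffer.concat([...labels.map(l => Buffer.from([l.length, ...Buffer.from(l, 'ascii')])),
                        Buffer.from([0])]);
}
const labelCount = name => name.replace(/\.$/, '').split('.').filter(Boolean).length;

// TXT RDATA: one or more <character-string>s, each a length octet plus at most 255 octets.
function txtRdata(strings) {
  return Buffer.concat(strings.map(s => {
    const b = Buffer.from(s, 'utf8');
    if (b.length > 255) throw new Error('TXT character-string exceeds 255 octets');
    return Buffer.concat([Buffer.from([b.length]), b]);
  }));
}

// RRSIG RDATA with the Signature field omitted (RFC 4034 §3.1); p holds plain integers.
function rrsigPrefix(p) {
  const b = Buffer.alloc(18);
  b.writeUInt16BE(p.typeCovered, 0); b.writeUInt8(p.algorithm, 2); b.writeUInt8(p.labels, 3);
  b.writeUInt32BE(p.origTtl, 4); b.writeUInt32BE(p.expiration, 8);
  b.writeUInt32BE(p.inception, 12); b.writeUInt16BE(p.keyTag, 16);
  return Buffer.concat([b, nameToWire(p.signerName)]);
}

// What the HSM signs: RRSIG prefix || each RR in canonical form, RRs ordered by RDATA.
function signingInput(owner, ttl, rdatas, p) {
  const ownerWire = nameToWire(owner);
  const rrs = [...rdatas].sort(Buffer.compare).map(rd => {
    const h = Buffer.alloc(10);
    h.writeUInt16BE(TYPE_TXT, 0); h.writeUInt16BE(CLASS_IN, 2);
    h.writeUInt32BE(ttl, 4); h.writeUInt16BE(rd.length, 8);
    return Buffer.concat([ownerWire, h, rd]);
  });
  return Buffer.concat([rrsigPrefix(p), ...rrs]);
}

// Combine step: the raw signature returned by the HSM is appended to the same prefix,
// giving the RRSIG RDATA that goes into the proof next to the TXT RR it covers.
function assembleRrsig(p, signature) {
  return Buffer.concat([rrsigPrefix(p), signature]);
}
```

The `labels`, TTL, inception, expiration and key tag passed in must match the ZSK that the HSM holds, otherwise validators will reject the RRSIG even though the signature bytes are correct.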