DNSSEC with BIND and native PKCS#11 support (BIND & SoftHSM)
Bind 9.10.0-P1 supports the native PKCS#11 mode, instead of the openssl based PKCS#11. You can either compile it with (
./configure --enable-native-pkcs11 \) or install prebuilt packages.
Upon writing this blog, Fedora 23, has built-in bind-9.10.3-7.P2 and SoftHSM (Software based HSM)
SoftHSM is an implementation of a cryptographic store accessible through a PKCS #11 interface
Install the required packages
dnf install bind-chroot bind-pkcs11 softhsm bind-pkcs11-utils
Initialize the SoftHSM repository
# softhsm2-util --init-token 0 --slot 0 --label softhsm
enter the user and security pin
Generate the keys (Key Signing Key and Zone Signing Key)
You may use the algorithm and key size depends on your requirement.
# pkcs11-keygen -a RSASHA256 -b 2048 -l sample_ksk
# pkcs11-keygen -a RSASHA256 -b 2048 -l sample_zsk
object: handle 2 class 2 label 'sample_ksk' id
object: handle 3 class 2 label 'sample_ksk' id
object: handle 4 class 3 label 'sample_zsk' id
object: handle 5 class 3 label 'sample_zsk' id
Create a pair of BIND9 key files using dnssec-keyfromlabel-pkcs11 utility, since we are using pkcs#11 backend the label must be pkcs#11 uri format. Don’t know how safe it is to store the pin on the file system, but yes we have to create a text file with the HSM pin. Not sure if the dnssec-keyfromlabel can prompt for the pin.
# dnssec-keyfromlabel-pkcs11 -a RSASHA256 -f KSK -l 'pkcs11:object=sample_ksk;pin-source=/etc/token_pin' example.com
# dnssec-keyfromlabel-pkcs11 -a RSASHA256 -l 'pkcs11:object=sample_zsk;pin-source=/etc/token_pin' example.com
The resulting files can be used to sign the zone, as per the BIND documentation – “Unlike the normal K* files, which contain both public and private key data, these files will contain only the public key data, plus an identifier for the private key which remains stored within the HSM. Signing with the private key takes place inside the HSM.”
Include the keys in zone file or specify the key path on the named configuration.
echo "$INCLUDE Kexample.com.+005+46938.key" >> example.com.zone
echo "$INCLUDE Kexample.com.+005+46939.key" >> example.com.zone
Signing the zones
# dnssec-signzone-pkcs11 example.com
Verifying the zone using the following algorithms: RSASHA2.
Zone fully signed:
Algorithm: RSASHA2: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
# head example.com.signed
; File written on Mon Jan 18 16:02:19 2016
; dnssec_signzone version 9.10.3-P2-RedHat-9.10.3-7.P2.fc23
Reference: BIND 9 Administrator Reference Manual
4 replies on “DNSSEC with BIND 9.10 and native PKCS#11”
Thanks for your concise, informative blog entry.
Most likely you also had installed bind-pkcs11-utils in order to get the dnssec-*-pkcs11 tools.
Maybe you want to add it as a fourth package in your second paragraph “dnf install … bind-pkcs11-utils”.
Further, it is worth mentioning, that there must not be any trailing (white space) characters after the PIN in /etc/token_pin, e.g. use for example:
# echo -n “1234” > /etc/token_pin
# hexdump /etc/token_pin
0000000 3231 3433
Because otherwise, I ran into the same error as you did:
“pk11.c:649: fatal error: pkcs_C_Login: Error = 0x000000A0”
Thanks! you are right, it was hard to notice the trailing space.
Thanks for the suggestion, updated the post.