BIND 9.10.0b1 is now available

Evan Hunt each at isc.org
Mon Mar 17 17:51:33 UTC 2014


> | Has anyone tried this yet? - either using SoftHSM or a Thales HSM?
> | 
> | I have access to a totally unconfigured Thales netShield Connect 500.
> | 
> | Without reading *all* the manuals - anyone have a HowTo setup to make
> | one of these beasties talk PKCS#11...  a Goto page XX is acceptable..
> 
> For the FreeBSD port for 9.10 that I'm currently writing (as the beta comes
> out) it seems you can only build it either with openssl or with
> native-pkcs11, which is a bit strange.

Well, it's kinda the point: Our previous pkcs11 support required you to
patch and build a local version of openssl with code that was originally
contributed by the OpenSolaris project and has been maintained for the past
few years by ISC, but has never been accepted into upstream openssl. Every
crypto function used by BIND would be sent to this alternate openssl, which
would then translate the call into pkcs11 primitives and send them to the
HSM.

This new code uses pkcs11 for all crypto, instead of using openssl as a
shim.  So yes, you can build with either native pkcs11 or openssl, but
not both.

(The advantage of the openssl version is it can fill in functional gaps
when your HSM doesn't supply *all* the pkcs11 functions.  Some HSMs
don't provide hashing services or random number generation, for example.
If you're using such an HSM then native pkcs11 can't do all crypto things
BIND needs done.)

> As for trying it, no, making it compile is already somewhat a challenge...

I haven't tried it with Thales personally, but one of my colleagues has.
For SoftHSM, you have to build the latest v2 code out of their git
repository; there's no tarball you can download as yet.  Once you've
built it and initialized it according to their instructions, configure
BIND and test it:

  $ ./configure --enable-native-pkcs11 --with-pkcs11=/path/to/libsofthsm.so
  $ make
  $ cd bin/tests/system
  $ sudo sh ifconfig.sh up
  $ sh run.sh pkcs11

If the test passes, then pkcs11 is working.  It should work the same with
Thales, as long as the HSM is running and the pkcs11 provider library is
accessible.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
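The message above explains that a native-pkcs11 build of BIND needs the HSM itself to supply every primitive, hashing and random number generation included, while the openssl build can fill such gaps. The following is an added example, not code from the post or from ISC, showing one way to check a token's advertised capabilities before choosing the build. It assumes the text format printed by OpenSC's `pkcs11-tool -M` (mechanism list) and `pkcs11-tool -T` (token info, where the CKF_RNG flag appears as "rng"); the sample listings embedded below are constructed, not captured from a real HSM, and the set of mechanisms treated as required is this example's own assumption rather than BIND's official checklist.

```python
"""Added example (not from the original post): decide whether a PKCS#11
token advertises the primitives a native-pkcs11 build of BIND relies on,
or whether the openssl build is needed to fill the gaps.

Assumed input: text output of OpenSC's `pkcs11-tool -M` and `pkcs11-tool -T`.
"""
import re

# Assumed requirements for this example: digest mechanisms for the
# DNSSEC hash algorithms, at least one RSA signing mechanism, and the
# token's CKF_RNG flag (random number generation on the HSM).
REQUIRED_DIGESTS = {"SHA-1", "SHA256", "SHA384", "SHA512"}
REQUIRED_SIGNERS = {"RSA-PKCS"}


def parse_mechanisms(text):
    """Parse `pkcs11-tool -M` output into {mechanism_name: set(flags)}."""
    mechs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):      # skip the header line
            continue
        # keySize={min,max} contains a comma; drop it before splitting.
        line = re.sub(r"keySize=\{[^}]*\}", "", line)
        parts = [p.strip() for p in line.split(",")]
        name, flags = parts[0], {p for p in parts[1:] if p}
        mechs[name] = flags
    return mechs


def token_has_rng(info_text):
    """Return True if the `token flags` line of `pkcs11-tool -T` lists rng."""
    for line in info_text.splitlines():
        if line.strip().lower().startswith("token flags"):
            flags = line.split(":", 1)[1]
            return "rng" in {f.strip().lower() for f in flags.split(",")}
    return False


def assess(mech_text, info_text):
    """Report which required capabilities the token does not advertise."""
    mechs = parse_mechanisms(mech_text)
    digests = {m for m, f in mechs.items() if "digest" in f}
    signers = {m for m, f in mechs.items() if "sign" in f}
    missing = sorted(REQUIRED_DIGESTS - digests)
    if not REQUIRED_SIGNERS & signers:
        missing.append("RSA-PKCS signing")
    if not token_has_rng(info_text):
        missing.append("CKF_RNG")
    return {"native_pkcs11_ok": not missing, "missing": missing}


# Constructed sample listings (not from a real HSM).
FULL_MECHS = """\
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  RSA-PKCS, keySize={1024,4096}, hw, decrypt, sign, verify
  SHA256-RSA-PKCS, keySize={1024,4096}, hw, sign, verify
"""
FULL_INFO = "  token flags        : login required, PIN initialized, token initialized, rng\n"

SIGN_ONLY_MECHS = """\
Supported mechanisms:
  RSA-PKCS, keySize={1024,4096}, hw, sign, verify
"""
SIGN_ONLY_INFO = "  token flags        : login required, token initialized\n"


if __name__ == "__main__":
    for label, m, i in (("full", FULL_MECHS, FULL_INFO),
                        ("sign-only", SIGN_ONLY_MECHS, SIGN_ONLY_INFO)):
        r = assess(m, i)
        verdict = "native-pkcs11 build" if r["native_pkcs11_ok"] else "openssl build"
        print(f"{label}: {verdict}; missing={r['missing']}")
```

A token that reports every digest, a signing mechanism and the rng flag can back the native build; one that only signs needs the openssl build so that hashing and random numbers come from software.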