dnssec-keyfromlabel not working with Debian 12 (bookworm)

Gérard Parat isc.bind at lunique.fr
Sun Dec 3 18:32:34 UTC 2023


Hi,

Sorry for the typo (command is correct in strace file), here is the 
unedited log:

$ dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-ksk" -f KSK example.net
dnssec-keyfromlabel: fatal: could not initialize dst: crypto failure

Gérard

On 03/12/2023 at 19:06, Ondřej Surý wrote:
> Hi,
>
> I directly see a missing semicolon in the failed command. Please provide the full unedited log, so we can be sure that the error was not made when redacting the output.
>
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>
>> On 3. 12. 2023, at 18:41, Gérard Parat via bind-users <bind-users at lists.isc.org> wrote:
>>
>> Hi,
>>
>> I used this tutorial as a reference to set up DNSSEC with SoftHSM2:
>> https://kb.isc.org/docs/bind-9-pkcs11
>>
>> I installed the Debian package instead of building libp11:
>> libengine-pkcs11-openssl:amd64        0.4.12-0.1
>>
>> It works until reaching this command:
>> $ dnssec-keyfromlabel \
>> -E pkcs11 \
>> -a RSASHA256 \
>> -l "token=bind9object=example.net-ksk" \
>> -f KSK example.net
>> dnssec-keyfromlabel: fatal: could not initialize dst: crypto failure
>>
>> Trying directly from OpenSSL works:
>> $ openssl pkey \
>> -in "pkcs11:token=bind9;object=example.net-ksk" \
>> -inform ENGINE \
>> -engine pkcs11 \
>> -text \
>> -pubin
>> Engine "pkcs11" set.
>> RSA Public-Key: (1280 bit)
>> Exponent: 65537 (0x10001)
>>
>> Debian 12 (bookworm) uses OpenSSL version 3:
>> libssl3:amd64                         3.0.11-1~deb12u2
>> openssl                               3.0.11-1~deb12u2
>>
>> Installed BIND9 packages:
>> bind9                                 1:9.18.19-1~deb12u1
>> bind9-utils                           1:9.18.19-1~deb12u1
>> bind9-dnsutils                        1:9.18.19-1~deb12u1
>> bind9-doc                             1:9.18.19-1~deb12u1
>> bind9-libs:amd64                      1:9.18.19-1~deb12u1
>> bind9-host                            1:9.18.19-1~deb12u1
>>
>> $ dnssec-keyfromlabel -V
>> dnssec-keyfromlabel 9.18.19-1~deb12u1-Debian
>>
>> [pkcs11_section]
>> engine_id = pkcs11
>> dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>> MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
>> init = 0
>>
>> strace file:
>> https://pasteb.in/?bd9a4ecaca6ece23#E2emtt8zi9t5UsnFJ2QWKVD6ALTkZmKG9656fuZR3ArX
>>
>> It seems to be an API problem, or maybe I missed something?
>>
>> Gérard

