dnssec-keyfromlabel not working with Debian 12 (bookworm)

Ondřej Surý ondrej at isc.org
Mon Dec 4 13:31:13 UTC 2023


Hi,

the guide was written for OpenSSL 1.1.x and tested with that version,
and engine support in OpenSSL 3.x is deprecated, so most probably
something got broken along the way.

Everything works properly with OpenSSL 1.1.x (for example on Ubuntu focal).

There's a new provider for OpenSSL 3.x here:
https://github.com/latchset/pkcs11-provider

The catch is that the OpenSSL provider can't really be used with SoftHSM 2,
because SoftHSM2 itself is broken when used with providers:
https://github.com/latchset/pkcs11-provider/discussions/68#discussioncomment-3860124

You can try using /usr/lib/x86_64-linux-gnu/libsoftokn3.so from libnss3 as the PKCS#11 library
instead of SoftHSM2, but unless you have a specific reason to use PKCS#11 I would
suggest simply avoiding it until the dust settles.

Adding SoftHSM2 on top of BIND 9 doesn't really increase security, as the user that named
runs under has to have access to the private key data anyway.

Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 4. 12. 2023, at 0:43, Gérard Parat via bind-users <bind-users at lists.isc.org> wrote:
> 
> Hi,
> 
> Weird behavior with /opt/bind9/etc/openssl.cnf.
> 
> The only difference with /etc/ssl/openssl.cnf is the pkcs11 engine:
> 
> [openssl_init]
> engines=engine_section
> 
> [engine_section]
> pkcs11 = pkcs11_section
> 
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
> MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
> init = 0
> 
> For example, dig is not working with the OPENSSL_CONF environment variable set:
> 
> $ dig www.internet.nl +short
> 04-Dec-2023 00:39:24.280 EVP_PKEY_fromdata_init failed (crypto failure)
> 04-Dec-2023 00:39:24.280 error:03000096:digital envelope routines::operation not supported for this keytype:../crypto/evp/pmeth_gn.c:354:
> dig: dst_lib_init: crypto failure
> 
> It works if OPENSSL_CONF is undefined:
> 
> $ OPENSSL_CONF= dig www.internet.nl +short
> proloprod.internet.nl.
> 62.204.66.10
> 
> The issue seems wider than just dnssec-keyfromlabel.
> 
> Gérard
> 
> On 03/12/2023 at 18:40, Gérard Parat via bind-users wrote:
>> Hi,
>> 
>> I used this tutorial as reference to setup DNSSEC with SoftHSM2:
>> https://kb.isc.org/docs/bind-9-pkcs11
>> 
>> I installed the Debian package instead of building libp11:
>> libengine-pkcs11-openssl:amd64        0.4.12-0.1
>> 
>> It works until reaching this command:
>> $ dnssec-keyfromlabel \
>> -E pkcs11 \
>> -a RSASHA256 \
>> -l "token=bind9;object=example.net-ksk" \
>> -f KSK example.net
>> dnssec-keyfromlabel: fatal: could not initialize dst: crypto failure
>> 
>> Trying directly from OpenSSL works:
>> $ openssl pkey \
>> -in "pkcs11:token=bind9;object=example.net-ksk" \
>> -inform ENGINE \
>> -engine pkcs11 \
>> -text \
>> -pubin
>> Engine "pkcs11" set.
>> -----BEGIN PUBLIC KEY-----
>> MIG/MA0GCSqGSIb3DQEBAQUAA4GtADCBqQKBoQCmhO41MX09L/BiJiU7ygXt6D7J
>> ujmZFMBB7tb/LJBazNp+Xd5TLHZvp1MxFBBW39swTU6oynLnp8IOIuWQNap6kyQ5
>> hkGusvZ/JsrwHLZ1phPBKsdEd2ClB9EfF+ReabhXRVbqrw9yz22mLdlajmkLTx2d
>> V6EsjJue+aSX1nxFmna6qNrZBA5ifClpKH7R/0ztQb1RlYA11RG1RGrsRSJnAgMB
>> AAE=
>> -----END PUBLIC KEY-----
>> RSA Public-Key: (1280 bit)
>> Modulus:
>>     00:a6:84:ee:35:31:7d:3d:2f:f0:62:26:25:3b:ca:
>>     05:ed:e8:3e:c9:ba:39:99:14:c0:41:ee:d6:ff:2c:
>>     90:5a:cc:da:7e:5d:de:53:2c:76:6f:a7:53:31:14:
>>     10:56:df:db:30:4d:4e:a8:ca:72:e7:a7:c2:0e:22:
>>     e5:90:35:aa:7a:93:24:39:86:41:ae:b2:f6:7f:26:
>>     ca:f0:1c:b6:75:a6:13:c1:2a:c7:44:77:60:a5:07:
>>     d1:1f:17:e4:5e:69:b8:57:45:56:ea:af:0f:72:cf:
>>     6d:a6:2d:d9:5a:8e:69:0b:4f:1d:9d:57:a1:2c:8c:
>>     9b:9e:f9:a4:97:d6:7c:45:9a:76:ba:a8:da:d9:04:
>>     0e:62:7c:29:69:28:7e:d1:ff:4c:ed:41:bd:51:95:
>>     80:35:d5:11:b5:44:6a:ec:45:22:67
>> Exponent: 65537 (0x10001)
>> 
>> Debian 12 (bookworm) uses OpenSSL version 3:
>> libssl3:amd64                         3.0.11-1~deb12u2
>> openssl                               3.0.11-1~deb12u2
>> 
>> Installed BIND9 packages:
>> bind9                                 1:9.18.19-1~deb12u1
>> bind9-utils                           1:9.18.19-1~deb12u1
>> bind9-dnsutils                        1:9.18.19-1~deb12u1
>> bind9-doc                             1:9.18.19-1~deb12u1
>> bind9-libs:amd64                      1:9.18.19-1~deb12u1
>> bind9-host                            1:9.18.19-1~deb12u1
>> 
>> $ dnssec-keyfromlabel -V
>> dnssec-keyfromlabel 9.18.19-1~deb12u1-Debian
>> 
>> [pkcs11_section]
>> engine_id = pkcs11
>> dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>> MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
>> init = 0
>> 
>> strace file:
>> https://pasteb.in/?bd9a4ecaca6ece23#E2emtt8zi9t5UsnFJ2QWKVD6ALTkZmKG9656fuZR3ArX
>> 
>> It seems to be an API problem, or maybe I missed something?
>> 
>> Gérard
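An added example, not code from the thread, ISC, OpenSSL or the pkcs11-provider project: a small Python checker that parses an OpenSSL configuration and reports whether it activates the deprecated ENGINE path quoted above (the layout that breaks dig and dnssec-keyfromlabel once OPENSSL_CONF points at it) or an OpenSSL 3.x provider. The engine sample reproduces the sections Gérard posted; the provider sample, its option names (`module`, `pkcs11-module-path`, `activate`) and its module paths are assumptions taken from the pkcs11-provider documentation and should be checked against your distribution.

```python
"""Inspect an OpenSSL config and report what it would load (added example)."""
import re

SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
PAIR_RE = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*$")

# Constructed sample 1: the deprecated ENGINE setup from the thread, plus the
# top-level `openssl_conf` pointer that the distribution's openssl.cnf carries.
ENGINE_CONF = """\
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
init = 0
"""

# Constructed sample 2: the OpenSSL 3.x provider equivalent. Layout and option
# names are assumed from the pkcs11-provider docs; paths are placeholders.
PROVIDER_CONF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_section

[provider_section]
default = default_section
pkcs11 = pkcs11_section

[default_section]
activate = 1

[pkcs11_section]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib/softhsm/libsofthsm2.so
activate = 1
"""


def parse_openssl_conf(text):
    """Return {section: {key: value}}; keys before any header go under ''."""
    sections = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        head = SECTION_RE.match(line)
        if head:
            current = sections.setdefault(head.group(1), {})
            continue
        pair = PAIR_RE.match(line)
        if pair:
            current[pair.group(1)] = pair.group(2)  # keys stay case-sensitive
    return sections


def _section(conf, name):
    """Look up a named section; an absent name yields nothing, not the root."""
    return conf.get(name, {}) if name else {}


def inspect_openssl_conf(text):
    """Follow openssl_conf -> engines/providers and list what would be loaded."""
    conf = parse_openssl_conf(text)
    init = _section(conf, conf[""].get("openssl_conf", "openssl_init"))
    report = {"engines": [], "providers": []}
    for name, sect in _section(conf, init.get("engines")).items():
        s = _section(conf, sect)
        report["engines"].append({
            "name": name,
            "engine_id": s.get("engine_id", name),
            "dynamic_path": s.get("dynamic_path"),
            "module": s.get("MODULE_PATH"),
        })
    for name, sect in _section(conf, init.get("providers")).items():
        s = _section(conf, sect)
        report["providers"].append({
            "name": name,
            "module": s.get("module"),
            "pkcs11_module": s.get("pkcs11-module-path"),
            "activate": s.get("activate") == "1",
        })
    return report


def findings(text):
    """Warnings worth reading before exporting OPENSSL_CONF system-wide."""
    report = inspect_openssl_conf(text)
    out = []
    for eng in report["engines"]:
        out.append(f"engine '{eng['engine_id']}' is loaded by every process that "
                   f"reads this config; ENGINE support is deprecated in OpenSSL 3.x")
    for prov in report["providers"]:
        if prov["name"] == "pkcs11" and not prov["pkcs11_module"]:
            out.append("pkcs11 provider section lacks pkcs11-module-path")
    if report["providers"] and not any(
            p["name"] == "default" and p["activate"] for p in report["providers"]):
        out.append("no active 'default' provider: once any provider is activated "
                   "by config, OpenSSL 3.x no longer loads the default one implicitly")
    return out


if __name__ == "__main__":
    for label, conf in (("engine config", ENGINE_CONF), ("provider config", PROVIDER_CONF)):
        print(label, inspect_openssl_conf(conf), findings(conf) or "no findings")
```

The checker resolves the same indirection OpenSSL does (`openssl_conf` → init section → `engines` or `providers` → per-engine/provider section), so it also catches the common provider-side mistake of activating the pkcs11 provider without also activating `default`, which leaves ordinary crypto unavailable to every OpenSSL-linked program that reads the file.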