dnssec-keyfromlabel not working with Debian 12 (bookworm)
Ondřej Surý
ondrej at isc.org
Mon Dec 4 13:58:49 UTC 2023
I've added a warning to the KB article now. Thanks for reporting this.
--
Ondřej Surý (He/Him)
ondrej at isc.org
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> On 4. 12. 2023, at 14:45, Gérard Parat via bind-users <bind-users at lists.isc.org> wrote:
>
> Hi,
>
> I'll follow your advice ans postpone the use of SoftHSM2 for the time being.
>
> Anyway, thanks for your help!
>
> Gérard
>
> Le 04/12/2023 à 14:31, Ondřej Surý a écrit :
>> Hi,
>>
>> the guide was written for OpenSSL 1.1.x and tested with that version
>> and the engines support in OpenSSL 3.x is deprecated, so most probably
>> something got broken along the way.
>>
>> Everything works properly with OpenSSL 1.1.x (for example on Ubuntu focal).
>>
>> There's a new provider for OpenSSL 3.x here:
>> https://github.com/latchset/pkcs11-provider
>>
>> The catch is that OpenSSL Provider can't really be used with SoftHSM 2,
>> because that SoftHSM2 is itself broken when used with providers:
>> https://github.com/latchset/pkcs11-provider/discussions/68#discussioncomment-3860124
>>
>> You can try using /usr/lib/x86_64-linux-gnu/libsoftokn3.so <http://libsoftokn3.so/> from libnss3 as PKCS#11 library
>> instead of SoftHSM2, but unless you have a specific reason to use PKCS#11 I would
>> suggest to simply avoid it until the dust settles.
>>
>> Adding SoftHSM2 on top of BIND 9 doesn't really increase security as the user under named
>> runs has to have access to the private key data anyway.
>>
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ondrej at isc.org
>>
>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>>
>>> On 4. 12. 2023, at 0:43, Gérard Parat via bind-users <bind-users at lists.isc.org> wrote:
>>>
>>> Hi,
>>>
>>> Weird behavior with /opt/bind9/etc/openssl.cnf.
>>>
>>> The only difference with /etc/ssl/openssl.cnf is the pkcs11 engine:
>>>
>>> [openssl_init]
>>>
>>> engines=engine_section
>>>
>>> [engine_section]
>>>
>>> pkcs11 = pkcs11_section
>>>
>>> [pkcs11_section]
>>>
>>> engine_id = pkcs11
>>>
>>> dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>>>
>>> MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
>>>
>>> init = 0
>>>
>>> For example, dig is not working with environment variable OPENSSL_CONF:
>>>
>>> $ dig www.internet.nl +short
>>> 04-Dec-2023 00:39:24.280 EVP_PKEY_fromdata_init failed (crypto failure)
>>> 04-Dec-2023 00:39:24.280 error:03000096:digital envelope routines::operation not supported for this keytype:../crypto/evp/pmeth_gn.c:354:
>>> dig: dst_lib_init: crypto failure
>>>
>>> It works if OPENSSL_CONF is undefined:
>>>
>>> $ OPENSSL_CONF= dig www.internet.nl +short
>>> proloprod.internet.nl.
>>> 62.204.66.10
>>>
>>> Issue seems wider than only relative to dnssec-keyfromlabel.
>>>
>>> Gérard
>>>
>>> Le 03/12/2023 à 18:40, Gérard Parat via bind-users a écrit :
>>>> Hi,
>>>>
>>>> I used this tutorial as reference to setup DNSSEC with SoftHSM2:
>>>> https://kb.isc.org/docs/bind-9-pkcs11
>>>>
>>>> I installed the Debian package instead of building libp11:
>>>> libengine-pkcs11-openssl:amd64 0.4.12-0.1
>>>>
>>>> It works until reaching this command:
>>>> $ dnssec-keyfromlabel \
>>>> -E pkcs11 \
>>>> -a RSASHA256 \
>>>> -l "token=bind9object=example.net-ksk" \
>>>> -f KSK example.net
>>>> dnssec-keyfromlabel: fatal: could not initialize dst: crypto failure
>>>>
>>>> Trying directly from OpenSSL works:
>>>> $ openssl pkey \
>>>> -in "pkcs11:token=bind9;object=example.net-ksk" \
>>>> -inform ENGINE \
>>>> -engine pkcs11 \
>>>> -text \
>>>> -pubin
>>>> Engine "pkcs11" set.
>>>> -----BEGIN PUBLIC KEY-----
>>>> MIG/MA0GCSqGSIb3DQEBAQUAA4GtADCBqQKBoQCmhO41MX09L/BiJiU7ygXt6D7J
>>>> ujmZFMBB7tb/LJBazNp+Xd5TLHZvp1MxFBBW39swTU6oynLnp8IOIuWQNap6kyQ5
>>>> hkGusvZ/JsrwHLZ1phPBKsdEd2ClB9EfF+ReabhXRVbqrw9yz22mLdlajmkLTx2d
>>>> V6EsjJue+aSX1nxFmna6qNrZBA5ifClpKH7R/0ztQb1RlYA11RG1RGrsRSJnAgMB
>>>> AAE=
>>>> -----END PUBLIC KEY-----
>>>> RSA Public-Key: (1280 bit)
>>>> Modulus:
>>>> 00:a6:84:ee:35:31:7d:3d:2f:f0:62:26:25:3b:ca:
>>>> 05:ed:e8:3e:c9:ba:39:99:14:c0:41:ee:d6:ff:2c:
>>>> 90:5a:cc:da:7e:5d:de:53:2c:76:6f:a7:53:31:14:
>>>> 10:56:df:db:30:4d:4e:a8:ca:72:e7:a7:c2:0e:22:
>>>> e5:90:35:aa:7a:93:24:39:86:41:ae:b2:f6:7f:26:
>>>> ca:f0:1c:b6:75:a6:13:c1:2a:c7:44:77:60:a5:07:
>>>> d1:1f:17:e4:5e:69:b8:57:45:56:ea:af:0f:72:cf:
>>>> 6d:a6:2d:d9:5a:8e:69:0b:4f:1d:9d:57:a1:2c:8c:
>>>> 9b:9e:f9:a4:97:d6:7c:45:9a:76:ba:a8:da:d9:04:
>>>> 0e:62:7c:29:69:28:7e:d1:ff:4c:ed:41:bd:51:95:
>>>> 80:35:d5:11:b5:44:6a:ec:45:22:67
>>>> Exponent: 65537 (0x10001)
>>>>
>>>> Debian 12 (bookworm) use OpenSSL version 3:
>>>> libssl3:amd64 3.0.11-1~deb12u2
>>>> openssl 3.0.11-1~deb12u2
>>>>
>>>> Installed BIND9 packages:
>>>> bind9 1:9.18.19-1~deb12u1
>>>> bind9-utils 1:9.18.19-1~deb12u1
>>>> bind9-dnsutils 1:9.18.19-1~deb12u1
>>>> bind9-doc 1:9.18.19-1~deb12u1
>>>> bind9-libs:amd64 1:9.18.19-1~deb12u1
>>>> bind9-host 1:9.18.19-1~deb12u1
>>>>
>>>> $ dnssec-keyfromlabel -V
>>>> dnssec-keyfromlabel 9.18.19-1~deb12u1-Debian
>>>>
>>>> [pkcs11_section]
>>>> engine_id = pkcs11
>>>> dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>>>> MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
>>>> init = 0
>>>>
>>>> strace file:
>>>> https://pasteb.in/?bd9a4ecaca6ece23#E2emtt8zi9t5UsnFJ2QWKVD6ALTkZmKG9656
>>>> fuZR3ArX
>>>>
>>>> It seems to be an API problem or maybe I missed something ?
>>>>
>>>> Gérard
>>> --
>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>
>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list