dnssec-keyfromlabel not working with Debian 12 (bookworm)

Ondřej Surý ondrej at isc.org
Mon Dec 4 13:58:49 UTC 2023


I've added a warning to the KB article now. Thanks for reporting this.

--
Ondřej Surý (He/Him)
ondrej at isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 4. 12. 2023, at 14:45, Gérard Parat via bind-users <bind-users at lists.isc.org> wrote:
> 
> Hi,
> 
> I'll follow your advice and postpone the use of SoftHSM2 for the time being.
> 
> Anyway, thanks for your help!
> 
> Gérard
> 
> On 04/12/2023 at 14:31, Ondřej Surý wrote:
>> Hi,
>> 
>> the guide was written for OpenSSL 1.1.x and tested with that version
>> and the engines support in OpenSSL 3.x is deprecated, so most probably
>> something got broken along the way.
>> 
>> Everything works properly with OpenSSL 1.1.x (for example on Ubuntu focal).
>> 
>> There's a new provider for OpenSSL 3.x here:
>> https://github.com/latchset/pkcs11-provider
>> 
>> The catch is that OpenSSL Provider can't really be used with SoftHSM 2,
>> because that SoftHSM2 is itself broken when used with providers:
>> https://github.com/latchset/pkcs11-provider/discussions/68#discussioncomment-3860124
>> 
>> You can try using /usr/lib/x86_64-linux-gnu/libsoftokn3.so from libnss3 as PKCS#11 library
>> instead of SoftHSM2, but unless you have a specific reason to use PKCS#11 I would
>> suggest to simply avoid it until the dust settles.
>> 
>> Adding SoftHSM2 on top of BIND 9 doesn't really increase security as the user under named
>> runs has to have access to the private key data anyway.
>> 
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ondrej at isc.org
>> 
>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>> 
>>> On 4. 12. 2023, at 0:43, Gérard Parat via bind-users <bind-users at lists.isc.org> wrote:
>>> 
>>> Hi,
>>> 
>>> Weird behavior with /opt/bind9/etc/openssl.cnf.
>>> 
>>> The only difference with /etc/ssl/openssl.cnf is the pkcs11 engine:
>>> 
>>> [openssl_init]
>>> engines=engine_section
>>> 
>>> [engine_section]
>>> pkcs11 = pkcs11_section
>>> 
>>> [pkcs11_section]
>>> engine_id = pkcs11
>>> dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>>> MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
>>> init = 0
>>> 
>>> For example, dig is not working with environment variable OPENSSL_CONF:
>>> 
>>> $ dig www.internet.nl +short
>>> 04-Dec-2023 00:39:24.280 EVP_PKEY_fromdata_init failed (crypto failure)
>>> 04-Dec-2023 00:39:24.280 error:03000096:digital envelope routines::operation not supported for this keytype:../crypto/evp/pmeth_gn.c:354:
>>> dig: dst_lib_init: crypto failure
>>> 
>>> It works if OPENSSL_CONF is undefined:
>>> 
>>> $ OPENSSL_CONF= dig www.internet.nl +short
>>> proloprod.internet.nl.
>>> 62.204.66.10
>>> 
>>> Issue seems wider than only relative to dnssec-keyfromlabel.
>>> 
>>> Gérard
>>> 
>>> On 03/12/2023 at 18:40, Gérard Parat via bind-users wrote:
>>>> Hi,
>>>> 
>>>> I used this tutorial as reference to setup DNSSEC with SoftHSM2:
>>>> https://kb.isc.org/docs/bind-9-pkcs11
>>>> 
>>>> I installed the Debian package instead of building libp11:
>>>> libengine-pkcs11-openssl:amd64        0.4.12-0.1
>>>> 
>>>> It works until reaching this command:
>>>> $ dnssec-keyfromlabel \
>>>> -E pkcs11 \
>>>> -a RSASHA256 \
>>>> -l "token=bind9;object=example.net-ksk" \
>>>> -f KSK example.net
>>>> dnssec-keyfromlabel: fatal: could not initialize dst: crypto failure
>>>> 
>>>> Trying directly from OpenSSL works:
>>>> $ openssl pkey \
>>>> -in "pkcs11:token=bind9;object=example.net-ksk" \
>>>> -inform ENGINE \
>>>> -engine pkcs11 \
>>>> -text \
>>>> -pubin
>>>> Engine "pkcs11" set.
>>>> -----BEGIN PUBLIC KEY-----
>>>> MIG/MA0GCSqGSIb3DQEBAQUAA4GtADCBqQKBoQCmhO41MX09L/BiJiU7ygXt6D7J
>>>> ujmZFMBB7tb/LJBazNp+Xd5TLHZvp1MxFBBW39swTU6oynLnp8IOIuWQNap6kyQ5
>>>> hkGusvZ/JsrwHLZ1phPBKsdEd2ClB9EfF+ReabhXRVbqrw9yz22mLdlajmkLTx2d
>>>> V6EsjJue+aSX1nxFmna6qNrZBA5ifClpKH7R/0ztQb1RlYA11RG1RGrsRSJnAgMB
>>>> AAE=
>>>> -----END PUBLIC KEY-----
>>>> RSA Public-Key: (1280 bit)
>>>> Modulus:
>>>>     00:a6:84:ee:35:31:7d:3d:2f:f0:62:26:25:3b:ca:
>>>>     05:ed:e8:3e:c9:ba:39:99:14:c0:41:ee:d6:ff:2c:
>>>>     90:5a:cc:da:7e:5d:de:53:2c:76:6f:a7:53:31:14:
>>>>     10:56:df:db:30:4d:4e:a8:ca:72:e7:a7:c2:0e:22:
>>>>     e5:90:35:aa:7a:93:24:39:86:41:ae:b2:f6:7f:26:
>>>>     ca:f0:1c:b6:75:a6:13:c1:2a:c7:44:77:60:a5:07:
>>>>     d1:1f:17:e4:5e:69:b8:57:45:56:ea:af:0f:72:cf:
>>>>     6d:a6:2d:d9:5a:8e:69:0b:4f:1d:9d:57:a1:2c:8c:
>>>>     9b:9e:f9:a4:97:d6:7c:45:9a:76:ba:a8:da:d9:04:
>>>>     0e:62:7c:29:69:28:7e:d1:ff:4c:ed:41:bd:51:95:
>>>>     80:35:d5:11:b5:44:6a:ec:45:22:67
>>>> Exponent: 65537 (0x10001)
>>>> 
>>>> Debian 12 (bookworm) uses OpenSSL version 3:
>>>> libssl3:amd64                         3.0.11-1~deb12u2
>>>> openssl                               3.0.11-1~deb12u2
>>>> 
>>>> Installed BIND9 packages:
>>>> bind9                                 1:9.18.19-1~deb12u1
>>>> bind9-utils                           1:9.18.19-1~deb12u1
>>>> bind9-dnsutils                        1:9.18.19-1~deb12u1
>>>> bind9-doc                             1:9.18.19-1~deb12u1
>>>> bind9-libs:amd64                      1:9.18.19-1~deb12u1
>>>> bind9-host                            1:9.18.19-1~deb12u1
>>>> 
>>>> $ dnssec-keyfromlabel -V
>>>> dnssec-keyfromlabel 9.18.19-1~deb12u1-Debian
>>>> 
>>>> [pkcs11_section]
>>>> engine_id = pkcs11
>>>> dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>>>> MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
>>>> init = 0
>>>> 
>>>> strace file:
>>>> https://pasteb.in/?bd9a4ecaca6ece23#E2emtt8zi9t5UsnFJ2QWKVD6ALTkZmKG9656fuZR3ArX
>>>> 
>>>> It seems to be an API problem, or maybe I missed something?
>>>> 
>>>> Gérard
>>> -- 
>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>> 
>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>> 
>>> 
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
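The thread's diagnosis is that once OPENSSL_CONF points at a config with a pkcs11 engine section, every OpenSSL-linked BIND 9 tool (dig as well as dnssec-keyfromlabel) fails in dst_lib_init on OpenSSL 3.x, where the ENGINE API is deprecated. The script below is an added example, not code from the thread, from ISC or from the Debian packages: it statically walks an openssl.cnf to list which engine modules the config would load, so an operator can tell whether a given OPENSSL_CONF pulls in a deprecated engine before pointing named or the dnssec tools at it. The two embedded configs are constructed (the engine part mirrors the one posted above, the rest is a minimal stand-in for a stock Debian openssl.cnf). It assumes the entry section is named by `openssl_conf` in the default section and falls back to a section called `openssl_init`; `$var` expansion and `.include` are not handled.

```python
"""Added example: list the ENGINE modules an openssl.cnf would load.

Not part of the thread, ISC's KB article or the Debian packages.  Written to
check an OPENSSL_CONF candidate before BIND 9 tools inherit it on OpenSSL 3.x.
"""
import re
from typing import Dict, List

Config = Dict[str, Dict[str, str]]


def parse_openssl_cnf(text: str) -> Config:
    """Minimal openssl.cnf parser returning {section: {key: value}}.

    Keys before the first [section] go into the "" (default) section.
    '#' comments and blank lines are skipped.  $var expansion and .include
    directives are deliberately not implemented (assumption: not needed for
    the engine lookup shown here)."""
    sections: Config = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[\s*([^\]]+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def engines_loaded(cfg: Config) -> List[Dict[str, str]]:
    """Follow openssl_conf -> [init section] -> engines -> [engine list]
    -> [per-engine section] and return one record per engine that the
    config would load.  Assumption: the entry section is named by
    `openssl_conf` in the default section, with `openssl_init` (the name
    used in the thread's config) as the fallback."""
    init_name = cfg.get("", {}).get("openssl_conf", "openssl_init")
    engine_list = cfg.get(init_name, {}).get("engines")
    if not engine_list:
        return []
    records = []
    for name, section in cfg.get(engine_list, {}).items():
        eng = cfg.get(section, {})
        records.append({
            "name": name,
            "engine_id": eng.get("engine_id", name),
            "dynamic_path": eng.get("dynamic_path", ""),
            "MODULE_PATH": eng.get("MODULE_PATH", ""),
            "init": eng.get("init", ""),
        })
    return records


def check_config(text: str) -> List[str]:
    """One finding per engine the config would load; an empty list means the
    config pulls in no deprecated ENGINE module."""
    findings = []
    for e in engines_loaded(parse_openssl_cnf(text)):
        findings.append(
            f"engine '{e['engine_id']}' loaded from "
            f"{e['dynamic_path'] or '<builtin>'} with "
            f"MODULE_PATH={e['MODULE_PATH'] or '<unset>'} "
            f"(init={e['init'] or 'default'}); the ENGINE API is deprecated "
            "in OpenSSL 3.x and every tool honouring OPENSSL_CONF "
            "(dig, dnssec-keyfromlabel, named) will try to load it"
        )
    return findings


# Constructed: minimal stand-in for a stock Debian /etc/ssl/openssl.cnf.
STOCK_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect

[default_sect]
activate = 1
"""

# Constructed: the same file plus the engine section posted in the thread.
THREAD_CNF = STOCK_CNF.replace(
    "providers = provider_sect",
    "providers = provider_sect\nengines=engine_section",
) + """
[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
init = 0
"""

if __name__ == "__main__":
    for label, cnf in (("stock", STOCK_CNF), ("thread", THREAD_CNF)):
        print(f"{label}: {check_config(cnf) or ['no engines loaded']}")
```

To run it against a real file, read the candidate config and pass its text to check_config(); a non-empty result is the case the thread describes, and the quick runtime confirmation remains the one Gérard used, comparing `dig` with OPENSSL_CONF set and with `OPENSSL_CONF=` cleared.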


