
www.thales-esecurity.com

Thales e-Security

ISC BIND DNSSEC
Integration Guide

Version: 2.0
Date: 03 July 2014
Copyright 2014 Thales UK Limited. All rights reserved.
Copyright in this document is the property of Thales UK Limited. It is not to be reproduced, modified,
adapted, published, translated in any material form (including storage in any medium by electronic
means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party
without the prior written permission of Thales UK Limited neither shall it be used otherwise than for the
purpose for which it is supplied.
Words and logos marked with or are trademarks of Thales UK Limited or its affiliates in the EU
and other countries.
Information in this document is subject to change without notice.
Thales UK Limited makes no warranty of any kind with regard to this information, including, but not
limited to, the implied warranties of merchantability and fitness for a particular purpose. Thales UK
Limited shall not be liable for errors contained herein or for incidental or consequential damages
concerned with the furnishing, performance or use of this material.

Contents

Chapter 1: Introduction
    Product configurations
    Supported Thales functionality
    Requirements
    This guide
    More information
Chapter 2: Procedures
    Installing the HSM
    Installing the software
    Installing and configuring OpenSSL and BIND
        To configure OpenSSL
        To configure and verify BIND
    Signing a zone using the HSM (page 10)
        Creating an example zone file (page 10)
        Generating the Key Signing Key (KSK) and Zone Signing Key (ZSK) (page 12)
        Generating the KSK (page 13)
        Generating the ZSK (page 15)
        Signing the zone (page 16)
        Verifying DNSSEC (page 17)
Chapter 3: Troubleshooting (page 19)
Internet addresses (page 21)

Chapter 1: Introduction
The Domain Name System (DNS) is the backbone of the Internet. It is a global address book for
computers: it resolves host names to IP addresses, enabling computers across the Internet to
exchange information such as Web pages and files.
However, DNS is vulnerable to attack. For example, an attacker who can forge or tamper with DNS
responses can redirect traffic to computers under their control. The DNS Security Extensions
(DNSSEC) address this problem. DNSSEC adds public-key signatures to DNS data so that a validating
resolver can check the authenticity and integrity of a lookup response and so maintain the integrity
of the DNS address book. DNSSEC does not encrypt DNS traffic and provides no confidentiality.
For DNSSEC to function properly, it is essential that the private keys, the Zone Signing Key (ZSK)
and the Key Signing Key (KSK), are protected. Typically, the DNS server stores these keys in software
on the same DNS appliance. This provides only limited security: anyone who compromises the host
can copy the keys and sign forged records for the zone. The only way to properly secure the private
keys is to store them in a Hardware Security Module (HSM).
Note: Throughout this guide, the term HSM refers to nShield Solo modules and nShield Connect
products.
Because the keys never leave the HSM, they are never exposed on the host computer and therefore
cannot be copied by an attacker who compromises it (such an attacker can still request signatures
for as long as they control the host, which is why key usage should be audited). Also, the HSM is
highly resistant to physical tampering.

Product configurations
We have successfully tested the integration of the Thales nShield HSM with the BIND DNS server and
OpenSSL in the following configurations:

Operating System                           ISC BIND version   Thales version   PCI/PCIe support   nShield Connect support
SUSE Linux Enterprise Server 11 (64-bit)   9.9.3-P2           v11.61           Yes                Yes
Red Hat Enterprise Linux 6 (64-bit)        9.9.2-P2           v11.61           Yes                Yes
Red Hat Enterprise Linux 5 (64-bit)        9.8.0-P4           v11.50, v11.40   Yes                Yes
Red Hat Enterprise Linux 5 (32-bit)        9.8.0-P4           v11.50, v11.40   Yes                Yes
Solaris 10 SPARC                           9.8.0-P4           v11.50           Yes                Yes
Solaris 10 x86                             9.8.0-P4           v11.50, v11.40   Yes                Yes
Red Hat Enterprise Linux 5 (64-bit)        9.8.0-P2           v11.50           Yes                Yes
Red Hat Enterprise Linux 5 (32-bit)        9.8.0-P2           v11.50           Yes                Yes
Solaris 10 SPARC                           9.8.0-P2           v11.50, v11.40   Yes                Yes
Solaris 10 x86                             9.8.0-P2           v11.50, v11.40   Yes                Yes
Red Hat Enterprise Linux 5 (64-bit)        9.7.3              v11.50, v11.40   Yes                Yes
Red Hat Enterprise Linux 5 (32-bit)        9.7.3              v11.50, v11.40   Yes                Yes
Solaris 10 SPARC                           9.7.3              v11.50           Yes                Yes

Note: Throughout this guide ISC BIND is referred to as BIND.

Supported Thales functionality

Key Generation             Yes
Key Management             Yes
Key Import
Key Recovery               Yes

1-of-N Operator Card Set   Yes
K-of-N Operator Card Set   Yes
Softcards                  Yes
Module-only Key            Yes

Strict FIPS Support        Yes
Load Sharing               Yes
Fail Over                  Yes

Requirements
Before you begin the integration process:
- Read the Quick Start Guide or User Guide for your HSM.
- Read the relevant DNSSEC documentation. We recommend the ISC BIND Administrators Reference
  Manual (available online) and DNS and BIND (by Liu, C. and Albitz, P.; published by O'Reilly
  Media; 5th edition, 2006).

You also need to consider the following aspects of HSM administration:
- The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the
  policy for managing these cards.
- The kind of key protection to be used and, if relevant, the number and quorum of Operator Cards
  in the OCS, and the policy for managing these cards.
- Whether the security world must be compliant with FIPS 140-2 level 3.
- Key attributes such as the key size, persistence, and time-out.
- Whether there is any need for auditing key usage.
We recommend that you back up your security world whenever you create a new key. This is good
practice in all situations.

This guide
This guide describes how to store private DNSSEC keys within Thales nShield HSMs, and how to
integrate these HSMs with the Internet Systems Consortium (ISC) BIND DNS server and OpenSSL.
This guide does not give a detailed explanation of the protocol, but does provide references to
sources that give a more in-depth explanation of DNSSEC and BIND.

More information
- For more information about HSMs, see the User Guide for the HSM.
- Additional documentation produced to support your Thales HSM product is in the document
  directory of the CD-ROM or DVD-ROM for that product.
- For more information about OS support, contact your sales representative or Thales Support.
- For more information about contacting Thales, see Internet addresses on page 21.

Chapter 2: Procedures
Integration procedures include:
- Installing the HSM
- Installing the Security World Software and configuring the security world
- Installing and configuring OpenSSL and BIND
- Signing a zone using the HSM

This chapter describes these procedures.

Installing the HSM

Install the HSM by following the instructions in the Quick Start Guide or Hardware Installation Guide
for the HSM.
We recommend that you install the HSM before configuring the Security World Software for use with
BIND.

Installing the software

Note: We recommend that you uninstall any existing Thales software before installing the new
software.
To install the Thales software and create the security world:
1. Install the latest version of the Security World Software with the PKCS #11 components selected,
as described in the User Guide for the HSM.
2. Export the PATH environment variable to point to the /opt/nfast/bin directory:

# export PATH=/opt/nfast/bin:$PATH

3. Create a security world if there is not already one present. For more information, see the User
Guide. To verify that a security world exists, run the following command:

# nfkmcheck

4. Open the file named cknfastrc in the directory where the Thales software is installed. The
default directory is /opt/nfast, so the file is normally /opt/nfast/cknfastrc.
Note: You may need to create the cknfastrc file if it does not exist.
- If you are using OCS protection, add the following environment variables:

CKNFAST_NO_ACCELERATOR_SLOTS=1
CKNFAST_USE_THREAD_UPCALLS=1

Create the OCS as described in the User Guide for the HSM. Ensure that your OCS pass
phrase has a minimum of eight alphanumeric characters.
- If you are using softcard protection, add the following environment variables:

CKNFAST_NO_ACCELERATOR_SLOTS=1
CKNFAST_LOADSHARING=1
CKNFAST_CARDSET_HASH=<softcard_hash>
CKNFAST_USE_THREAD_UPCALLS=1

Create the softcard as described in the User Guide for the HSM, then run the utility ppmk --list
and use the hash it shows for the softcard that you want to use as the value of
CKNFAST_CARDSET_HASH. Ensure that your softcard pass phrase has a minimum of eight
alphanumeric characters.
- If you are using module-only protection, add the following environment variables:

CKNFAST_FAKE_ACCELERATOR_LOGIN=1
CKNFAST_USE_THREAD_UPCALLS=1

Note: Module-only keys require no pass phrase, so any process on the host that can reach the
hardserver can sign with them. Prefer OCS or softcard protection for production zones.
5. Export the LD_LIBRARY_PATH environment variable to point to the Thales PKCS #11 library, by
running the following command:

# export LD_LIBRARY_PATH=/opt/nfast/toolkits/pkcs11/:$LD_LIBRARY_PATH

Installing and configuring OpenSSL and BIND

1. Download and unpack openssl-0.9.8x.tar.gz from http://www.openssl.org/source/
2. Download and unpack bind-9.9.3-P2.tar.gz from http://www.isc.org/software/downloads
Note: In the following example, OpenSSL and BIND are unpacked in the /opt/ directory. If you unpack
OpenSSL and BIND in a different directory, adjust the steps as necessary.
Note: These are the versions this guide was tested with, and both are now out of support. The ISC
patch applied below exists only for the OpenSSL releases it was written for, and later BIND releases
changed how PKCS #11 is integrated; check the release notes of the BIND version you deploy before
following this procedure.

To configure OpenSSL:
1. Patch the OpenSSL source for PKCS #11 support by running the following commands:

# cd /opt/openssl-0.9.8x
# patch -p1 < /opt/bind-9.9.3-P2/bin/pkcs11/openssl-0.9.8x-patch

2. For Solaris 10 SPARC, export the following PATH environment variable:

# export PATH=/usr/ccs/bin:/usr/local/ssl:/usr/local/ssl/bin:/usr/sfw/bin:/usr/local/bin:$PATH

3. Configure OpenSSL to build correctly by running the following commands:

# ./Configure linux-generic64 -m64 -pthread --pk11-libname=/opt/nfast/toolkits/pkcs11/libcknfast.so --pk11-flavor=crypto-accelerator --prefix=/opt/openssl-pkcs11
# make
# make install

Note: The pk11 options are only available after installing the patch in step 1.
In the above configure command:
- --pk11-libname must point to the Thales PKCS #11 library.
- --pk11-flavor must be set to crypto-accelerator.
- --prefix is the location where you want to install this version of OpenSSL.

Note: If you are using Solaris 10 SPARC, replace linux-generic64 -m64 with solaris64-sparcv9-gcc.
If you are using a 32-bit architecture, replace both instances of 64 with 32.

To configure and verify BIND:

1. Set the EXT_CFLAGS environment variable by running the following command:

# export EXT_CFLAGS=-pthread

2. Configure BIND with PKCS #11 support by running the following commands:

# cd /opt/bind-9.9.3-P2
# ./configure CC="gcc -m64" --enable-threads --with-openssl=/opt/openssl-pkcs11/ --with-pkcs11=/opt/nfast/toolkits/pkcs11/libcknfast.so
# make
# make install

In the configure command:
- --with-openssl must point to the OpenSSL installation directory given as --prefix in To
  configure OpenSSL above (page 7).
- --with-pkcs11 must point to the Thales PKCS #11 library, which lives in the directory named by
  the LD_LIBRARY_PATH environment variable set in Installing the software on page 6.

Note: If you are using a 32-bit architecture, replace 64 with 32.

3. To verify the installation, export the installed OpenSSL path and confirm that OpenSSL is
configured with PKCS #11 support:

# export PATH=/opt/openssl-pkcs11/bin/:$PATH
# openssl engine pkcs11 -t

The output should be as follows:

(pkcs11) PKCS #11 engine support (crypto accelerator)
     [ available ]

Signing a zone using the HSM

This section creates an example zone file to demonstrate static zone signing using the HSM. Dynamic
zone updates are signed automatically by named when the zone is configured for dynamic DNSSEC;
that configuration is not covered here.
Note: This guide uses the default BIND working directory /var/named/chroot/var/named for the zone
and key files. This path may vary for different machine configurations.

Creating an example zone file


1. Navigate to the working directory:

# cd /var/named/chroot/var/named

2. Create an example zone file called master.thales-bindtest.org using the following as an
example:

; Example zone fragment for thales-bindtest.org
$TTL 2d                       ; default TTL is 2 days
$ORIGIN thales-bindtest.org.
@       IN  SOA  dc1.thales-bindtest.org. admin.thales-bindtest.org. (
                 1            ; serial number
                 1M           ; refresh = 1 minute
                 15M          ; update retry = 15 minutes
                 3W12h        ; expiry = 3 weeks + 12 hours
                 2h20M        ; minimum = 2 hours + 20 minutes
                 )
; Main domain name servers
        IN  NS   dc1.thales-bindtest.org.
; A records for name servers above
dc1     IN  A    10.88.162.45

3. Edit the /etc/named.conf file. Ensure that the directory option in /etc/named.conf points to
the /var/named/chroot/var/named directory, then add the zone information as follows:

zone "thales-bindtest.org" in {
type master;
file "master.thales-bindtest.org";
};

4. Verify the named.conf file and the zone file:

# named-checkconf /etc/named.conf
# named-checkzone thales-bindtest.org master.thales-bindtest.org

5. Verify the BIND version:

# named -v

This should display the version:

BIND 9.9.3-P2 (Extended Support Version)

6. Restart BIND:

# service named stop
# named

Note: The procedure for restarting BIND might vary for different machine configurations. This
procedure is given as an example.
7. Verify that BIND has successfully restarted:

# rndc status

Ensure that the output of rndc status displays the BIND version of 9.9.3-P2.
For more information on the rndc utility and BIND, see the ISC BIND Administrators Reference
Manual.
8. Use the DNS look-up utility dig to confirm that the zone is not yet signed: with +dnssec set, an
unsigned zone returns no Resource Record Signature (RRSIG) records in the query response:

# dig +dnssec +multiline dc1.thales-bindtest.org @<IP address>

For example:

; <<>> DiG 9.9.3-P2 <<>> +dnssec +multiline dc1.thales-bindtest.org @10.88.162.45
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63737
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dc1.thales-bindtest.org. IN A
;; ANSWER SECTION:
dc1.thales-bindtest.org. 172800 IN A 10.88.162.45
;; AUTHORITY SECTION:
thales-bindtest.org.     172800 IN NS dc1.thales-bindtest.org.
;; Query time: 22 msec
;; SERVER: 10.88.162.45#53(10.88.162.45)
;; WHEN: Wed Oct 16 14:42:29 IST 2013
;; MSG SIZE rcvd: 82

Note: The ra (recursion available) flag in this answer shows that named is also offering recursion.
An authoritative server that is reachable from the Internet should carry recursion no; in its options
section so that it cannot be used for reflection and amplification attacks.

Generating the Key Signing Key (KSK) and Zone Signing Key (ZSK)
This section describes how to create the KSK and ZSK. The BIND tool pkcs11-keygen generates the
key pair in the security world; the private key never leaves the HSM. The tool dnssec-keyfromlabel
then creates two key files that refer to that key by its PKCS #11 label. The .private file records the
engine and the label rather than any key material. The key files have the following format:
- K<domainname>.+<algorithm_id>+<key_id>.key
- K<domainname>.+<algorithm_id>+<key_id>.private
For example, Kthales-bindtest.org.+005+19120.key, where 005 is the DNSSEC algorithm number and
19120 is the key tag, the same number that appears in every RRSIG made with that key.
This example uses the default algorithm of RSASHA1 (algorithm 5) with 2048 bits for the KSK and
ZSK. RSASHA1 is no longer recommended for new signing (RFC 8624); to publish the same RSA key
pair as RSASHA256 (algorithm 8) instead, pass -a RSASHA256 to dnssec-keyfromlabel.
Note: If you are in a Strict FIPS security world, you must provide your OCS or ACS for Strict FIPS
authentication before you run the BIND commands described in the following sections. We
recommend that you use your OCS rather than your ACS for security reasons.
If you have a K-of-N card set with K greater than 1, you must include the preload command
specifying the card set name in each of the BIND commands in the following steps, and use
761406613 as the slot ID where a slot ID is required.

Generating the KSK


To generate the KSK:
1. Navigate to the working directory which contains the zone file:

# cd /var/named/chroot/var/named

2. To generate the KSK:
- With 1-of-N OCS protection:

# pkcs11-keygen -b 2048 -l thales-bindtest-KSK -s 492971158

- With K-of-N OCS protection:

# preload --module=<module_number> --cardset-name=<cardset_name> pkcs11-keygen -b 2048 -l thales-bindtest-KSK -s 761406613

- With softcard protection:

# ppmk --preload <softcard_name> pkcs11-keygen -b 2048 -l thales-bindtest-KSK -s 761406613

Note: ppmk --preload <softcard_name> is required if you are in a Strict FIPS security world
with more than one module. To find the softcard name run the ppmk --list command.
- With module protection:

# pkcs11-keygen -b 2048 -l thales-bindtest-KSK -s 492971157

3. When prompted, enter your pass phrase. For module protection, press Return.
A PKCS #11 key is created in the security world and located in the /opt/nfast/kmdata/local
directory.
4. Generate the public and private key files by running the following command. This uses the label
of the key pair stored in the HSM, and constructs a DNS key pair for use by named and
dnssec-signzone. The key files are created in the current working directory.
- For 1-of-N OCS, softcard, and module protection:

# dnssec-keyfromlabel -l thales-bindtest-KSK -f KSK thales-bindtest.org

- For K-of-N OCS protection:

# preload --module=<module_number> --cardset-name=<cardset_name> dnssec-keyfromlabel -l thales-bindtest-KSK -f KSK thales-bindtest.org

When prompted, enter your pass phrase. For module protection, press Return.
The -f KSK option sets the Secure Entry Point (SEP) bit in the DNSKEY flags, which is required when
building a chain of trust.
Note: This guide does not describe the procedure to build a chain of trust. For more
information, see the ISC BIND Administrators Reference Manual.
5. To verify key generation:
- With 1-of-N OCS protected keys:

# pkcs11-list -s 492971158

- With K-of-N OCS protected keys:

# preload --module=<module_number> --cardset-name=<cardset_name> pkcs11-list -s 761406613

- With softcard protected keys:

# pkcs11-list -s 761406613

- With module protected keys:

# pkcs11-list -s 492971157

6. When prompted, enter your pass phrase. For module protection, press Return. The key object
output should include the following two thales-bindtest-KSK entries (class 3 is the PKCS #11
private key object, CKO_PRIVATE_KEY; class 2 is the public key object, CKO_PUBLIC_KEY):

object[0]: handle 1118 class 3 label[19] 'thales-bindtest-KSK' id[0]
object[1]: handle 1119 class 2 label[19] 'thales-bindtest-KSK' id[0]

Generating the ZSK


1. To generate the ZSK:
- With 1-of-N OCS protection:

# pkcs11-keygen -b 2048 -l thales-bindtest-ZSK -s 492971158

- With K-of-N OCS protection:

# preload --module=<module_number> --cardset-name=<cardset_name> pkcs11-keygen -b 2048 -l thales-bindtest-ZSK -s 761406613

- With softcard protection:

# ppmk --preload <softcard_name> pkcs11-keygen -b 2048 -l thales-bindtest-ZSK -s 761406613

Note: ppmk --preload <softcard_name> is required if you are in a Strict FIPS security world
with more than one module. To find the softcard name run the ppmk --list command.
- With module protection:

# pkcs11-keygen -b 2048 -l thales-bindtest-ZSK -s 492971157

2. When prompted, enter your pass phrase. For module protection, press Return.
A PKCS #11 key is created in the security world and located in the /opt/nfast/kmdata/local
directory.
3. Generate the public and private key files by running the following command. This uses the label
of the key pair stored in the HSM, and constructs a DNS key pair for use by named and
dnssec-signzone. The key files are created in the current working directory.
- For 1-of-N OCS, softcard, and module protection:

# dnssec-keyfromlabel -l thales-bindtest-ZSK thales-bindtest.org

- For K-of-N OCS protection:

# preload --module=<module_number> --cardset-name=<cardset_name> dnssec-keyfromlabel -l thales-bindtest-ZSK thales-bindtest.org

4. When prompted, enter your pass phrase. For module protection, press Return.
5. To verify key generation:
- With 1-of-N OCS protected keys:

# pkcs11-list -s 492971158

- With K-of-N OCS protected keys:

# preload --module=<module_number> --cardset-name=<cardset_name> pkcs11-list -s 761406613

- With softcard protected keys:

# pkcs11-list -s 761406613

- With module protected keys:

# pkcs11-list -s 492971157

6. When prompted, enter your pass phrase. For module protection, press Return. The key object
output should include the following two thales-bindtest-ZSK entries:

object[2]: handle 1120 class 3 label[19] 'thales-bindtest-ZSK' id[0]
object[3]: handle 1121 class 2 label[19] 'thales-bindtest-ZSK' id[0]

Signing the zone

Use the keys that you have generated to sign the zone. In this example, the keys are in the working
directory with the example zone file. The Smart Signing option (-S) is used: dnssec-signzone looks in
the key directory for key files whose name matches the zone, adds the DNSKEY records itself, signs
the DNSKEY RRset with the KSK (the key carrying the SEP bit set by -f KSK) and everything else with
the ZSK. This removes the need to $INCLUDE key records in the zone file or to name the keys on the
command line. The -n1 option runs the signing in a single thread.
1. To sign the zone:
- For 1-of-N OCS, softcard, and module protection:

# dnssec-signzone -n1 -S -o thales-bindtest.org master.thales-bindtest.org

- For K-of-N OCS protection:

# preload --module=<module_number> --cardset-name=<cardset_name> dnssec-signzone -n1 -S -o thales-bindtest.org master.thales-bindtest.org

2. When prompted, enter your pass phrase. For module protection, press Return.
A signed zone file, master.thales-bindtest.org.signed, is created in the working directory.
3. Edit the /etc/named.conf file so that the zone points at the signed zone file instead of the
unsigned one:

zone "thales-bindtest.org" in {
type master;
file "master.thales-bindtest.org.signed";
};

4. In the options section of the file, add the following to enable DNSSEC:

dnssec-enable yes;

5. Restart BIND:

# rndc stop
# named

Note: Unless you set -s and -e, the RRSIGs that dnssec-signzone writes are valid for 30 days from the
time of signing (the inception and expiration times in the dig output under Verifying DNSSEC show
this window). The zone must be re-signed before the signatures expire, or validating resolvers will
reject it; dnssec-signzone keeps the SOA serial unchanged by default, so pass -N increment or bump
the serial yourself when you re-sign. This guide does not cover the procedure for automatic zone
signing or automatic key rollover. For more information, see the ISC BIND Administrators Reference
Manual.
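The slot ID, the cknfastrc variables and the preload or ppmk wrapper all change together with the key-protection mode chosen in Installing the software, and that same choice is repeated in every pkcs11-keygen, dnssec-keyfromlabel and dnssec-signzone call in Generating the KSK, Generating the ZSK and Signing the zone. The following script, added here as an example and not part of the Thales guide, keeps those three decisions in one place and builds the KSK, ZSK and zone-signing command lines from them. The slot IDs, environment variables and tool options are those the guide lists; the mode names (ocs1, ocsk, softcard, module), the function names and the DNSSEC_HSM_DEMO variable are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Thales guide. Everything that depends on the
# nShield key-protection mode (cknfastrc variables, PKCS #11 slot ID, preload /
# ppmk wrapper) lives here, and dnssec_hsm_cmds builds the KSK, ZSK and signing
# command lines from it. Mode names and function names are this example's own;
# slot IDs, variables and tool options are the ones the guide lists.

# cknfastrc lines for MODE: ocs1 (1-of-N OCS), ocsk (K-of-N OCS),
# softcard (pass the hash from "ppmk --list" as $2) or module.
cknfastrc_for() {
    case "$1" in
        ocs1|ocsk)
            printf '%s\n' CKNFAST_NO_ACCELERATOR_SLOTS=1 CKNFAST_USE_THREAD_UPCALLS=1 ;;
        softcard)
            printf '%s\n' CKNFAST_NO_ACCELERATOR_SLOTS=1 CKNFAST_LOADSHARING=1 \
                "CKNFAST_CARDSET_HASH=${2:?softcard hash required}" \
                CKNFAST_USE_THREAD_UPCALLS=1 ;;
        module)
            # Module-only keys need no pass phrase: any process that can reach
            # the hardserver can sign with them. Prefer OCS or softcard.
            printf '%s\n' CKNFAST_FAKE_ACCELERATOR_LOGIN=1 CKNFAST_USE_THREAD_UPCALLS=1 ;;
        *)  echo "unknown protection mode: $1" >&2; return 1 ;;
    esac
}

# Slot ID for the -s option. The wrong value gives
# "C_OpenSession: Error = 0x00000003" (CKR_SLOT_ID_INVALID).
slot_for() {
    case "$1" in
        ocs1)          echo 492971158 ;;
        ocsk|softcard) echo 761406613 ;;
        module)        echo 492971157 ;;
        *)  echo "unknown protection mode: $1" >&2; return 1 ;;
    esac
}

# Wrapper that must precede a BIND tool. K-of-N OCS: every tool runs under
# preload. Softcard: only pkcs11-keygen is wrapped in "ppmk --preload" (needed
# in a Strict FIPS world with more than one module). $2 = module number,
# $3 = card set or softcard name, $4 = tool name.
wrapper_for() {
    case "$1:$4" in
        ocsk:*)                 echo "preload --module=$2 --cardset-name=$3" ;;
        softcard:pkcs11-keygen) echo "ppmk --preload $3" ;;
        *)                      echo "" ;;
    esac
}

# Print the command lines for one step.
# Usage: dnssec_hsm_cmds MODE MODULE NAME ZONE LABEL_PREFIX KSK|ZSK|sign
dnssec_hsm_cmds() {
    mode=$1 module=$2 name=$3 zone=$4 label=$5 what=$6
    slot=$(slot_for "$mode") || return 1
    case "$what" in
        KSK|ZSK)
            # -f KSK sets the SEP bit; only the KSK gets it.
            if [ "$what" = KSK ]; then flag=" -f KSK"; else flag=""; fi
            w=$(wrapper_for "$mode" "$module" "$name" pkcs11-keygen)
            echo "${w:+$w }pkcs11-keygen -b 2048 -l $label-$what -s $slot"
            w=$(wrapper_for "$mode" "$module" "$name" dnssec-keyfromlabel)
            echo "${w:+$w }dnssec-keyfromlabel -l $label-$what$flag $zone" ;;
        sign)
            # -S: smart signing picks up the K<zone>.+*.key files in the
            # working directory; -n1: single signing thread.
            w=$(wrapper_for "$mode" "$module" "$name" dnssec-signzone)
            echo "${w:+$w }dnssec-signzone -n1 -S -o $zone master.$zone" ;;
        *)  echo "unknown step: $what" >&2; return 1 ;;
    esac
}

# Stand-alone run: show the full sequence for every mode without touching an
# HSM. On the real server, execute one printed line at a time with eval.
if [ "${DNSSEC_HSM_DEMO:-1}" = 1 ]; then
    for m in ocs1 ocsk softcard module; do
        echo "# --- $m protection ---"
        for step in KSK ZSK sign; do
            dnssec_hsm_cmds "$m" 1 thales-cardset thales-bindtest.org thales-bindtest "$step"
        done
    done
fi
```

The script only prints command lines, so it can be reviewed on a workstation before anything is typed on the signing host; the softcard wrapper is emitted unconditionally for pkcs11-keygen, so drop it from the printed line if the security world is not Strict FIPS with more than one module.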

Verifying DNSSEC
Use the DNS look-up utility dig to verify DNSSEC:

# dig +dnssec +multiline dc1.thales-bindtest.org @<IP address>

The output should include RRSIG records in the query response. In each RRSIG the fields after the
type covered are the algorithm number (5 = RSASHA1), the number of labels in the owner name, the
original TTL, the signature expiration and inception times (YYYYMMDDHHMMSS, UTC), the key tag
and the signer name. The key tag must match the <key_id> in the name of the ZSK key file written by
dnssec-keyfromlabel. Note that dig only shows that the server is serving signatures; it does not
check them. To verify the signatures against the DNSKEY records in the signed zone file, run
dnssec-verify -o thales-bindtest.org master.thales-bindtest.org.signed. Example dig output:

; <<>> DiG 9.9.3-P2 <<>> +dnssec +multiline dc1.thales-bindtest.org @10.88.162.45
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dc1.thales-bindtest.org. IN A
;; ANSWER SECTION:
dc1.thales-bindtest.org. 172800 IN A 10.88.162.45
dc1.thales-bindtest.org. 172800 IN RRSIG A 5 3 172800 (
                                20131115082223 20131016082223 19120
                                thales-bindtest.org.
                                gLOew0clW3FuX3XY4wL5NocU7kABllFOtrU9E5prt1i2
                                lhfye/diA4wiwX5vmKsEys1NMWxazG22oXtvErOl+KqC
                                gMO0tVLI9hI5MRRLpwjVOwoC+O9KEqY13lcpctiArVMZ
                                d5040RnLhm2/xlYWEIOUr9vTHIJB3nOdiZdtRqfxANN3
                                XdG7/W3ieHTw9YmYLL9eSOVB7Vxc60cRcc07vTpgByDd
                                1nEYWpDgSJBx1TTNrn6kfHFFNG9w12lM8D4OlKGgNRP3
                                FEALVKp9UmvoU5NfXDh4vOPflqCQGnZOgwKA77P9EFfa
                                jyVD1lnPsvhTvwBgXgjhtYF8SNIn3IRjYw== )
;; AUTHORITY SECTION:
thales-bindtest.org.     172800 IN NS dc1.thales-bindtest.org.
thales-bindtest.org.     172800 IN RRSIG NS 5 2 172800 (
                                20131115082223 20131016082223 19120
                                thales-bindtest.org.
                                S+zWGr7tA4ncJNw9J/Y3GyJfBaGT2m3ssrBX+x9b6l/5
                                O5Oxq7xXuJfqovfgDL1ZaRsvSCbPt1cQYZbVgw+mlLWo
                                gQOpRuiCGHI/Cay+0ogBR76axezwYJT0Zttk9BwABP4x
                                6ecqKuyWSBD43vVFATmy9cDYTgIz8JPlRTar6VuWisWl
                                BqaEtBwrHC+5InBW4iJ9pCOfxYgjQ7X0ldmrKuqn6zAk
                                VkGGm8t2WCv2vdTqUYFrHZrpHeoqHZSXO3g+9u3/OPOL
                                HnNtXnMIEKj19XUzyzPAHvwB545KMs+hl5099GwAsoZB
                                DmhIzkEMq5CAoA6LUodyUsh2QSQfuWkY2Q== )
;; Query time: 0 msec
;; SERVER: 10.88.162.45#53(10.88.162.45)
;; WHEN: Wed Oct 16 14:55:45 IST 2013
;; MSG SIZE rcvd: 696
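Reading the RRSIG fields by eye is where the verification step usually stops, but the expiration and inception times are the part that bites later, when the 30-day window closes and the zone goes bogus. The following script, added here as an example and not part of the Thales guide, parses the RRSIG records out of dig +dnssec +multiline output and reports, for each one, whether the supplied time falls inside its validity window and whether it uses an algorithm that is still recommended for signing. The sample input is the answer shown above, trimmed and embedded as constructed test data; the function names and the NOW argument (YYYYMMDDHHMMSS in UTC, the form dig prints) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Thales guide: parse the RRSIG records out of
# "dig +dnssec +multiline" output and check each signature's validity window
# and algorithm. SAMPLE_DIG is the answer shown above, trimmed and embedded
# here as test data; the function names and the NOW argument (YYYYMMDDHHMMSS
# in UTC, the format dig prints) are this example's own.

SAMPLE_DIG='
;; ANSWER SECTION:
dc1.thales-bindtest.org. 172800 IN A 10.88.162.45
dc1.thales-bindtest.org. 172800 IN RRSIG A 5 3 172800 (
                                20131115082223 20131016082223 19120
                                thales-bindtest.org.
                                gLOew0clW3FuX3XY4wL5NocU7kABllFOtrU9E5prt1i2
                                jyVD1lnPsvhTvwBgXgjhtYF8SNIn3IRjYw== )
;; AUTHORITY SECTION:
thales-bindtest.org.    172800 IN NS dc1.thales-bindtest.org.
thales-bindtest.org.    172800 IN RRSIG NS 5 2 172800 (
                                20131115082223 20131016082223 19120
                                thales-bindtest.org.
                                S+zWGr7tA4ncJNw9J/Y3GyJfBaGT2m3ssrBX+x9b6l/5
                                DmhIzkEMq5CAoA6LUodyUsh2QSQfuWkY2Q== )
'

# stdin: dig output. stdout: one line per RRSIG:
#   owner type algorithm labels expiration inception keytag signer
# In +multiline form the RRSIG line ends in "(", the next line carries
# expiration, inception and key tag, and the line after that the signer.
rrsigs() {
    awk '
        $4 == "RRSIG" && $NF == "(" { owner=$1; type=$5; alg=$6; labels=$7; want=1; next }
        want == 1 { expd=$1; incd=$2; tag=$3; want=2; next }
        want == 2 { print owner, type, alg, labels, expd, incd, tag, $1; want=0 }
    '
}

# stdin: dig output. $1: NOW as YYYYMMDDHHMMSS. Prints a verdict per RRSIG
# and returns 0 only when at least one RRSIG exists and every one is inside
# its inception..expiration window. Algorithm 5/7 (RSASHA1) is reported as a
# warning because RFC 8624 no longer recommends it for signing.
check_rrsigs() {
    rrsigs | awk -v now="$1" '
        {
            owner=$1; type=$2; alg=$3; expd=$5; incd=$6; tag=$7; n++
            if (now < incd)       { print "NOT YET VALID", owner, type, "tag", tag; bad++ }
            else if (now >= expd) { print "EXPIRED", owner, type, "tag", tag; bad++ }
            else                  { print "OK", owner, type, "tag", tag, "expires", expd }
            if (alg == 5 || alg == 7)
                print "WARN", owner, type, "uses algorithm", alg, "(RSASHA1, not recommended for signing)"
        }
        END {
            if (n == 0) { print "NO RRSIG RECORDS: zone not signed, or +dnssec not set"; exit 1 }
            exit (bad > 0)
        }
    '
}

# Stand-alone run against the sample at a time inside the window. On a live
# server: dig +dnssec +multiline dc1.thales-bindtest.org @10.88.162.45 \
#            | check_rrsigs "$(date -u +%Y%m%d%H%M%S)"
printf '%s\n' "$SAMPLE_DIG" | check_rrsigs 20131101000000
```

The comparison works on the raw 14-digit timestamps, which sort correctly as numbers, so no date arithmetic is needed; a cron job that runs the live pipeline and alerts on a non-zero exit catches an expiring zone well before resolvers do.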

Chapter 3: Troubleshooting
The following table lists error messages that might be displayed during the procedures described in
this guide. The hexadecimal values are standard PKCS #11 return codes; the usual name is given in
parentheses.

Error message: C_OpenSession: Error = 0x00000003 (CKR_SLOT_ID_INVALID)
Cause: Wrong slot ID specified, or OCS not in slot.
Resolution: Ensure the correct slot ID is specified. For OCS protection: 1-of-N: -s 492971158;
K-of-N: -s 761406613. For softcard protection use -s 761406613. For module protection use
-s 492971157. Ensure the OCS is inserted correctly in the card reader.

Error message: C_OpenSession: Error = 0x000000E1 (CKR_TOKEN_NOT_RECOGNIZED)
Cause: Token not recognized.
Resolution: Incorrect card inserted into the slot. Ensure that the correct OCS from the security
world is inserted correctly in the card reader.

Error message: Login: Error = 0x000000A0 (CKR_PIN_INCORRECT)
Cause: Incorrect PIN, or environment variables not set.
Resolution: Ensure the correct PIN is entered when requested. Ensure the correct environment
variables are set (see Installing the software on page 7).

Error message: C_Initialize: Error = 0x00000006 (CKR_FUNCTION_FAILED)
Cause: Security world unusable, or environment variables not set.
Resolution: Ensure a usable security world is in place and the module is in Operational mode.
Ensure the correct environment variables are set (see Installing the software on page 7). Ensure
the hardserver is running.

Error message: C_GenerateKeyPair: Error = 0x800000E0 (vendor-defined)
Cause: FIPS authentication required.
Resolution: If in a Strict FIPS security world, ensure that an OCS/ACS is inserted into the module
slot for FIPS authentication.

Error message: dnssec-signzone: fatal: No signing keys specified or found
Cause: No KSK or ZSK in the working directory.
Resolution: Generate the KSK and ZSK as described in Generating the Key Signing Key (KSK) and
Zone Signing Key (ZSK) on page 12, and attempt to re-sign the zone.

Error message: dnssec-signzone: fatal: could not initialize dst: no engine
Cause: Security world is unusable.
Resolution: Ensure a usable security world is in place and the module is in Operational mode.
Ensure the hardserver is running. Ensure PKCS #11 engine support is available by running:
# openssl engine pkcs11 -t

Error message:
dnssec-signzone: warning: dns_dnssec_findmatchingkeys: error reading key file Kthales-bindtest.org.+005+59653.private: not found
dnssec-signzone: warning: dns_dnssec_findmatchingkeys: error reading key file Kthales-bindtest.org.+005+55268.private: not found
dnssec-signzone: fatal: No signing keys specified or found.
Cause: Certain versions of BIND (at least up to 0.9.8) occasionally make an erroneous call to destroy
the PKCS #11 private key object after signing a zone. Destroying the private key makes it
permanently unavailable for use, and all subsequent attempts to sign will fail.
Resolution: This is a problem in BIND, not the Thales Support Software, so a full resolution must
wait for a new version of BIND with the issue addressed. In the meantime, the following procedure
is recommended:
1. The security world should always be backed up when a new key is created. This is good practice
in all situations, not just with this issue. To back up the security world, make a copy of
/opt/nfast/kmdata/local.
2. If the issue occurs, run pkcs11-list -s <slot_number>, which will indicate that the most recently
generated key object is missing.
3. Restore the security world from backup. Either the single key file identified by pkcs11-list or the
entire /opt/nfast/kmdata/local may be restored.
4. Run pkcs11-list again, which should display an extra key object.
5. Attempt to sign the zone.

Internet addresses
Web site:

http://www.thales-esecurity.com/

Support:

http://www.thales-esecurity.com/support-landing-page

Online documentation:

http://www.thales-esecurity.com/knowledge-base

International sales offices:

http://www.thales-esecurity.com/contact

Addresses and contact information for the main Thales e-Security sales offices are provided at the
bottom of the following page.


About Thales e-Security


Thales e-Security is a leading global provider of data encryption and cyber security
solutions to the financial services, high technology manufacturing, government
and technology sectors. With a 40-year track record of protecting corporate and
government information, Thales solutions are used by four of the five largest
energy and aerospace companies, 22 NATO countries, and they secure more than
80 percent of worldwide payment transactions. Thales e-Security has offices in
Australia, France, Hong Kong, Norway, United Kingdom and United States.
For more information, visit www.thales-esecurity.com
