Thales e-Security
ISCBIND DNSSEC
Integration Guide
Version: 2.0
Date: 03 July 2014
Copyright 2014 Thales UK Limited. All rights reserved.
Copyright in this document is the property of Thales UK Limited. It is not to be reproduced, modified,
adapted, published, translated in any material form (including storage in any medium by electronic
means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party
without the prior written permission of Thales UK Limited neither shall it be used otherwise than for the
purpose for which it is supplied.
Words and logos marked with or are trademarks of Thales UK Limited or its affiliates in the EU
and other countries.
Information in this document is subject to change without notice.
Thales UK Limited makes no warranty of any kind with regard to this information, including, but not
limited to, the implied warranties of merchantability and fitness for a particular purpose. Thales UK
Limited shall not be liable for errors contained herein or for incidental or consequential damages
concerned with the furnishing, performance or use of this material.
Contents
Chapter 1: Introduction
    Product configurations
    Requirements
    This guide
    More information
Chapter 2: Procedures
    To configure OpenSSL:
    Generating the Key Signing Key (KSK) and Zone Signing Key (ZSK)
    Verifying DNSSEC
Chapter 3: Troubleshooting
Internet addresses
Chapter 1: Introduction
The Domain Name Service (DNS) is the backbone of the Internet. It is a global address book for
computers, and resolves Website addresses to specific IP addresses, enabling computers across the
Internet to exchange information, such as Web pages and files.
However, DNS is vulnerable to attack. For example, an attacker can interfere with DNS responses,
redirecting data to their own computers for malicious gain. The Domain Name Service Security
Extension (DNSSEC) is an extension to DNS that addresses this problem. DNSSEC uses Public Key
Infrastructure (PKI) techniques to validate the DNS lookup response and so maintain the integrity of
the DNS address book.
For DNSSEC to function properly, it is essential that private keys, the Zone Signing Key and Key
Signing Key, are protected. Typically, the DNS server stores these keys in software within the same
DNS appliance. However, this provides only limited security. The only way to properly secure the
private keys is to store them in a Hardware Security Module (HSM).
Note: Throughout this guide, the term HSM refers to nShield Solo modules and nShield Connect
products.
Because the keys never leave the HSM, they are never exposed on the host computer and therefore
not potentially available to an attacker. Also, the HSM is highly resistant to physical tampering.
Product configurations
We have successfully tested the integration of the Thales nShield HSM with the BIND DNS server and
OpenSSL in the following configurations:
[Configuration table: columns are Operating System, ISC BIND version, Thales version, PCI/PCIe support and nShield Connect support. The row layout did not survive extraction; the values that remain are: operating system Solaris 10 x86 (other operating-system entries are missing); ISC BIND versions 9.8.0-P4, 9.8.0-P2 and 9.7.3; Thales versions v11.61, v11.50 and v11.40; and PCI/PCIe support and nShield Connect support listed as Yes for every tested configuration.]
Requirements
Before you begin the integration process:
- Read the Quick Start Guide or User Guide for your HSM.
- Read the relevant DNSSEC documentation. We recommend the ISC BIND Administrators Reference Manual (available online) and DNS and BIND (by Cricket, L. and Albitz, P.; published by O'Reilly Media; 5th edition, 2006).
- The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
- The kind of key protection to be used and, if relevant, the number and quorum of Operator Cards in the OCS, and the policy for managing these cards.
- Whether the security world must be compliant with FIPS 140-2 level 3.
- Key attributes such as the key size, persistence, and time-out.
- Whether there is any need for auditing key usage.
We recommend that you back up your security world whenever you create a new key. This is good practice in all situations.
This guide
This guide describes how to store private DNSSEC keys within Thales nShield HSMs, and how to integrate these HSMs with the Internet Systems Consortium (ISC) BIND DNS server and OpenSSL.
This guide does not give a detailed explanation of the protocol, but does provide references to sources that give a more in-depth explanation of DNSSEC and BIND.
More information
- For more information about HSMs, see the User Guide for the HSM.
- Additional documentation produced to support your Thales HSM product is in the document directory of the CD-ROM or DVD-ROM for that product.
- For more information about OS support, contact your sales representative or Thales Support.
- For more information about contacting Thales, see Internet addresses on page 21.
Chapter 2: Procedures
Integration procedures include:
# export PATH=/opt/nfast/bin:$PATH
3. Create a security world if there is not already one present. For more information, see the User
Guide. To verify that a security world exists, run the following command:
# nfkmcheck
4. Open the file named cknfastrc in the directory where the Thales software is installed. The
default directory is /opt/nfast.
Note: You may need to create the cknfastrc file if it does not exist.
- If you are using OCS protection, add the following environment variables:
  CKNFAST_NO_ACCELERATOR_SLOTS=1
  CKNFAST_USE_THREAD_UPCALLS=1
  Create the OCS as described in the User Guide for the HSM. Ensure that your OCS pass phrase has a minimum of eight alphanumeric characters.
- If you are using softcard protection, add the following environment variables:
  CKNFAST_NO_ACCELERATOR_SLOTS=1
  CKNFAST_LOADSHARING=1
  CKNFAST_CARDSET_HASH=<softcard_hash>
  CKNFAST_USE_THREAD_UPCALLS=1
  Create the softcard as described in the User Guide for the HSM, then run the utility ppmk --list and enter the hash provided for the softcard that you want to use. Ensure that your softcard pass phrase has a minimum of eight alphanumeric characters.
- If you are using module-only protection, add the following environment variables:
  CKNFAST_FAKE_ACCELERATOR_LOGIN=1
  CKNFAST_USE_THREAD_UPCALLS=1
5. Export the LD_LIBRARY_PATH environment variable to point to the Thales PKCS #11 library, by running the following command:
# export LD_LIBRARY_PATH=/opt/nfast/toolkits/pkcs11/:$LD_LIBRARY_PATH
To configure OpenSSL:
1. Patch OpenSSL source for PKCS #11 support by running the following commands:
# cd /opt/openssl-0.9.8x
# patch -p1 < /opt/bind-9.9.3-P2/bin/pkcs11/openssl-0.9.8x-patch
# export PATH=/usr/ccs/bin:/usr/local/ssl:/usr/local/ssl/bin:/usr/sfw/bin:/usr/local/bin:$PATH
Note: The pk11 options are only available after installing the patch in step 1.
In the above configure command:
Note: If you are using Solaris 10 SPARC, replace linux-generic64 -m64 with solaris64-sparcv9-gcc. If you are using a 32-bit architecture, replace both instances of 64 with 32.
# export EXT_CFLAGS=-pthread
2. Configure BIND with PKCS #11 support by running the following commands:
# cd /opt/bind-9.9.3-P2
# ./configure CC="gcc -m64" --enable-threads --with-openssl=/opt/openssl-pkcs11/ --with-pkcs11=/opt/nfast/toolkits/pkcs11/libcknfast.so
# make
# make install
- --with-openssl must point to the OpenSSL directory specified in Installing and configuring OpenSSL and BIND on page 7.
- --with-pkcs11 must point to the Thales PKCS #11 library (the LD_LIBRARY_PATH environment variable set in Installing the software on page 6).
3. To verify the installation, export the installed OpenSSL path and confirm that OpenSSL is
configured with PKCS #11 support:
# export PATH=/opt/openssl-pkcs11/bin/:$PATH
# openssl engine pkcs11 -t
# cd /var/named/chroot/var/named
zone "thales-bindtest.org" in {
type master;
file "master.thales-bindtest.org";
};
# named-checkconf /etc/named.conf
# named -v
6. Restart BIND:
Note: The procedure for restarting BIND might vary for different machine configurations. This
procedure is given as an example.
7. Verify that BIND has successfully restarted:
# rndc status
Ensure that the output of rndc status displays the BIND version of 9.9.3-P2.
For more information on the rndc utility and BIND, see the ISC BIND Administrators Reference
Manual.
8. Use the DNS look-up utility dig to confirm that DNSSEC is not enabled by confirming an absence
of Resource Record Signature (RRSIG) records in the query response:
For example:
IN A 10.88.162.45
172800 IN NS dc1.thales-bindtest.org.
Generating the Key Signing Key (KSK) and Zone Signing Key (ZSK)
This section describes how to create the KSK and ZSK. The BIND tool pkcs11-keygen generates the
keys in the security world. The tool dnssec-keyfromlabel then creates two key files that represent the
key. These key files have the following format:
- K<domainname>.<algorithm_id>.<key_id>.key
- K<domainname>.<algorithm_id>.<key_id>.private
This example uses the default algorithm of RSASHA1 with 2048 bits for the KSK and ZSK.
Note: If you are in a Strict FIPS security world, you must provide your OCS or ACS for Strict FIPS
authentication before you run the BIND commands described in the following sections. We
recommend that you use your OCS rather than your ACS for security reasons.
If you have a K-of-N card set with K greater than 1, you must include the preload command
specifying the card set name in each of the BIND commands in the following steps, and use
761406613 as the slot ID where a slot ID is required.
# cd /var/named/chroot/var/named
Note: ppmk preload <softcard_name> is required if you are in a Strict FIPS security world
with more than one module. To find the softcard name run the ppmk --list command.
3. When prompted, enter your pass phrase. For module protection, press Return.
A PKCS #11 key is created in the security world and located in the /opt/nfast/kmdata/local
directory.
4. Generate the public and private key files by running the following command. This uses the label of the key pair stored in the HSM, and constructs a DNS key pair for use by named and dnssec-signzone. The key files are created in the current working directory.
- For 1-of-N OCS, softcard, and module protection:
When prompted, enter your pass phrase. For module protection, press Return.
The -f option sets the Secure Entry Point bit, which is required when building a chain of trust.
Note: This guide does not describe the procedure to build a chain of trust. For more
information, see the ISC BIND Administrators Reference Manual.
5. To verify key generation:
- With 1-of-N OCS protected keys:
# pkcs11-list -s 492971158
# pkcs11-list -s 761406613
# pkcs11-list -s 492971157
6. When prompted, enter your pass phrase. For module protection, press Return. The key object
output should include the following two thales-bindtest-KSK entries:
Note: ppmk preload <softcard_name> is required if you are in a Strict FIPS security world
with more than one module. To find the softcard name run the ppmk --list command.
2. When prompted, enter your pass phrase. For module protection, press Return.
A PKCS #11 key is created in the security world and located in the /opt/nfast/kmdata/local
directory.
3. Generate the public and private key files by running the following command. This uses the label of the key pair stored in the HSM, and constructs a DNS key pair for use by named and dnssec-signzone. The key files are created in the current working directory.
- For 1-of-N OCS, softcard, and module protection:
4. When prompted, enter your pass phrase. For module protection, press Return.
5. To verify key generation:
- With 1-of-N OCS protected keys:
# pkcs11-list -s 492971158
# pkcs11-list -s 761406613
# pkcs11-list -s 492971157
6. When prompted, enter your pass phrase. For module protection, press Return. The key object
output should include the following two thales-bindtest-ZSK entries:
2. When prompted, enter your pass phrase. For module protection, press Return.
A signed zone file is created in the working directory.
3. Edit the /etc/named.conf file to include the zone information for the signed zone:
zone "thales-bindtest.org" in {
type master;
file "master.thales-bindtest.org.signed";
};
4. In the options section of the file, add the following to enable DNSSEC:
dnssec-enable yes;
5. Restart BIND:
# rndc stop
# named
Note: This guide does not cover the procedure for automatic zone signing or automatic key
rollover. For more information, see the ISC BIND Administrators Reference Manual.
Verifying DNSSEC
Use the DNS look-up utility dig to verify DNSSEC:
The output should include RRSIG records in the query response. For example:
172800 IN NS dc1.thales-bindtest.org.
172800 IN RRSIG
NS 5 2 172800 (
20131115082223 20131016082223 19120
thales-bindtest.org.
S+zWGr7tA4ncJNw9J/Y3GyJfBaGT2m3ssrBX+x9b6l/5
O5Oxq7xXuJfqovfgDL1ZaRsvSCbPt1cQYZbVgw+mlLWo
gQOpRuiCGHI/Cay+0ogBR76axezwYJT0Zttk9BwABP4x
6ecqKuyWSBD43vVFATmy9cDYTgIz8JPlRTar6VuWisWl
BqaEtBwrHC+5InBW4iJ9pCOfxYgjQ7X0ldmrKuqn6zAk
VkGGm8t2WCv2vdTqUYFrHZrpHeoqHZSXO3g+9u3/OPOL
HnNtXnMIEKj19XUzyzPAHvwB545KMs+hl5099GwAsoZB
DmhIzkEMq5CAoA6LUodyUsh2QSQfuWkY2Q== )
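The two checks the guide performs by eye (the K<domainname>.<algorithm_id>.<key_id>.key naming of the key files, and the presence of RRSIG records in the dig answer) can be automated. The following Python is an added example, not code from the Thales guide or from ISC BIND: it parses BIND key-file names and dig-style RRSIG records, then reports a zone that is unsigned, a signature outside or near the end of its validity window, and an RRSIG whose signing key has no .private file in the working directory (the situation behind the "No signing keys specified or found" error in the troubleshooting table). All function names are the example's own; the dig answer and key-file names are constructed samples based on the guide's output (owner names added, signature shortened).

```python
"""Added example (not from the Thales guide): check a zone's DNSSEC state from
dig output and from the BIND key files present in the working directory."""
import re
from datetime import datetime, timedelta, timezone

# Algorithm numbers from the IANA DNSSEC registry; 5 (RSASHA1) is the guide's default.
ALGORITHMS = {5: "RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}

# BIND names key files K<name>.+<alg>+<keytag>.key / .private, as in the
# Kthales-bindtest.org.+005+59653.private file quoted in the troubleshooting table.
KEYFILE_RE = re.compile(
    r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?P<ext>key|private)$")


def utc(year, month, day):
    """Timezone-aware UTC timestamp for a calendar date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_keyfile_name(filename):
    """Return (name, algorithm, key_tag, ext) for a BIND key file name, or None."""
    m = KEYFILE_RE.match(filename)
    if not m:
        return None
    return (m.group("name"), int(m.group("alg")), int(m.group("tag")), m.group("ext"))


def join_records(dig_output):
    """Drop dig comment lines and collapse parenthesised multi-line records."""
    records, buf, depth = [], [], 0
    for raw in dig_output.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            records.append(" ".join(buf).replace("( ", "").replace(" )", ""))
            buf = []
    return records


def parse_rrsig(record):
    """Parse one RRSIG record in presentation format (RFC 4034, section 3.2)."""
    t = record.split()
    i = t.index("RRSIG")

    def ts(s):
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

    return {"type_covered": t[i + 1], "algorithm": int(t[i + 2]),
            "expiration": ts(t[i + 5]), "inception": ts(t[i + 6]),
            "key_tag": int(t[i + 7]), "signer": t[i + 8].rstrip(".")}


def check_zone(dig_output, key_files, now, warn_days=7):
    """Report a missing signature, signatures outside (or close to the end of)
    their validity window, and RRSIGs whose signing key has no .private file."""
    rrsigs = [parse_rrsig(r) for r in join_records(dig_output) if " RRSIG " in r]
    private_keys = {k[:3] for k in map(parse_keyfile_name, key_files)
                    if k and k[3] == "private"}
    problems = []
    if not rrsigs:
        problems.append("no RRSIG records in the answer: the zone is not DNSSEC-signed")
    for s in rrsigs:
        alg = ALGORITHMS.get(s["algorithm"], str(s["algorithm"]))
        label = f"RRSIG {s['type_covered']} (alg {alg}, key tag {s['key_tag']})"
        if now < s["inception"] or now > s["expiration"]:
            problems.append(f"{label} is outside its validity window")
        elif s["expiration"] - now < timedelta(days=warn_days):
            problems.append(f"{label} expires within {warn_days} days: re-sign the zone")
        if (s["signer"], s["algorithm"], s["key_tag"]) not in private_keys:
            problems.append(f"{label} has no matching .private key file; dnssec-signzone "
                            "will fail with 'No signing keys specified or found'")
    return {"rrsig_count": len(rrsigs), "problems": problems}


# Constructed samples: the dig answer from the guide (owner names added, signature
# shortened) and an unsigned answer, plus key file names; tag 19120 matches the RRSIG.
SIGNED_ANSWER = """\
;; ANSWER SECTION:
thales-bindtest.org.  172800 IN NS dc1.thales-bindtest.org.
thales-bindtest.org.  172800 IN RRSIG NS 5 2 172800 (
                      20131115082223 20131016082223 19120
                      thales-bindtest.org.
                      S+zWGr7tA4ncJNw9J/Y3GyJfBaGT2m3ssrBX+x9b6l/5
                      DmhIzkEMq5CAoA6LUodyUsh2QSQfuWkY2Q== )
"""
UNSIGNED_ANSWER = ";; ANSWER SECTION:\nthales-bindtest.org.  172800 IN NS dc1.thales-bindtest.org.\n"
KEY_FILES = ["Kthales-bindtest.org.+005+19120.key", "Kthales-bindtest.org.+005+19120.private",
             "Kthales-bindtest.org.+005+59653.key", "Kthales-bindtest.org.+005+59653.private"]

if __name__ == "__main__":
    for problem in check_zone(SIGNED_ANSWER, KEY_FILES, utc(2013, 11, 12))["problems"]:
        print(problem)
```

In use, replace SIGNED_ANSWER with the output of dig +dnssec for the zone and KEY_FILES with a listing of the working directory; the expiry warning is the check worth scheduling, because a signature that lapses while the HSM-held key is unavailable leaves validating resolvers returning SERVFAIL for the zone.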
Chapter 3: Troubleshooting
The following table lists error messages that might be displayed during the procedures described in this guide.

Error message: C_OpenSession: Error = 0x00000003
Cause: Wrong slot ID specified or OCS not in slot.
Resolution: Ensure the correct slot ID is specified. For OCS protection: 1-of-N: -s 492971158; K-of-N: -s 761406613. Ensure the OCS is inserted correctly in the card reader. For softcard protection use -s 761406613. For module protection use -s 492971157.

Error message: C_OpenSession: Error = 0x000000E1
Cause: Token not recognized.
Resolution: Incorrect card inserted into the slot. Ensure that the correct OCS from the security world is inserted correctly in the card reader.

Error message: Login: Error = 0x000000A0
Cause: Incorrect PIN, or environment variables not set.
Resolution: Ensure the correct PIN is entered when requested. Ensure the correct environment variables are set (see Installing the software on page 7).

Error message: C_Initialize: Error = 0x00000006
Cause: Security world unusable, or environment variables not set.
Resolution: Ensure a usable security world is in place and the module is in Operational mode. Ensure the correct environment variables are set (see Installing the software on page 7). Ensure the hardserver is running.

Error message: C_GenerateKeyPair: Error = 0x800000E0
Cause: FIPS Authentication required.
Resolution: If in a Strict FIPS security world, ensure that an OCS/ACS is inserted into the module slot for FIPS authentication.

Error message: dnssec-signzone: fatal: No signing keys specified or found
Cause: No KSK or ZSK in the working directory.
Resolution: Generate the KSK and ZSK as described in Generating the Key Signing Key (KSK) and Zone Signing Key (ZSK) on page 12, and attempt to re-sign the zone.

Error message: dnssec-signzone: fatal: could not initialize dst: no engine
Cause: Security world is unusable.
Resolution: Ensure a usable security world is in place and the module is in Operational mode. Ensure the hardserver is running. Ensure PKCS #11 engine support is available by running:
# openssl engine pkcs11 -t

Error message:
dnssec-signzone: warning: dns_dnssec_findmatchingkeys: error reading key file Kthales-bindtest.org.+005+59653.private: not found
dnssec-signzone: warning: dns_dnssec_findmatchingkeys: error reading key file Kthales-bindtest.org.+005+55268.private: not found
dnssec-signzone: fatal: No signing keys specified or found.
Cause: Certain versions of BIND (at least up to 0.9.8) occasionally make an erroneous call to destroy the PKCS #11 private key object after signing a zone. Destroying the private key makes it permanently unavailable for use, and all subsequent attempts to sign will fail.
Resolution: This is a problem in BIND, not the Thales Support Software, so a full resolution must wait for a new version of BIND with the issue addressed. In the meantime, the following procedure is recommended:
1. The security world should always be backed up when a new key is created. This is good practice in all situations, not just with this issue. To back up the security world, make a copy of /opt/nfast/kmdata/local.
2. If the issue occurs, run pkcs11-list -s <slot_number>, which will indicate that the most recently generated key object is missing.
3. Restore the security world from backup. Either the single key file identified by pkcs11-list or the entire /opt/nfast/kmdata/local may be restored.
4. Run pkcs11-list again, which should display an extra key object.
5. Attempt to sign the zone.
Internet addresses
Web site:
http://www.thales-esecurity.com/
Support:
http://www.thales-esecurity.com/support-landing-page
Online documentation:
http://www.thales-esecurity.com/knowledge-base
http://www.thales-esecurity.com/contact
Addresses and contact information for the main Thales e-Security sales offices are provided at the
bottom of the following page.