Re: BIND 9.10.0b1 is now available
> Well, I'm going to put a radio button for people to use the native PKCS11
> or OpenSSL, and maybe create a slave port enabling the PKCS11 by default.
> And add warnings telling people that this BIND can't be used as a
> validating resolver. (it's not auth only, I assume it can still resolve,
> but not validate.)

If the pkcs11 provider has a complete implementation of the pkcs11 API, then
it can be used for validation. I don't advise it, but it should work. (With
SoftHSMv2, it might not even be all that slow, since the code runs locally --
I haven't benchmarked it.)

> On the other hand, if the HSM selection has to be done at compile time,
> like Evan suggests, and not at runtime through a named.conf directive, it's
> a bit pointless, the only "HSM" we have in the ports collection being
> SoftHSM.

HSM selection can be postponed, actually; IIRC, you configure BIND with
--enable-native-pkcs11 but omit --with-pkcs11, then specify the provider
library on the command line ('named -E /path/to/libsofthsm.so'). We haven't
made it a named.conf directive though; it hadn't occurred to me before that
anyone would want this for any purpose other than testing.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.10.0b1 is now available
+--On 17 March 2014 14:43:36 -0700 Doug Barton wrote:
| On 03/17/2014 01:06 PM, Evan Hunt wrote:
|> On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
|>> Yes, it was my understanding of how HSM worked. That's why I was trying
|>> to build with OpenSSL *and* native PKCS11, to get the DNSSEC validation
|>> on one side, and PKCS11 interface for zone signing on the other.
|>
|> I'd advise doing that with two separate BIND instances -- sign using
|> pkcs11 (possibly on a hidden master) and keep that separate from your
|> recursion/validation.
|
| Evan, I think that Mathieu understands that from a "proper DNS
| functionality" perspective. What he's struggling with is that the way
| FreeBSD ports are set up they don't really have a "flag" for "This
| configuration of options will give you an authoritative-only server that
| you cannot use for general purpose recursion/validation" within a
| specific set of options for the general purpose port.
|
| Mathieu, if I may, what I would do in this situation is create a slave
| port for the HSM compile options, and put some sort of warning
| (pre-compile, pkg-message, or both) that clearly indicates to the user
| that this configuration is limited to auth-only. That's the least painful
| way I can think of to deal with it off hand. You may come up with a more
| creative solution.

Well, I'm going to put a radio button for people to use the native PKCS11
or OpenSSL, and maybe create a slave port enabling the PKCS11 by default.
And add warnings telling people that this BIND can't be used as a
validating resolver. (it's not auth only, I assume it can still resolve,
but not validate.)

On the other hand, if the HSM selection has to be done at compile time,
like Evan suggests, and not at runtime through a named.conf directive, it's
a bit pointless, the only "HSM" we have in the ports collection being
SoftHSM.

Regards,
-- 
Mathieu Arnold
Re: BIND 9.10.0b1 is now available
On Mon, Mar 17, 2014 at 11:41:07PM +0200, Mark Elkins wrote:
> I had not thought about that. BIND compiled with pkcs11 and no openssl
> *has* to be used with an HSM (soft and Thales being the two tested
> types) presumably as a Zone signer and can *not* be used as a DNSSEC
> validating resolver (IMR)

You *can* use it as a validating resolver, but it probably wouldn't be very
efficient and I don't know why you'd want to. :)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: BIND 9.10.0b1 is now available
On Mon, 2014-03-17 at 20:06 +0000, Evan Hunt wrote:
> On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
> > Yes, it was my understanding of how HSM worked. That's why I was trying to
> > build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
> > side, and PKCS11 interface for zone signing on the other.
>
> I'd advise doing that with two separate BIND instances -- sign using
> pkcs11 (possibly on a hidden master) and keep that separate from your
> recursion/validation.
>
> I'm interested to read this, though, because it's a use case I hadn't
> considered. We'll have to give it some thought. But right now there
> are three options:
>
> - build with regular openssl, no pkcs11
> - build with patched openssl, pkcs11 available via openssl shim
>   (configure --with-openssl=/path/to/openssl/prefix
>    --with-pkcs11=/path/to/provider.so)
> - build with native pkcs11, no openssl
>   (configure --enable-native-pkcs11 --with-pkcs11=/path/to/provider.so)

I had not thought about that. BIND compiled with pkcs11 and no openssl
*has* to be used with an HSM (soft and Thales being the two tested
types) presumably as a Zone signer and can *not* be used as a DNSSEC
validating resolver (IMR)

One should be careful not to go mixing up the binaries!

-- 
Mark J Elkins, Cisco CCIE
Posix Systems - (South) Africa
m...@posix.co.za
Tel: +27 12 807 0590  Cell: +27 82 601 0496
Re: BIND 9.10.0b1 is now available
On 03/17/2014 01:06 PM, Evan Hunt wrote:
> On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
>> Yes, it was my understanding of how HSM worked. That's why I was trying
>> to build with OpenSSL *and* native PKCS11, to get the DNSSEC validation
>> on one side, and PKCS11 interface for zone signing on the other.
>
> I'd advise doing that with two separate BIND instances -- sign using
> pkcs11 (possibly on a hidden master) and keep that separate from your
> recursion/validation.

Evan, I think that Mathieu understands that from a "proper DNS
functionality" perspective. What he's struggling with is that the way
FreeBSD ports are set up they don't really have a "flag" for "This
configuration of options will give you an authoritative-only server that
you cannot use for general purpose recursion/validation" within a
specific set of options for the general purpose port.

Mathieu, if I may, what I would do in this situation is create a slave
port for the HSM compile options, and put some sort of warning
(pre-compile, pkg-message, or both) that clearly indicates to the user
that this configuration is limited to auth-only. That's the least painful
way I can think of to deal with it off hand. You may come up with a more
creative solution.

hth,

Doug
Re: Update Security
On Mar 16, 2014, at 3:32 AM, Bob McDonald wrote:
> Ok so it's not painless. Do the updates still get forwarded to the master by
> the slaves or do I need to have all Windows devices needing update capability
> to point at the master?
>
> TIA,
>
> Bob

I don't believe it works with update forwarding. I've certainly never gotten
it to work. However, Microsoft will send the updates to the master listed in
the SOA record, so as long as that shows your otherwise-hidden master, and
firewall access is set up for it, everything should work fine.

Regards,
Chris Buxton

> On Fri, Mar 14, 2014 at 7:36 PM, Chris Buxton wrote:
> On Mar 14, 2014, at 10:50 AM, Bob McDonald wrote:
>
> > I agree that TSIG or SIG(0) signed updates are certainly a more desirable
> > approach than allowing updates via address. My DHCP server is setup to
> > sign all of its updates this way. However, I have AD domain controllers
> > in the environment that don't currently use signed updates. Is there a
> > fairly painless way to convert all the AD machines to signed updates?
>
> You would need to set up GSS-TSIG, which is not painless. (It's certainly
> doable, but there are plenty of pitfalls to overcome.) Windows doesn't
> support TSIG, just GSS-TSIG.
>
> AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the
> master.
>
> Regards,
> Chris Buxton.
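The allow-update versus update-policy distinction raised in this thread, as an added named.conf illustration. It is not configuration from the thread or from ISC: the zone name, realm, keytab path, key name and key secret are placeholders, and the grant lines are my reading of BIND's update-policy syntax (ms-self and krb5-self are BIND's identity types for GSS-TSIG principals; zonesub restricts a key to the zone the policy is attached to).

```conf
// Added illustration, not configuration from this thread or from ISC.
// Zone name, realm, keytab path, key name and secret are placeholders.

options {
    directory "/var/named";
    // Service keytab the master uses to accept GSS-TSIG (TKEY) negotiation
    // from Windows clients. Placeholder path.
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

// TSIG key shared with the DHCP server (secret is a placeholder).
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET=";
};

zone "example.com" {
    type master;
    file "example.com.db";   // its SOA MNAME must name this (hidden) master

    // Weak form: any packet whose source address is in the range may change
    // any record in the zone, and a UDP source address carries no proof of
    // who sent it.
    //   allow-update { 10.0.0.0/24; };

    // Authenticated form. allow-update and update-policy are mutually
    // exclusive, so the line above stays out once this block is in.
    update-policy {
        // The DHCP server, proving possession of the TSIG key, may maintain
        // forward records anywhere in the zone.
        grant dhcp-update zonesub A AAAA TXT;
        // An AD-joined machine authenticating with GSS-TSIG as
        // host$@EXAMPLE.COM (ms-self) or host/fqdn@EXAMPLE.COM (krb5-self)
        // may only change the address records of its own name.
        grant EXAMPLE.COM ms-self * A AAAA;
        grant EXAMPLE.COM krb5-self * A AAAA;
    };
};
```

Because a Windows client sends its UPDATE to the server named in the zone's SOA MNAME field, that field (in example.com.db, not shown here) has to name this master and the firewall has to let the domain controllers reach it on port 53; the slaves play no part in the exchange, which matches what Chris reports about update forwarding.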
Re: BIND 9.10.0b1 is now available
On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
> Yes, it was my understanding of how HSM worked. That's why I was trying to
> build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
> side, and PKCS11 interface for zone signing on the other.

I'd advise doing that with two separate BIND instances -- sign using
pkcs11 (possibly on a hidden master) and keep that separate from your
recursion/validation.

I'm interested to read this, though, because it's a use case I hadn't
considered. We'll have to give it some thought. But right now there
are three options:

- build with regular openssl, no pkcs11
- build with patched openssl, pkcs11 available via openssl shim
  (configure --with-openssl=/path/to/openssl/prefix
   --with-pkcs11=/path/to/provider.so)
- build with native pkcs11, no openssl
  (configure --enable-native-pkcs11 --with-pkcs11=/path/to/provider.so)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: BIND 9.10.0b1 is now available
+--On 17 March 2014 12:36:32 -0700 Doug Barton wrote:
| On 03/17/2014 12:29 PM, Mathieu Arnold wrote:
|> Hum, so, it will also use pkcs11 for dnssec validation too ? (Sorry if
|> this seems a silly question.)
|
| HSMs are typically an auth-only tool, although I suppose that in a
| super-high-security environment that they could be justified for
| validation ... it would be interesting to see a requirements doc on what
| the HSM would need to provide to do that.

Yes, it was my understanding of how HSM worked. That's why I was trying to
build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
side, and PKCS11 interface for zone signing on the other.

-- 
Mathieu Arnold
Re: BIND 9.10.0b1 is now available
On 03/17/2014 12:29 PM, Mathieu Arnold wrote:
> Hum, so, it will also use pkcs11 for dnssec validation too ? (Sorry if
> this seems a silly question.)

HSMs are typically an auth-only tool, although I suppose that in a
super-high-security environment that they could be justified for
validation ... it would be interesting to see a requirements doc on what
the HSM would need to provide to do that.

Doug
Re: BIND 9.10.0b1 is now available
+--On 17 March 2014 17:51:33 +0000 Evan Hunt wrote:
| This new code uses pkcs11 for all crypto, instead of using openssl as a
| shim. So yes, you can build with either native pkcs11 or openssl, but
| not both.

Hum, so, it will also use pkcs11 for dnssec validation too ? (Sorry if
this seems a silly question.)

Also, from your example, it seems the pkcs11 library is a build time thing,
could it be a runtime configuration so that we can provide an agnostic
package and then you just need to point BIND to the right .so in its
configuration ?

And does OpenSSL provide a pkcs11 interface ? (To know if I could switch the
default BIND package from using openssl to using openssl through pkcs11)

Regards,
-- 
Mathieu Arnold
Re: BIND 9.10.0b1 is now available
> | Has anyone tried this yet? - either using SoftHSM or a Thales HSM?
> |
> | I have access to a totally unconfigured Thales netShield Connect 500.
> |
> | Without reading *all* the manuals - anyone have a HowTo setup to make
> | one of these beasties talk PKCS#11... a Goto page XX is acceptable..
>
> For the FreeBSD port for 9.10 that I'm currently writing (as the beta comes
> out) it seems you can only build it either with openssl or with
> native-pkcs11, which is a bit strange.

Well, it's kinda the point: Our previous pkcs11 support required you to patch
and build a local version of openssl with code that was originally contributed
by the OpenSolaris project and has been maintained for the past few years by
ISC, but has never been accepted into upstream openssl. Every crypto function
used by BIND would be sent to this alternate openssl, which would then
translate the call into pkcs11 primitives and send them to the HSM.

This new code uses pkcs11 for all crypto, instead of using openssl as a
shim. So yes, you can build with either native pkcs11 or openssl, but
not both.

(The advantage of the openssl version is it can fill in functional gaps when
your HSM doesn't supply *all* the pkcs11 functions. Some HSMs don't provide
hashing services or random number generation, for example. If you're using
such an HSM then native pkcs11 can't do all crypto things BIND needs done.)

> As for trying it, no, making it compile is already somewhat a challenge...

I haven't tried it with Thales personally, but one of my colleagues has.

For SoftHSM, you have to build the latest v2 code out of their git
repository; there's no tarball you can download as yet. Once you've built it
and initialized it according to their instructions, configure BIND and test
it:

    $ configure --enable-native-pkcs11 --with-pkcs11=/path/to/libsofthsm.so
    $ make
    $ cd bin/tests/system
    $ sudo sh ifconfig.sh up
    $ sh run.sh pkcs11

If the test passes, then pkcs11 is working.

It should work the same with Thales, as long as the HSM is running and the
pkcs11 provider library is accessible.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: BIND 9.10.0b1 is now available
+--On 17 March 2014 18:56:25 +0200 Mark Elkins wrote:
| On Wed, 2014-02-26 at 00:55 +0000, Michael McNally wrote:
|>    A new compile-time option, "configure --enable-native-pkcs11",
|>    allows the BIND 9 cryptography functions to use the PKCS#11 API
|>    natively, so that BIND can drive a cryptographic hardware service
|>    module (HSM) directly instead of using a modified OpenSSL as an
|>    intermediary. This has been tested with the Thales nShield HSM
|>    and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031]
|
|
| Has anyone tried this yet? - either using SoftHSM or a Thales HSM?
|
| I have access to a totally unconfigured Thales netShield Connect 500.
|
| Without reading *all* the manuals - anyone have a HowTo setup to make
| one of these beasties talk PKCS#11... a Goto page XX is acceptable..

For the FreeBSD port for 9.10 that I'm currently writing (as the beta comes
out) it seems you can only build it either with openssl or with
native-pkcs11, which is a bit strange.

As for trying it, no, making it compile is already somewhat a challenge...

-- 
Mathieu Arnold
Re: BIND 9.10.0b1 is now available
On Wed, 2014-02-26 at 00:55 +0000, Michael McNally wrote:
>    A new compile-time option, "configure --enable-native-pkcs11",
>    allows the BIND 9 cryptography functions to use the PKCS#11 API
>    natively, so that BIND can drive a cryptographic hardware service
>    module (HSM) directly instead of using a modified OpenSSL as an
>    intermediary. This has been tested with the Thales nShield HSM
>    and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031]

Has anyone tried this yet? - either using SoftHSM or a Thales HSM?

I have access to a totally unconfigured Thales netShield Connect 500.

Without reading *all* the manuals - anyone have a HowTo setup to make
one of these beasties talk PKCS#11... a Goto page XX is acceptable..

-- 
Mark J Elkins, Cisco CCIE
Posix Systems - (South) Africa
m...@posix.co.za
Tel: +27 12 807 0590  Cell: +27 82 601 0496
Re: Re: Audit the consistency of zone files on DNS servers
Thanks for your reply.

Maybe I am a skeptic, but I am not skeptical of just bind; I am skeptical
about myself and any script that is generating zones. All I know is that
things go wrong... including things caused by my own mistakes.

1. I now run a Bind and other DNS servers. I am not sure if they interoperate
   with each other correctly.
2. I found a bug in my zone generation script that at times has not
   incremented the serial number on the master server and caused the servers
   to be out of sync.

After being humbled by this and other problems (probably caused by me), I
have decided that it would be best to have a testing method which is totally
external to XFRs and not dependent on my good judgement.

Thank you for the git script, I think it does what I need. 0.01% is
acceptable.

Maren.

> To be blunt, I think you are being unreasonable - sort of a "radical
> skeptic" - about the software. If you distrust the XFR bit of your DNS
> servers, why trust *any* of it? How do you know the DNS server isn't
> answering with garbage when it should be answering NODATA/NXDOMAIN? Or
> answering with correct values to you, but garbage 0.01% of the time to
> everyone else? You don't know that, and you can never know that, so
> proceeding on this basis is futile. Do you have grounds to *reasonably
> doubt* the functioning of your DNS software?
>
> Anyway - in an attempt to be "helpful", even though I think it's a silly
> thing to do, here's a suggestion which queries every record in a zone
> versus a master file:
>
> https://github.com/joemiller/dns_compare
>
> You could also canonicalise the zone file with "trusted" (ha ha) software
> then transfer it over a "trusted" protocol (ha ha), "freeze" the zone at
> the slaves having "trusted" that they will write to disk correctly, then
> use diff. None of these solves the NODATA/NXDOMAIN or low-rate error
> problem, but they are, in principle, unsolvable.
>
> Good luck - I doubt you'll find what you want though!
>
> ;o)
>
> Cheers,
> Phil
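The "canonicalise, then diff" check Phil describes, and the stale-serial failure Maren hit, as an added Python example. It is not code from this thread or from the dns_compare project: both zone texts are constructed sample data standing in for the master's zone file and a slave's dumped copy, and the parser covers only the common master-file syntax ($ORIGIN, $TTL, omitted owner/TTL/class, parenthesised multi-line records, ';' comments). Names in rdata are expanded and case-folded for the record types listed in NAME_FIELDS; everything else is compared token for token.

```python
"""Canonicalise two copies of a DNS zone and report every difference.
Added example, not from the thread; the sample zones below are constructed.
"""
import re

# rdata field positions that hold domain names, for the types this parser
# canonicalises; other fields are compared as plain tokens.
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,),
               "SOA": (0, 1), "SRV": (3,)}
KNOWN_TYPES = {"A", "AAAA", "NS", "CNAME", "PTR", "MX", "SOA", "SRV", "TXT"}

# Constructed sample: master-file syntax with relative names and a
# parenthesised SOA (serial 2014031702, www -> 192.0.2.10).
MASTER_FILE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1 hostmaster (
            2014031702  ; serial
            7200 900 1209600 300 )
        IN NS   ns1
        IN MX   10 mail
ns1     IN A    192.0.2.1
mail    IN A    192.0.2.20
www     IN A    192.0.2.10
"""

# Constructed sample: the same zone as a slave dumped it, fully qualified,
# but stale (serial 2014031701 and the old www address).
SLAVE_DUMP = """\
$ORIGIN example.com.
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2014031701 7200 900 1209600 300
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN MX 10 mail.example.com.
ns1.example.com. 3600 IN A 192.0.2.1
mail.example.com. 3600 IN A 192.0.2.20
www.example.com. 3600 IN A 192.0.2.9
"""


def absolutise(name, origin):
    """Lower-case a zone-file name and append the origin if it is relative."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text, origin):
    """Return the zone as a set of canonical (owner, type, rdata) tuples."""
    origin = origin.lower().rstrip(".") + "."
    records, last_owner = set(), origin
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = absolutise(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            continue
        if line[0].isspace():            # omitted owner: repeat the previous one
            owner = last_owner
        else:
            owner = last_owner = absolutise(tokens.pop(0), origin)
        while tokens and tokens[0].upper() not in KNOWN_TYPES:   # skip TTL/class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = absolutise(rdata[i], origin)
        records.add((owner, rtype, " ".join(rdata)))
    return records


def soa_serial(records):
    """SOA rdata is 'mname rname serial refresh retry expire minimum'."""
    for _owner, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata.split()[2])
    return None


def compare_zones(master_text, slave_text, origin):
    """Diff two copies of a zone; empty lists mean the copies agree."""
    master = parse_zone(master_text, origin)
    slave = parse_zone(slave_text, origin)
    return {"master_serial": soa_serial(master),
            "slave_serial": soa_serial(slave),
            "missing_on_slave": sorted(master - slave),
            "extra_on_slave": sorted(slave - master)}


if __name__ == "__main__":
    report = compare_zones(MASTER_FILE, SLAVE_DUMP, "example.com")
    print(f"serial: master={report['master_serial']} slave={report['slave_serial']}")
    for rec in report["missing_on_slave"] + report["extra_on_slave"]:
        print("differs:", *rec)
```

Run against real copies, feed compare_zones() the master's file and each slave's dumped file (or a saved AXFR) rather than the embedded samples; a non-empty difference list, or a serial that did not advance on the master after a generation run, is the condition Maren's broken script produced and the external check is meant to catch.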
Re: Update Security
Signed updates, that is...

On Sun, Mar 16, 2014 at 5:32 AM, Bob McDonald wrote:
> Ok so it's not painless. Do the updates still get forwarded to the master
> by the slaves or do I need to have all Windows devices needing update
> capability to point at the master?
>
> TIA,
>
> Bob
>
>
>
> On Fri, Mar 14, 2014 at 7:36 PM, Chris Buxton wrote:
>
>> On Mar 14, 2014, at 10:50 AM, Bob McDonald wrote:
>>
>> > I agree that TSIG or SIG(0) signed updates are certainly a more
>> desirable approach than allowing updates via address. My DHCP server is
>> setup to sign all of its updates this way. However, I have AD domain
>> controllers in the environment that don't currently use signed updates. Is
>> there a fairly painless way to convert all the AD machines to signed
>> updates?
>>
>> You would need to set up GSS-TSIG, which is not painless. (It's certainly
>> doable, but there are plenty of pitfalls to overcome.) Windows doesn't
>> support TSIG, just GSS-TSIG.
>>
>> AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on
>> the master.
>>
>> Regards,
>> Chris Buxton.
>
>