Re: question about DNSSEC with PKCS11

2023-08-15 Thread Jan-Piet Mens

1. Since I use an HSM (currently SoftHSM) to store the DNSSEC key, is it more
insecure to convert the key(s) from the HSM to a .private file with
dnssec-keyfromlabel?


Keys are not actually 'converted' with this utility; instead, the .private file
links to the corresponding private (and typically unexportable) key on the HSM.
(If you look inside the .private file you'll see a "Label:" field which contains
the base64-encoded "pointer" to the key on the HSM.)

In other words, use of dnssec-keyfromlabel(1) is not a security issue per se.

-JP
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
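The point JP makes can be checked on disk: a .private file written by dnssec-keyfromlabel holds a reference to the HSM object, while one written by dnssec-keygen holds the key itself. The script below is an added example, not code from the thread or from BIND. Both file contents are constructed; the "Label:" line follows what the thread describes, whereas the "Engine:" line and the exact set of tag names that carry secret material are my assumptions about the BIND private-key file format.

```python
import base64

# Tags in a BIND .private file that carry secret key material. If any of these
# appear, the file itself is the private key (dnssec-keygen output). This set is
# an assumption about the BIND private-key file format, not quoted from the thread.
PRIVATE_MATERIAL_TAGS = {
    "PrivateExponent", "Prime1", "Prime2", "Exponent1", "Exponent2",
    "Coefficient",  # RSA
    "PrivateKey",   # ECDSA / EdDSA
}


def parse_private_file(text: str) -> dict:
    """Parse 'Tag: value' lines into a dict; unknown tags are kept as-is."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        tag, value = line.split(":", 1)
        fields[tag.strip()] = value.strip()
    return fields


def classify_private_file(text: str) -> dict:
    """Report whether the file is an HSM reference, software key material, or neither."""
    fields = parse_private_file(text)
    material = sorted(tag for tag in fields if tag in PRIVATE_MATERIAL_TAGS)
    label = None
    if "Label" in fields:
        # The label is stored base64-encoded; decoding it gives the PKCS#11 URI.
        label = base64.b64decode(fields["Label"]).decode("utf-8")
    if material:
        kind = "software-key"
    elif label is not None:
        kind = "hsm-reference"
    else:
        kind = "unknown"
    return {"kind": kind, "material": material, "label": label,
            "algorithm": fields.get("Algorithm")}


# Constructed sample of what dnssec-keyfromlabel writes for an HSM-backed key.
# Dates are made up; the "Engine:" line is assumed; the "Label:" line is the
# base64-encoded PKCS#11 URI the thread describes (token/object names invented).
SAMPLE_LABEL = "pkcs11:token=bind9;object=example-ksk"
HSM_PRIVATE_FILE = (
    "Private-key-format: v1.3\n"
    "Algorithm: 13 (ECDSAP256SHA256)\n"
    "Engine: " + base64.b64encode(b"pkcs11").decode() + "\n"
    "Label: " + base64.b64encode(SAMPLE_LABEL.encode()).decode() + "\n"
    "Created: 20230804120000\n"
    "Publish: 20230804120000\n"
    "Activate: 20230804120000\n"
)

# Constructed sample of a software key as dnssec-keygen writes it. The private
# scalar is a dummy 32-byte value, not a real key.
SOFTWARE_PRIVATE_FILE = (
    "Private-key-format: v1.3\n"
    "Algorithm: 13 (ECDSAP256SHA256)\n"
    "PrivateKey: " + base64.b64encode(bytes(range(32))).decode() + "\n"
    "Created: 20230804120000\n"
    "Publish: 20230804120000\n"
    "Activate: 20230804120000\n"
)

if __name__ == "__main__":
    for name, content in (("hsm", HSM_PRIVATE_FILE), ("software", SOFTWARE_PRIVATE_FILE)):
        info = classify_private_file(content)
        print(f"{name}: {info['kind']}  material={info['material']}  label={info['label']}")
```

Pointed at the files in a key-directory, a file that classifies as software-key is the secret itself and must be protected accordingly, while an hsm-reference file contains no secret but does tell you which token object the zone's signing depends on, which is useful to record before any key rollover.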


Re: question about DNSSEC with PKCS11

2023-08-08 Thread Matthijs Mekking

Hi,

The KB article was written before dnssec-policy. Unfortunately, OpenSSL 
with engine_pkcs11 does not support creating keys. So if you want to use 
an HSM with dnssec-policy, you will need to create the keys yourself, and 
you can then import them into the key-directory with dnssec-keyfromlabel. 
Then, when it is time to create a new key according to BIND, it will 
select a pregenerated key instead.


Sorry for this inconvenience. We are working on making dnssec-policy 
work with HSMs including key generation through the OpenSSL 3.0 provider 
API.


Best regards,

Matthijs


On 8/5/23 04:50, sun guonian wrote:

hi,

I have tried the DNSSEC signing test according to the document,
https://kb.isc.org/docs/bind-9-pkcs11


(and section 5.5 of the Bv9ARM of version 9.18.16)

I have two questions about it,

1. Since I use an HSM (currently SoftHSM) to store the DNSSEC key, is it more
insecure to convert the key(s) from the HSM to a .private file with
dnssec-keyfromlabel?


2. When I configure a KASP policy, I notice that BIND will generate new key(s)
each time it needs them, but no new object is generated in SoftHSM. Can this
version of BIND roll the objects in HSM/SoftHSM?

Thanks in advance.

Best Regards,
SUN Guonian

And my environment is,
bind-9.18.16
opensc-0.42
softhsm-2.6.1
openssl-1.1.1k from system
RockyLinux 8




question about DNSSEC with PKCS11

2023-08-04 Thread sun guonian
hi,

I have tried the DNSSEC signing test according to the document,
https://kb.isc.org/docs/bind-9-pkcs11
(and section 5.5 of the Bv9ARM of version 9.18.16)

I have two questions about it,

1. Since I use an HSM (currently SoftHSM) to store the DNSSEC key, is it more
insecure to convert the key(s) from the HSM to a .private file with
dnssec-keyfromlabel?

2. When I configure a KASP policy, I notice that BIND will generate new key(s)
each time it needs them, but no new object is generated in SoftHSM. Can this
version of BIND roll the objects in HSM/SoftHSM?

Thanks in advance.

Best Regards,
SUN Guonian

And my environment is,
bind-9.18.16
opensc-0.42
softhsm-2.6.1
openssl-1.1.1k from system
RockyLinux 8