Report information
The Basics
Id:
37814
Status:
open
Priority:
Medium/Medium
Queue:

People
Requestors:
Cc:
AdminCc:

BugTracker
Version Fixed:
(no value)
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
(no value)
Priority:
(no value)
Severity:
(no value)
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
(no value)
Area:
(no value)

Dates
Created: Fri, 14 Nov 2014 16:48:55 -0500
Updated: Fri, 07 Jul 2017 20:01:46 -0400
Closed: Not set

This bug tracker is no longer active.

CC: Tomas Hozza <thozza@redhat.com>
Subject: PKCS#11 support for TSIG algorithms
Date: Fri, 14 Nov 2014 22:48:48 +0100
To: bind-suggest@isc.org
From: Petr Spacek <pspacek@redhat.com>
Hello,

I would like to ask you if you would accept a patch set with support for TSIG operations using PKCS#11.

Motivation: We have something like a networked HSM and we are trying to solve the TSIG key distribution problem. The raw idea is that dnssec-keyfromlabel could generate key files for TSIG algorithms and these files could be used with nsupdate -k file.

PKCS#11 standard v2.30 contains all the necessary methods (CKM_SHA_1_HMAC and others) so it should be 'just' a matter of implementing proper DST binding ... Am I right?

The only problem I found is that 'rndc tsig-list' does not list TSIG keys generated using dnssec-keygen and stored in 'keys-directory'. Is it fixable? Maybe it could allow TSIG key addition/removal at run-time as a side-effect (if we somehow hack 'rndc loadkeys' to reload TSIG keys too).

What do you think?

Thank you for your time!

-- 
Petr Spacek @ Red Hat

Date: Fri, 14 Nov 2014 23:20:02 +0000
From: Francis Dupont via RT <bind-suggest@isc.org>
I am currently out of my office (~12000 km) and I'll go back in some hours, so I apologise for the likely delay for a detailed answer.

BTW there is a new PKCS#11 standard (specs still require a final vote, include files are not yet available) but it won't change anything as HMAC has been covered for a long time.

The native PKCS#11 supports *all* the standard crypto functions needed by named, including hash and HMAC. So there is nothing to change on this side.

If I understand well you'd like to put secrets in the HSM. Currently this is supported only for RSA and ECDSA key pairs (look for a fromlabel method in dst_funct arrays). Note for OpenSSL only RSA keys are supported (sound as ECC is not supported by the PKCS#11 OpenSSL engine).

Anyway it seems reasonable to extend fromlabel to HMAC secrets as HMAC is already in the DST stuff. Now I need the opinion of my colleagues if the result will be to get a PKCS#11 specific feature.

Note I don't yet fully understand your point about rndc tsig-list. I am afraid the current only way to configure TSIG keys (aka secrets) is to put them in the named config file... Surely something which requires ASAP improvements...
CC: undisclosed-recipients: ;
Subject: Re: [ISC-Bugs #37814] PKCS#11 support for TSIG algorithms
Date: Fri, 14 Nov 2014 23:29:10 +0000
To: Francis Dupont via RT <bind-suggest@isc.org>
From: Evan Hunt <each@isc.org>
On Fri, Nov 14, 2014 at 11:20:02PM +0000, Francis Dupont via RT wrote:
> Note I don't yet fully understand your point about
> rndc tsig-list. I am afraid the current only way to
> configure TSIG keys (aka secrets) is to put them
> in the named config file...

There's also TKEY.
Subject: Re: [ISC-Bugs #37814] PKCS#11 support for TSIG algorithms
Date: Mon, 24 Nov 2014 22:42:51 +0100
To: bind-suggest@isc.org
From: Petr Spacek <pspacek@redhat.com>
Hello,

and thank you for your answer!

On 15.11.2014 00:20, Francis Dupont via RT wrote:
> I am currently out of my office (~12000 km) and
> I'll go back in some hours, so I apologise for
> the likely delay for a detailed answer.
>
> BTW there is a new PKCS#11 standard (specs
> still require a final vote, include files are not
> yet available) but it won't change anything as
> HMAC has been covered for a long time.
>
> The native PKCS#11 supports *all* the standard
> crypto functions needed by named, including hash
> and HMAC. So there is nothing to change on this side.
>
> If I understand well you'd like to put secrets in the HSM.

Yes, exactly.

> Currently this is supported only for RSA and ECDSA
> key pairs (look for a fromlabel method in dst_funct
> arrays). Note for OpenSSL only RSA keys are supported
> (sound as ECC is not supported by the PKCS#11
> OpenSSL engine).

I'm thinking more about direct/native PKCS#11 support. OpenSSL's PKCS#11 engine never worked for me and generally with standard Red Hat packages ...

> Anyway it seems reasonable to extend fromlabel to
> HMAC secrets as HMAC is already in the DST stuff.
> Now I need the opinion of my colleagues if the result
> will be to get a PKCS#11 specific feature.
>
> Note I don't yet fully understand your point about
> rndc tsig-list. I am afraid the current only way to
> configure TSIG keys (aka secrets) is to put them
> in the named config file... Surely something which
> requires ASAP improvements...

You understand me perfectly. I was making the point that TSIG keys stored in key files (produced by dnssec-keygen) located in "keys-directory" are ignored by named and are not usable in zone "update-policy".

Maybe this could be a way how to separate keys from the named config file and to allow dynamic key management at run-time (with an equivalent of rndc loadkeys for these TSIG keys).

-- 
Petr^2 Spacek
On Mon Nov 24 21:42:58 2014, pspacek@redhat.com wrote:
> Hello,
>
> and thank you for your answer!
>
> On 15.11.2014 00:20, Francis Dupont via RT wrote:
> > I am currently out of my office (~12000 km) and
> > I'll go back in some hours, so I apologise for
> > the likely delay for a detailed answer.
> >
> > BTW there is a new PKCS#11 standard (specs
> > still require a final vote, include files are not
> > yet available) but it won't change anything as
> > HMAC has been covered for a long time.
> >
> > The native PKCS#11 supports *all* the standard
> > crypto functions needed by named, including hash
> > and HMAC. So there is nothing to change on this side.
> >
> > If I understand well you'd like to put secrets in the HSM.
> Yes, exactly.
>
> > Currently this is supported only for RSA and ECDSA
> > key pairs (look for a fromlabel method in dst_funct
> > arrays). Note for OpenSSL only RSA keys are supported
> > (sound as ECC is not supported by the PKCS#11
> > OpenSSL engine).
> I'm thinking more about direct/native PKCS#11 support.

=> I agree and I just commented the fact the OpenSSL stuff is already far behind..

> OpenSSL's PKCS#11
> engine never worked for me and generally with standard
> Red Hat packages ...

=> not really surprised (I wrote the native PKCS#11 code because the OpenSSL PKCS#11 engine was impossible to debug/maintain/support... it started as a private experiment but it was so successful it was adopted for official distribs)

> > Anyway it seems reasonable to extend fromlabel to
> > HMAC secrets as HMAC is already in the DST stuff.
> > Now I need the opinion of my colleagues if the result
> > will be to get a PKCS#11 specific feature.

=> I postpone this point as the next one is required if we want to go further.

> > Note I don't yet fully understand your point about
> > rndc tsig-list. I am afraid the current only way to
> > configure TSIG keys (aka secrets) is to put them
> > in the named config file... Surely something which
> > requires ASAP improvements...
>
> You understand me perfectly. I was making the point that
> TSIG keys stored in key files (produced by dnssec-keygen)
> located in "keys-directory" are ignored
> by named and are not usable in zone "update-policy".
>
> Maybe this could be a way how to separate keys from
> the named config file and to allow dynamic key management
> at run-time (with an equivalent of rndc loadkeys
> for these TSIG keys).

=> IMHO this is enough to get its own ticket (I leave my colleagues to create it in the case they agree).

Thanks
CC: undisclosed-recipients: ;
Subject: Re: [ISC-Bugs #37814] PKCS#11 support for TSIG algorithms
Date: Tue, 25 Nov 2014 02:54:39 +0000
To: Francis Dupont via RT <bind-suggest@isc.org>
From: Evan Hunt <each@isc.org>
> I was making the point that
> TSIG keys stored in key files (produced by dnssec-keygen)
> located in "keys-directory" are ignored
> by named and are not usable in zone "update-policy".
>
> Maybe this could be a way how to separate keys from
> the named config file and to allow dynamic key management
> at run-time (with an equivalent of rndc loadkeys
> for these TSIG keys).

Interesting idea. I submitted it to the suggest queue as RT #37903.

If I wanted to do something like this using current BIND, I'd generate keys using "ddns-confgen -q", concatenate them into a named.conf include file, and run "rndc reconfig".
CC: undisclosed-recipients: ;
Subject: Re: [ISC-Bugs #37814] PKCS#11 support for TSIG algorithms
Date: Tue, 25 Nov 2014 02:56:58 +0000
To: Evan Hunt via RT <bind-suggest@isc.org>
From: Evan Hunt <each@isc.org>
> "ddns-confgen -q"

(Also known as "tsig-keygen", since BIND 9.10.)
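The workflow Evan Hunt describes (generate keys with "ddns-confgen -q", concatenate them into a named.conf include file, reload) as an added example, not code from this ticket or from BIND: it renders key statements in the layout ddns-confgen prints, parses the concatenated include file back, and uses the parsed secret for the HMAC step, which is the one operation an HSM-backed key would take over. The statement layout, the secret sizes, the regex parser and the tsig_mac/tsig_verify helpers are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import re
import secrets

# TSIG algorithm names named accepts, mapped to the hash each one uses.
TSIG_HASHES = {
    "hmac-md5": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}

def key_statement(name, algorithm="hmac-sha256", secret=None):
    """Render one named.conf key statement (layout assumed to match ddns-confgen -q)."""
    if algorithm not in TSIG_HASHES:
        raise ValueError(f"unknown TSIG algorithm {algorithm}")
    if secret is None:
        # Assumption: the generated secret is as long as the hash output.
        secret = secrets.token_bytes(TSIG_HASHES[algorithm]().digest_size)
    b64 = base64.b64encode(secret).decode()
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{b64}";\n}};\n'

# Hypothetical parser for the concatenated include file (not BIND's own parser).
KEY_RE = re.compile(
    r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;'
)

def parse_include(text):
    """Return {key name: (algorithm, raw secret bytes)} for every key statement."""
    keys = {}
    for name, alg, b64 in KEY_RE.findall(text):
        alg = alg.lower()
        if alg not in TSIG_HASHES:
            raise ValueError(f"unsupported algorithm {alg} for key {name}")
        keys[name] = (alg, base64.b64decode(b64, validate=True))
    return keys

def tsig_mac(keys, name, data):
    """HMAC over data under the named key: the step an HSM would perform instead."""
    alg, secret = keys[name]
    return hmac.new(secret, data, TSIG_HASHES[alg]).digest()

def tsig_verify(keys, name, data, mac):
    """Constant-time comparison of a received MAC against a fresh computation."""
    return hmac.compare_digest(tsig_mac(keys, name, data), mac)
```

Keeping the include file separate from named.conf is what lets "rndc reconfig" pick up added or removed keys without touching the main configuration.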