Report information
The Basics
Id: 43093
Status: open
Priority: 50/50
Queue: bind9-public

Bug Information
Version Fixed: (no value)
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P2 Normal
Severity: S2 Normal
CVSS Score: (no value)
CVE ID: (no value)
Component: BIND Server
Area: bug

Dates
Created:Tue, 23 Aug 2016 08:38:38 -0400
Updated:Tue, 25 Jul 2017 11:29:08 -0400
Closed:Not set



This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

Subject: Possible bug with the native PKCS#11 interface
Date: Tue, 23 Aug 2016 14:38:17 +0200
To: bind9-bugs@isc.org
From: "Mathieu Arnold" <mat@FreeBSD.org>
Hi,

Someone created a FreeBSD bug report[1] today. As I don't use the PKCS#11 thingie myself, I only tested it briefly when it came around to make sure it built and ran.

I don't understand what it really is trying to achieve, so, I'm wondering what you think about it, if it is a bug in BIND9, or a feature addition...

1: <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212069>

-- 
Mathieu Arnold

On Tue Aug 23 12:38:39 2016, mat@FreeBSD.org wrote:
> Hi,
>
> Someone created a FreeBSD bug report[1] today. As I don't use the PKCS#11
> thingie myself, I only tested it briefly when it came around to make sure
> it built and ran.
>
> I don't understand what it really is trying to achieve, so, I'm wondering
> what you think about it, if it is a bug in BIND9, or a feature addition...
>
> 1: <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212069>

=> it is a patch for the FreeBSD port system (1) but it includes a fix (2) for Fedora 23 so you are right to signal this to us.

(1) IMHO it is not a good idea to provide native PKCS#11 support in the standard package because it is exclusive of OpenSSL. Note if SoftHSMv2 is fine it was not designed to be very secure (it was designed to help development of code supporting real HSMs, including the native PKCS#11 support in bind9). So to replace bind9+OpenSSL by bind9+PKCS#11+SoftHSMv2 doesn't make sense in production.

(2) I'll download the Fedora 23 sources to see if the patch solves a real/known/already-fixed issue.

Note we merged a patch making the native PKCS#11 support more flexible into 9.10 and 9.11 last week so if you find something wrong please check against last versions.
Subject: Re: [ISC-Bugs #43093] Possible bug with the native PKCS#11 interface
Date: Tue, 23 Aug 2016 15:36:12 +0200
To: bind9-bugs@isc.org
From: "Mathieu Arnold" <mat@FreeBSD.org>
+--On 23 Aug 2016 13:10:30 +0000 Francis Dupont via RT <bind9-bugs@isc.org> wrote:
| On Tue Aug 23 12:38:39 2016, mat@FreeBSD.org wrote:
|> Hi,
|>
|> Someone created a FreeBSD bug report[1] today. As I don't use the PKCS#11
|> thingie myself, I only tested it briefly when it came around to make sure
|> it built and ran.
|>
|> I don't understand what it really is trying to achieve, so, I'm wondering
|> what you think about it, if it is a bug in BIND9, or a feature
|> addition...
|>
|> 1: <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212069>
|
| => it is a patch for the FreeBSD port system (1) but it includes
| a fix (2) for Fedora 23 so you are right to signal this to us.
|
| (1) IMHO it is not a good idea to provide native PKCS#11 support
| in the standard package because it is exclusive of OpenSSL.
| Note if SoftHSMv2 is fine it was not designed to be very secure
| (it was designed to help development of code supporting real HSMs,
| including the native PKCS#11 support in bind9). So to replace
| bind9+OpenSSL by bind9+PKCS#11+SoftHSMv2 doesn't make
| sense in production.

The native PKCS#11 support is provided as an option, and is not enabled by default, so it is not a problem, it is there so that people who need it can use it.

| (2) I'll download the Fedora 23 sources to see if the patch solves
| a real/known/already-fixed issue.

Thanks, please let me know :-)

| Note we merged a patch making the native PKCS#11 support more
| flexible into 9.10 and 9.11 last week so if you find something wrong
| please check against last versions.

I'll have a look.

-- 
Mathieu Arnold

I read the bind-9.10-dist-native-pkcs11.patch file from the Fedora 23 source package (bind-pkcs11-devel). It changes some path and file names in Makefiles in order to provide PKCS#11 alternatives to standard bind names, e.g., named and named-pkcs11. IMHO it is both a bad idea (*) and something specific to Fedora, perhaps inherited from the time the native PKCS#11 support was not available.

(*) it is a bad idea because you MUST NOT have two different cryptos at the same time. In bind distribs this is enforced by configure (patched out in Fedora) and in libraries (fedora has 2 ISC libs (isc and isc-pkcs11), 2 DNS libs (dns and dns-pkcs11)). IMHO it should be the same for the installation, i.e., if you want to have bind+OpenSSL and bind+PKCS#11 at the same time you should simply install them at different places (and put one and only one of these places in your path specifying environment variables).

In conclusion about the port bug report: it should not modify the standard bind and if you'd like to propose it with another name it should be made explicitly incompatible with the standard bind.
Subject: Re: [ISC-Bugs #43093] Possible bug with the native PKCS#11 interface
Date: Tue, 23 Aug 2016 16:26:04 +0200
To: bind9-bugs@isc.org
From: "Mathieu Arnold" <mat@FreeBSD.org>
Ok, so I was kinda leaning toward what you are telling me.

The OP says that stuff does not work, I'm going to see if there really is something that does not work and get back to you.

Thanks,
-- 
Mathieu Arnold

On Tue Aug 23 13:36:32 2016, mat@FreeBSD.org wrote:
> | (1) IMHO it is not a good idea to provide native PKCS#11 support
> | in the standard package...
>
> The native PKCS#11 support is provided as an option, and is not enabled by
> default, so it is not a problem, it is there so that people who need it can
> use it.

=> it will never work: PKCS#11 needs some parameters at configure time so is not a proper candidate for packaging. And the last improvements make this even worse (they introduce a dependency on the name of the PKCS#11 provider, i.e., the library from the HSM vendor which implements the PKCS#11 API).

> | (2) I'll download the Fedora 23 sources to see if the patch solves
> | a real/known/already-fixed issue.
>
> Thanks, please let me know :-)

=> see my previous answer.

> | Note we merged a patch making the native PKCS#11 support more
> | flexible into 9.10 and 9.11 last week so if you find something wrong
> | please check against last versions.
>
> I'll have a look.

=> read the new lib/isc/include/pk11/README.site to understand what the native PKCS#11 support implies...
Subject: Re: [ISC-Bugs #43093] Possible bug with the native PKCS#11 interface
Date: Tue, 23 Aug 2016 16:48:50 +0200
To: bind9-bugs@isc.org
From: "Mathieu Arnold" <mat@FreeBSD.org>
+--On 23 Aug 2016 14:31:45 +0000 Francis Dupont via RT <bind9-bugs@isc.org> wrote:
| On Tue Aug 23 13:36:32 2016, mat@FreeBSD.org wrote:
|> | (1) IMHO it is not a good idea to provide native PKCS#11 support
|> | in the standard package...
|>
|> The native PKCS#11 support is provided as an option, and is not enabled
|> by default, so it is not a problem, it is there so that people who need
|> it can use it.
|
| => it will never work: PKCS#11 needs some parameters at configure
| time so is not a proper candidate for packaging. And the last
| improvements make this even worse (they introduce a dependency
| on the name of the PKCS#11 provider, i.e., the library from the HSM
| vendor which implements the PKCS#11 API).

Well, no, it can take a:

  --with-pkcs11=PATH      Build with PKCS11 support yes|no|path
                          (PATH is for the PKCS11 provider)

Which will be the default, but it is not mandatory, all commands can take a "-E /where/engine" argument, which is the way the port goes. I tested it with softhsm way back when BIND9 9.10 came out, and it was working just right :-)

|> | (2) I'll download the Fedora 23 sources to see if the patch solves
|> | a real/known/already-fixed issue.
|>
|> Thanks, please let me know :-)
|
| => see my previous answer.
|
|> | Note we merged a patch making the native PKCS#11 support more
|> | flexible into 9.10 and 9.11 last week so if you find something wrong
|> | please check against last versions.
|>
|> I'll have a look.
|
| => read the new lib/isc/include/pk11/README.site to understand
| what the native PKCS#11 support implies...

-- 
Mathieu Arnold

Subject: Re: [ISC-Bugs #43093] Possible bug with the native PKCS#11 interface
Date: Tue, 23 Aug 2016 17:18:31 +0200
To: bind9-bugs@isc.org
From: "Mathieu Arnold" <mat@FreeBSD.org>
+--On 23 Aug 2016 14:26:48 +0000 Mathieu Arnold via RT <bind9-bugs@isc.org> wrote:
|
| Ok, so I was kinda leaning toward what you are telling me.
|
| The OP says that stuff does not work, I'm going to see if there really is
| something that does not work and get back to you.
|
| Thanks,

So, the OP says that if the BIND9 port is built with the native-pkcs11 option, it fails with:

root@freebsd:~ # dnssec-keyfromlabel -l 'pkcs11:object=sample_ksk;pin-source=/etc/token_pin' -a RSASHA256 -f KSK -v3 -E /usr/local/lib/softhsm/libsofthsm2.so example.com
dnssec-keyfromlabel: fatal: failed to get key example.com/RSASHA256: built with no crypto support

-- 
Mathieu Arnold

On Tue Aug 23 14:49:01 2016, mat@FreeBSD.org wrote:
> Well, no, it can take a:
>
> --with-pkcs11=PATH Build with PKCS11 support yes|no|path
> (PATH is for the PKCS11 provider)
>
> Which will be the default, but it is not mandatory, all commands can take a
> "-E /where/engine" argument, which is the way the port goes. I tested it
> with softhsm way back when BIND9 9.10 came out, and it was working just
> right :-)

=> PKCS#11 stuff comes in 2 parts: some PKCS#11 tools which use the --with-pkcs11, and the native PKCS#11 support which uses PKCS#11 (vs OpenSSL) for all crypto operations. The native PKCS#11 is enabled by --enable-native-pkcs11 and relies on the --with-pkcs11 to adjust the code to what the HSM supports (at configure time). BTW this is required because the only HSM which passes the system tests is SoftHSMv2 with the OpenSSL backend. All others fail more or less seriously (with the last patch they are still usable in production, before it was true only for SoftHSMv2 and the Thales nCipher...).
On Tue Aug 23 15:18:42 2016, mat@FreeBSD.org wrote:
> So, the OP says that if the BIND9 port is built with the native-pkcs11
> option, it fails with:
>
> root@freebsd:~ # dnssec-keyfromlabel -l
> 'pkcs11:object=sample_ksk;pin-source=/etc/token_pin' -a RSASHA256 -f KSK
> -v3 -E /usr/local/lib/softhsm/libsofthsm2.so example.com
> dnssec-keyfromlabel: fatal: failed to get key example.com/RSASHA256: built
> with no crypto support

=> can you check the configure log? There was a bug (was = fixed now) in configure which can mess the crypto selection and can give no crypto at all (i.e., not OpenSSL nor PKCS#11).
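A post-build gate a packager could run to catch the two outcomes the last two ISC replies describe (a binary built with no crypto at all, and OpenSSL plus native PKCS#11 active together). This is an example added here, not code from the ticket, from BIND or from the FreeBSD port; it assumes the `named -V` banner shape of 9.10 (configure arguments on the first line, a "compiled with OpenSSL version:" line for OpenSSL builds), and the sample banners are constructed.

```shell
#!/bin/sh
# Added example (not from the ticket, BIND or the FreeBSD port): read the
# banner printed by `named -V` on stdin and classify the crypto backend, so a
# build with no crypto (the dnssec-keyfromlabel failure in the ticket) or with
# OpenSSL and native PKCS#11 both active (the combination the ISC reply says
# must not happen) is rejected before the package ships.
# Assumptions: the banner's first line repeats the configure arguments and an
# OpenSSL build prints a "compiled with OpenSSL version:" line, as 9.10 does.

crypto_backend() {
  banner=$(cat)
  openssl=0; pkcs11=0
  case "$banner" in *--enable-native-pkcs11*) pkcs11=1 ;; esac
  case "$banner" in *"compiled with OpenSSL version:"*) openssl=1 ;; esac
  case "$openssl$pkcs11" in
    10) echo openssl ;;
    01) echo native-pkcs11 ;;
    11) echo conflict ;;
    *)  echo none ;;
  esac
}

# Packaging gate: succeed only when exactly one crypto backend is present.
check_build() {
  case "$(crypto_backend)" in
    openssl|native-pkcs11) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample banners (shape follows `named -V` of 9.10, values made up).
BANNER_OPENSSL="BIND 9.10.4-P2 <id:placeholder> built by make with '--prefix=/usr/local' '--with-openssl=/usr'
compiled by GCC 4.2.1
compiled with OpenSSL version: OpenSSL 1.0.2h  3 May 2016
linked to OpenSSL version: OpenSSL 1.0.2h  3 May 2016"
BANNER_PKCS11="BIND 9.10.4-P2 <id:placeholder> built by make with '--prefix=/usr/local' '--with-pkcs11=/usr/local/lib/softhsm/libsofthsm2.so' '--enable-native-pkcs11'
compiled by GCC 4.2.1"
BANNER_NONE="BIND 9.10.4-P2 <id:placeholder> built by make with '--prefix=/usr/local' '--without-openssl'
compiled by GCC 4.2.1"

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$BANNER_PKCS11" | crypto_backend
  printf '%s\n' "$BANNER_NONE" | check_build || echo "no crypto built: reject package"
fi
```

In a real port build the banner comes from `"$STAGEDIR/usr/local/sbin/named" -V | check_build` instead of the constructed strings.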