X-Scanned-BY: MIMEDefang 2.68 on 10.5.11.27 MIME-Version: 1.0 In-Reply-To: X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_HI, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RP_MATCHES_RCVD autolearn=ham autolearn_force=no version=3.4.0 References: <546678C0.6040008@redhat.com> Message-ID: <5473A65B.5040903@redhat.com> Content-Type: text/plain; charset=utf-8 Organization: Red Hat X-RT-Original-Encoding: utf-8 Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) by bugs.isc.org (Postfix) with ESMTP id 3667D2D20571 for ; Mon, 24 Nov 2014 21:42:58 +0000 (UTC) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx1.redhat.com", Issuer "DigiCert SHA2 Extended Validation Server CA" (not verified)) by mx.ams1.isc.org (Postfix) with ESMTPS id 99A261FCA9F for ; Mon, 24 Nov 2014 21:42:55 +0000 (UTC) Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id sAOLgrp8001155 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for ; Mon, 24 Nov 2014 16:42:53 -0500 Received: from pspacek.brq.redhat.com (vpn1-6-247.ams2.redhat.com [10.36.6.247]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id sAOLgpcR031819 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for ; Mon, 24 Nov 2014 16:42:52 -0500 Delivered-To: bind-suggest@bugs.isc.org Subject: Re: [ISC-Bugs #37814] PKCS#11 support for TSIG algorithms User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0 Return-Path: X-Original-To: bind-suggest@bugs.isc.org Date: Mon, 24 Nov 2014 22:42:51 +0100 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mx.ams1.isc.org To: bind-suggest@isc.org Content-Transfer-Encoding: 8bit From: Petr Spacek RT-Message-ID: Content-Length: 1904 Hello, and thank you for your answer! On 15.11.2014 00:20, Francis Dupont via RT wrote: > I am currently out of my office (~12000 km) and > I'll go back in some hours, so I apologise for > the likely delay for a detailed answer. > > BTW there is a new PKCS#11 standard (specs > still required a final vote, include files are not > yet available) but it won't change something as > HMAC has been covered since a long time. > > The native PKCS#11 supports *all* the standard > crypto functions needed by named, including hash > and HMAC. So there is nothing to change on this side. > > If I understand well you'd like to put secrets in the HSM. Yes, exactly. > Currently this is supported only for RSA and ECDSA > key pairs (look for a fromlabel methos in dst_funct > arrays. Note for OpenSSL only RSA keys are supported > (sound as ECC is not supported by the PKCS#11 > OpenSSL engine). I'm thinking more about direct/native PKCS#11 support. OpenSSL's PKCS#11 engine never worked for me and generally with standard Red Hat packages ... > Anyway it seems reasonable to extend fromlabel to > HMAC secrets as HMAC is already in the DST stuff. > Now I need the opinion of my colleagues if the result > will be to get a PKCS#11 specific feature. > > Note I don't yet fully understand your point about > rndc tsig-list. I am afraid the current only way to > configure TSIG keys (aka secrets) is to put them > in the named config file... Surely something which > requires ASAP improvements... You understand me perfectly. I was making the point that TSIG keys stored in key files (produced by dnssec-keygen) located in "keys-directory" are ignored by named and and are not usable in zone "update-policy". Maybe this could be a way how to separate keys from named config file and to allow dynamic key management at run-time (with an equivalent of rndc loadkeys for these TSIG keys). -- Petr^2 Spacek