native pkcs#11 and dynamic signing issues


native pkcs#11 and dynamic signing issues

arun
Running bind 9.10.3-7.P2, with softhsm-2.0.0rc1-3 on Fedora 23.


I was able to sign the zones with the dnssec-signzone-pkcs11 command line:

# dnssec-signzone-pkcs11 example.com
Verifying the zone using the following algorithms: RSASHA2.
Zone fully signed:
Algorithm: RSASHA2: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked


but with dynamic signing the logs were showing "dns_dnssec_findmatchingkeys: error reading key file Kexample.com.+008+01234.private: no engine"


Zone configuration:
zone "example.com" IN {
        type master;
        file "zones/example.com";
        auto-dnssec maintain;
        inline-signing yes;
};


# rndc sign example.com
received control channel command 'sign example.com'
zone example.com/IN (signed): reconfiguring zone keys
dns_dnssec_findmatchingkeys: error reading key file Kexample.com.+008+01234.private: no engine
dns_dnssec_findmatchingkeys: error reading key file Kexample.+008+05678.private: no engine
zone example.com/IN (signed): next key event: 21-Jan-2016 13:36:59.184

any idea?

Thanks,
Arun




_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: native pkcs#11 and dynamic signing issues

Tony Finch
Arun N S <[hidden email]> wrote:
>
> but with dynamic signing the logs were showing
>  "dns_dnssec_findmatchingkeys: error reading key file
> Kexample.com.+008+01234.private: no engine"
>
> any idea?

Wild guess (I know nothing about PKCS#11): are you running chrooted, and
if so is the relevant OpenSSL engine plugin in usr/lib/engines in the
chroot?

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Forth, Tyne, Dogger: South 4 or 5, backing southeast 6 or 7, perhaps gale 8
later. Moderate or rough, occasionally slight at first. Showers, then rain.
Good, occasionally moderate.

Re: native pkcs#11 and dynamic signing issues

arun
Thanks for the response.

My understanding is that when you use native PKCS#11 it is not dependent on the OpenSSL engine. But yes, BIND is chrooted. I tried to run it without chroot and still got the same issue. The private key reference file created by dnssec-keyfromlabel has the Engine defined as "Engine: cGtjczExAA=="

--
arun



Re: native pkcs#11 and dynamic signing issues

arun
The issue is fixed.

I was using the default named daemon, which is not aware of the native PKCS#11 support compiled in. I started named-pkcs11, fixed a couple of permission issues, and it worked.

# rndc sign example.com
received control channel command 'sign example.com'
zone sa/IN (signed): reconfiguring zone keys
# zone example.com/IN (signed): next key event: 24-Jan-2016 12:29:40.234
zone example.com/IN (signed): sending notifies (serial 2016012006)

--
arun



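As an added example (not from the thread, and not ISC code), the script below does the triage Arun ended up doing by hand: it decodes the "Engine:" tag of a K*.private key-reference file to tell a native PKCS#11 reference apart from a software key, works out whether the plain named or the named-pkcs11 build is required, and pulls the affected key file names out of the "no engine" log lines. The sample key file is constructed here; its Engine value is the one quoted in the thread, and the assumption that dnssec-keyfromlabel stores base64-encoded "Engine:" and "Label:" tags (with a trailing NUL in the engine name) is mine. The log lines are the ones from the thread.

```python
"""Triage helper for BIND native PKCS#11 key references (added example)."""
import base64
import re
import shutil

# Constructed sample of a key-reference file. "cGtjczExAA==" is the Engine
# value from the thread; the Label is built here from a made-up PKCS#11 URI.
_SAMPLE_LABEL = base64.b64encode(
    b"pkcs11:token=example;object=example.com-ksk").decode("ascii")
PKCS11_KEY_FILE = (
    "Private-key-format: v1.3\n"
    "Algorithm: 8 (RSASHA256)\n"
    "Engine: cGtjczExAA==\n"
    f"Label: {_SAMPLE_LABEL}\n"
)

# Constructed sample of an ordinary software key (material shortened).
SOFTWARE_KEY_FILE = (
    "Private-key-format: v1.3\n"
    "Algorithm: 8 (RSASHA256)\n"
    "Modulus: AAAA\n"
    "PublicExponent: AQAB\n"
)

# Log lines as quoted in the thread.
SAMPLE_LOG = [
    "received control channel command 'sign example.com'",
    "zone example.com/IN (signed): reconfiguring zone keys",
    "dns_dnssec_findmatchingkeys: error reading key file "
    "Kexample.com.+008+01234.private: no engine",
    "dns_dnssec_findmatchingkeys: error reading key file "
    "Kexample.+008+05678.private: no engine",
]

NO_ENGINE_RE = re.compile(r"error reading key file (\S+): no engine")


def parse_private_key(text):
    """Map each 'Tag: value' line of a .private file to {tag: value}."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            tag, value = line.split(":", 1)
            fields[tag.strip()] = value.strip()
    return fields


def decode_b64_field(value):
    """Decode a base64 tag value and drop the trailing NUL (assumed layout)."""
    return base64.b64decode(value).rstrip(b"\x00").decode("ascii")


def key_backend(fields):
    """'pkcs11' when the file only references a token object, else 'software'."""
    engine = fields.get("Engine")
    if engine is not None and decode_b64_field(engine) == "pkcs11":
        return "pkcs11"
    return "software"


def required_daemon(fields):
    """Which BIND binary can load this key: named-pkcs11 or plain named."""
    return "named-pkcs11" if key_backend(fields) == "pkcs11" else "named"


def no_engine_failures(log_lines):
    """Key files the running daemon refused because it has no engine support."""
    failed = []
    for line in log_lines:
        match = NO_ENGINE_RE.search(line)
        if match:
            failed.append(match.group(1))
    return failed


def diagnose(key_text, log_lines):
    """One-line verdict combining the key-file tag and the log symptom."""
    fields = parse_private_key(key_text)
    daemon = required_daemon(fields)
    failed = no_engine_failures(log_lines)
    if failed and daemon == "named-pkcs11":
        return f"{len(failed)} key file(s) are PKCS#11 references; run {daemon}"
    if failed:
        return f"{len(failed)} key file(s) failed but are software keys; check permissions"
    return f"no engine errors; {daemon} is sufficient"


if __name__ == "__main__":
    fields = parse_private_key(PKCS11_KEY_FILE)
    print("label:", decode_b64_field(fields["Label"]))
    print(diagnose(PKCS11_KEY_FILE, SAMPLE_LOG))
    # Is the PKCS#11-aware build installed on this host at all?
    print("named-pkcs11 on PATH:", shutil.which("named-pkcs11") is not None)
```

Run it against a real K*.private file and the named log after `rndc sign` to confirm which binary the key material actually requires before touching permissions; a "no engine" failure on a file whose Engine tag decodes to pkcs11 points at the daemon build, not at the chroot.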


