December 3, 2007

DNSSEC Enthusiasts-

Here is my second version of modifications to BIND for native PKCS11 HSM support (first released June 14 2007 on dnssec-deployment@shinkuro.com).  The vast majority of changes to BIND are restricted to one file (lib/dns/opensslrsa_link.c).  Included are a number of HSM utilities that should also work with any HSM with PKCS11 support such as private key backup using C_Wrap/C_Unwrap.  The archive is in fact a snapshot of what IANA is using in its demo DNSSEC system.   I hope it is helpful. Feel free to use it or pieces of the code as you please.  Contact me if you have any questions and I will try to help.

I. How to build and test PKCS11 HSM tools:

1. If you have not done so already, install and configure the PKCS11 library for your HSM.

If this is the first time you are using this HSM, this typically includes:
a. copy the pkcs11 library into a directory
b. enable the HSM
c. initialize the HSM

Otherwise:
a. just enable the HSM

2. Set environment variables:
Edit "hsmconfig" to set PKCS11_LIBRARY_PATH to where you put the HSM pkcs11 shared library and edit any other variables needed by your particular HSM.  Then run:
  . hsmconfig
to set the environment variables.  My HSM tools and BIND mods will use PKCS11_LIBRARY_PATH to determine what library to load.

3. Compile the tools:
  wget http://www.xtcn.com/~lamb/pkcs11HSMtools.tar.gz
  tar zxf pkcs11HSMtools.tar.gz
  ./keygenbuild

4. Test
  ./pkcs11-backup -l
(after asking for the HSM PIN, this should list the keys in the HSM)

or

  ./pkcs11-random 10 randombytes
(to use the HSM to put 10 random bytes into a file called "randombytes")


II. To build pkcs11 modified BIND:

1. Build
   wget http://ftp.isc.org/isc/bind9/9.4.1-P1/bind-9.4.1-P1.tar.gz
   tar zxf bind-9.4.1-P1.tar.gz
   mv bind-9.4.1-P1 bind-9.4.1-P1.pkcs11
   wget http://www.xtcn.com/~lamb/bind-9.4.1-P1.pkcs11.diff
   patch -p0 < bind-9.4.1-P1.pkcs11.diff
   cd bind-9.4.1-P1.pkcs11
   ./configure
   make


2. To test:
$ bin/dnssec/dnssec-keygen -P 123456 -a RSASHA1 -b 1024 -n ZONE ip6.arpa
Kip6.arpa.+005+24727

this will generate two (2) files:
  Kip6.arpa.+005+24727.key
  Kip6.arpa.+005+24727.private
(of course the tag id, 24727, will be different for each new key generation)

the contents of Kip6.arpa.+005+24727.key : (the usual dnssec-keygen output)
ip6.arpa. IN DNSKEY 256 3 5 AwEAAeUUHWIG+nkRRKH6mXtrtll7CgIkqDrKCs8WN9By2OZMH5h6J3jn Q8PEKPhkb8TZOi6z2jYMNzXckzEzKPBFYytg03lBRvW1AmzmkZf3nas8 xpUU7cB1hv4xi5Ry9rnV7PZwpPtmujToOCHb3hUhXmby4DQx77byRHVV V9O/stRL

and the contents of Kip6.arpa.+005+24727.private:
Private-key-format: xxx
slot:0
pin:
id:46
label:K24727

this is different from the normal BIND behaviour: the file contains only the key label within the HSM and other location information, no key material. dnssec-signzone uses this information to instruct the HSM to sign records, so the private key is never available in unencrypted form.

To continue with testing dnssec-signzone:
$ cp ip6.arpa.zone zonefile
$ cat Kip6.arpa.+005+24727.key >> zonefile
$ bin/dnssec/dnssec-signzone -P 123456 -o ip6.arpa zonefile Kip6.arpa.+005+24727
dnssec-signzone: warning: zonefile:435: using RFC1035 TTL semantics
zonefile.signed

"zonefile.signed" is the ZSK signed zonefile.

That's it.
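As an added example (not code from this post or from the BIND patch), here is a small POSIX shell audit of the files dnssec-keygen leaves behind. It tells a patched, HSM-backed K*.private locator (the slot/pin/id/label layout shown above) apart from a stock BIND K*.private that carries the key material itself, reports whether the locator file has a PIN stored on its pin: line, and reads the DNSKEY flags (256 for a ZSK, 257 for a KSK) from the matching .key file. The locator field names are taken from the post; "PrivateExponent" is the field name stock BIND uses for the on-disk key; the sample files it builds in a temp directory are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or the BIND PKCS11 patch.
# Audits the K*.private / K*.key files written by dnssec-keygen.
# With the PKCS11 patch a K*.private file holds only an HSM locator
# (slot/pin/id/label); a stock BIND K*.private holds the RSA key itself
# (it contains a "PrivateExponent:" line). Sample files are constructed.

# classify_private_keyfile FILE -> prints hsm | ondisk | unknown
classify_private_keyfile() {
    if [ ! -r "$1" ]; then
        echo unknown
        return 1
    fi
    if grep -q '^PrivateExponent:' "$1"; then
        echo ondisk
    elif grep -q '^slot:' "$1" && grep -q '^label:' "$1"; then
        echo hsm
    else
        echo unknown
    fi
}

# pin_state FILE -> prints stored (pin: line carries a value) | prompt (empty)
pin_state() {
    if grep -q '^pin:[[:space:]]*[^[:space:]]' "$1"; then
        echo stored
    else
        echo prompt
    fi
}

# hsm_label FILE -> prints the label: value of an HSM locator file
hsm_label() {
    sed -n 's/^label:[[:space:]]*//p' "$1"
}

# dnskey_flags FILE -> prints the flags field of the DNSKEY in a K*.key file
#   (256 = ZSK, 257 = KSK); tolerates an optional TTL before the class
dnskey_flags() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "DNSKEY") { print $(i+1); exit } }' "$1"
}

# audit_keydir DIR -> one summary line per K*.private file in DIR
audit_keydir() {
    for priv in "$1"/K*.private; do
        [ -e "$priv" ] || continue
        base=${priv%.private}
        name=$(basename "$base")
        kind=$(classify_private_keyfile "$priv")
        if [ -r "$base.key" ]; then
            flags=$(dnskey_flags "$base.key")
        else
            flags='?'
        fi
        if [ "$kind" = hsm ]; then
            printf '%s %s label=%s pin=%s flags=%s\n' "$name" "$kind" \
                "$(hsm_label "$priv")" "$(pin_state "$priv")" "$flags"
        else
            printf '%s %s flags=%s\n' "$name" "$kind" "$flags"
        fi
    done
}

# make_sample_dir -> creates a temp dir of constructed sample files, prints its path
make_sample_dir() {
    d=$(mktemp -d)
    # HSM-backed ZSK as the patched dnssec-keygen writes it (values constructed)
    printf 'ip6.arpa. IN DNSKEY 256 3 5 AwEAAeUUHWIG\n' > "$d/Kip6.arpa.+005+24727.key"
    printf 'Private-key-format: xxx\nslot:0\npin:\nid:46\nlabel:K24727\n' > "$d/Kip6.arpa.+005+24727.private"
    # HSM-backed KSK whose locator file also stores the PIN (constructed)
    printf 'ip6.arpa. 3600 IN DNSKEY 257 3 5 AwEAAeUUHWIG\n' > "$d/Kip6.arpa.+005+11111.key"
    printf 'Private-key-format: xxx\nslot:0\npin:123456\nid:47\nlabel:K11111\n' > "$d/Kip6.arpa.+005+11111.private"
    # stock (unpatched) BIND private key file with the exponent on disk (constructed, not a real key)
    printf 'Private-key-format: v1.2\nAlgorithm: 5 (RSASHA1)\nModulus: AAAA\nPublicExponent: AQAB\nPrivateExponent: BBBB\n' > "$d/Kexample.+005+22222.private"
    echo "$d"
}

case "${1:-}" in
    --demo)                      # audit the constructed samples, then clean up
        dir=$(make_sample_dir)
        audit_keydir "$dir"
        rm -rf "$dir" ;;
    "") ;;                       # sourced or run without arguments: only define functions
    *)  audit_keydir "$1" ;;     # audit a real directory of dnssec-keygen output
esac
```

Save it as, say, audit-keyfiles.sh and run "sh audit-keyfiles.sh --demo" to see the three sample outcomes, or give it a directory of real key files. A pin=stored line means the locator file on its own is enough to make the HSM sign, so it deserves the same file permissions a key file would get; pin=prompt matches the behaviour in section III, where the tools ask for the PIN unless -P is given.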

III. dnssec-keygen and dnssec-signzone behaviour modifications:

1. Addition of "-P PIN" for unattended key generation and signing operation using an HSM. Without it, the programs will ask for a PIN. Small mod to bin/dnssec/dnssec-keygen.c and bin/dnssec/dnssec-signzone.c to accommodate the -P option.

2. The PKCS11 HSM will only be used if the environment variable PKCS11_LIBRARY_PATH is defined as it is in "hsmconfig".  Otherwise, dnssec-keygen and dnssec-signzone should behave normally.

