Re: PKCS#11 vs OpenSSL (BIND Future Development Question)

2018-06-04 Thread Mathieu Arnold
On Sun, Jun 03, 2018 at 06:00:08AM +, Ondřej Surý wrote:
> The PKCS#11 interface is very fragile, as the different vendors implement
> different parts of the standard, and BIND needs to be compiled with a
> specific PKCS#11 provider defined at compile time.  This is certainly
> suboptimal, and we are looking at ways to improve that.

My understanding was that you had to choose at compile time whether you
needed PKCS#11 or OpenSSL, and that, even if you could link with a
specific provider during the build, you could opt out and start named
with -E /path/to/engine.so. At least, that is the way it is done in the
FreeBSD ports tree.

-- 
Mathieu Arnold


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


problem with latest BIND9 9.11 from git

2016-04-29 Thread Mathieu Arnold
Hi,

(I'm not sure this is the right list for this, but I'm not sure where to
send it, or if it should go to the bug tracker, or if I should just shut up
because it's the bleeding edge and I'm going to cut myself.)

Today, I updated the FreeBSD ports, so 9.9.9 and 9.10.4 went without a
hitch, but the bind9-devel port less so.  I updated to the current head,
which is a27dc50; this is after dnssec-keymgr was added.

If I try to build with python, I first get this error:

making all in
/wrkdirs/usr/ports/dns/bind9-devel/work/bind9-a27dc50/bin/python/isc/tests
/usr/local/bin/python2.7 policy.py parse /dev/null > /dev/null
Generating LALR tables
/usr/local/bin/python2.7 -m parsetab
/usr/local/bin/python2.7 policy.py parse /dev/null > /dev/null
/usr/local/bin/python2.7 -m parsetab
make[5]: don't know how to make __init__.pyc. Stop


This is because the Makefile uses a GNUism, which is:
%.pyc: %.py
	$(PYTHON) -m compileall .

So, I resisted the urge to add a dependency on GNU make and I patched this
to:

.SUFFIXES: .py .pyc
.py.pyc:
	$(PYTHON) -m compileall .

Which got me going a bit further, and then, it died on:
install  -m 0644 ./dnssec-keymgr.8
/wrkdirs/usr/ports/dns/bind9-devel/work/stage/usr/local/man/man8
install: ./dnssec-keymgr.8: No such file or directory

It seems that man page was not generated and committed.  I could add all
the docbook suite as a dependency but it seems overkill... :-/

So, to fix the build, I'm going to comment out the missing man page.

Also, right now, it installs all the .py{,c} files in ${libdir}, which is
/usr/local/lib, and I don't think that is a good thing.

-- 
Mathieu Arnold


Re: compile and install from source

2015-03-31 Thread Mathieu Arnold
+--On 30 March 2015 17:13:15 -0700 Kevin Oberman rkober...@gmail.com wrote:
| Note that chroot has just been re-enabled in the FreeBSD BIND ports. It's
| not default,  so you must select the CHROOT option. This was just
| announced last week, and I am not sure the change has actually been
| committed.

There is no CHROOT option; there is a named_chrootdir rc variable to
set up.  And it has been committed.  Trust me.

-- 
Mathieu Arnold


Re: compile and install from source

2015-03-31 Thread Mathieu Arnold
+--On 30 March 2015 19:32:09 -0600 @lbutlr krem...@kreme.com wrote:
| # /usr/local/sbin/named -u bind -c /etc/namedb/named.conf \
|  -t /var/named
| 
| Yes, that works without reporting any errors, so the issue appears to be
| with /usr/local/etc/rc.d/named startup script.

Well, your first post says you're using 8.4, so there should be no such
script, it should be in /etc/rc.d.

| syslogd_flags=-l /var/named/var/run/log
| 
| to /etc/rc.conf and restarting syslogd may get you some better logging
| information.
| 
| Don’t see anything logged on either the startup or the failed startup.
| 
| However, if I try to check rndc…
| 
| # /usr/local/sbin/rndc status
| rndc: neither /etc/rndc.conf nor /etc/rndc.key was found

That's because you built named manually and not from ports, so it doesn't
know where it should find its bits.

| Now, it is true that there is no rndc.conf, but that is true of all
| three name servers. There is a rndc.key in /var/named/etc/namedb/rndc.conf
| 
| I’m not sure why it is looking in (I assume /var/named/etc instead of)
| /var/named/etc/namedb.

Because you built it manually so it did not get all the right configure
options the port has.

| is named_chrootdir=/var/named not correct?

It is.

-- 
Mathieu Arnold

Re: compile and install from source

2015-03-30 Thread Mathieu Arnold
+--On 29 March 2015 17:35:09 -0600 @lbutlr, krem...@kreme.com wrote:
| Downloaded and compiled bind-9.9.7 (FreeBSD 8.4-RELEASE) and it built
| fine (./configure && make && make install).

What does the port version not do that you need?

| If I try to start named (service named start), it starts this version
| instead of the version in /usr/local/sbin
|
| So I changed the path (in /etc/rc.conf) to /usr/local/sbin/named

If you had installed the port, it would have told you that:

*   You will need to make sure that you have the following line  *
*   in your /etc/rc.conf in order to have the startup script     *
*   run the named version from the port:                         *
*                                                                *
*   named_program=/usr/local/sbin/named                          *

| But now I get:
| 
| $ /etc/rc.d/named start
| Starting named.
| /etc/rc.d/named: WARNING: failed to start named
| 
| But nothing is logged in /var/log/messages
| 
| For now, I am pointing back to the old 9.8.4 version.

Have you tried running it manually to see what it says?

-- 
Mathieu Arnold


Re: compile and install from source

2015-03-30 Thread Mathieu Arnold
+--On 30 March 2015 16:46:36 +0200 Daniel Ryslink
daniel.rysl...@dialtelecom.cz wrote:
| In 8.4., the default chroot for BIND is /var/named, you might want to use
| that. Please note that in FreeBSD 10, BIND is removed from the system and
| replaced with Unbound as the default resolver, and the chroot in
| /var/named is gone, you have to make it manually.

That's not true, it's just not enabled by default, because it is a mess to
get *right* when migrating from {8,9} to 10.

| If you run Bind in chroot, you should have this in rc.conf:
| 
| named_enable=YES
| named_flags=-t /var/named

Nope, you should use:
named_chrootdir=/var/named

| syslogd_flags=-s -l /var/named/dev/log

And I think that should be written as:

altlog_proglist=named

| Use the rc script /usr/local/etc/rc.d/named to start and stop the BIND
| process.



-- 
Mathieu Arnold
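The rc.conf settings recommended in this message (named_chrootdir and altlog_proglist in place of named_flags="-t ..." and a hand-built syslogd_flags socket) and the named_program line from the pkg-message quoted earlier in the thread, as an added example that is not code from the thread or from the FreeBSD ports: a POSIX sh script that audits an rc.conf fragment for the older style and reports the variables to use instead. The two fragments it checks are constructed, and the variable semantics are assumed to be those the thread describes.

```shell
#!/bin/sh
# Added example: audit an rc.conf fragment for the named chroot settings above.

# Constructed fragment in the older style quoted in the thread.
OLD_RCCONF='named_enable="YES"
named_flags="-t /var/named"
syslogd_flags="-s -l /var/named/dev/log"'

# Constructed fragment using the variables the thread recommends.
FIXED_RCCONF='named_enable="YES"
named_program="/usr/local/sbin/named"
named_chrootdir="/var/named"
altlog_proglist="named"'

# rc_get VAR FRAGMENT: print VAR's last value from the fragment, quotes stripped.
rc_get() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=//p" | tail -n 1 | tr -d '"'
}

# audit_named_rcconf FRAGMENT: print one finding per line and leave the number
# of findings in AUDIT_COUNT; always returns 0 so it is safe under set -e.
audit_named_rcconf() {
    conf=$1
    AUDIT_COUNT=0
    flags=$(rc_get named_flags "$conf")
    chrootdir=$(rc_get named_chrootdir "$conf")
    # Chroot requested by hand through -t: the rc script expects named_chrootdir.
    case " $flags " in
        *" -t "*)
            tdir=${flags##*-t }; tdir=${tdir%% *}
            echo "named_flags uses -t; set named_chrootdir=$tdir instead"
            AUDIT_COUNT=$((AUDIT_COUNT + 1))
            chrootdir=${chrootdir:-$tdir} ;;
    esac
    # A log socket opened inside the chroot by hand: rc.d/syslogd does that
    # itself for every program listed in altlog_proglist.
    if [ -n "$chrootdir" ] && [ -z "$(rc_get altlog_proglist "$conf")" ]; then
        case "$(rc_get syslogd_flags "$conf")" in
            *"-l $chrootdir/"*)
                echo "syslogd_flags opens a socket under $chrootdir; set altlog_proglist=named instead"
                AUDIT_COUNT=$((AUDIT_COUNT + 1)) ;;
        esac
    fi
    # Without named_program the rc script starts its default named, not the port's.
    [ -n "$(rc_get named_program "$conf")" ] || {
        echo "named_program unset; set named_program=/usr/local/sbin/named to run the port's named"
        AUDIT_COUNT=$((AUDIT_COUNT + 1)); }
    return 0
}
```

Running `audit_named_rcconf "$OLD_RCCONF"` prints three findings, while the fixed fragment produces none.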


Re: compile and install from source

2015-03-30 Thread Mathieu Arnold


+--On 30 March 2015 19:12:30 +0200 Daniel Ryslink
daniel.rysl...@dialtelecom.cz wrote:
|   That's not true, it's just not enabled by default, because it is a
|   mess to get *right* when migrating from {8,9} to 10.
| 
| On the contrary, see the FreeBSD 10 release notes:
| 
| https://www.freebsd.org/releases/10.0R/announce.html
| 
| Quote:
| 
| - Unbound has been imported to the base system as the local caching DNS
| resolver.
| 
| - BIND has been removed from the base system.
| 
| As for my rc.conf directives, they may be obsolete, but they still work.

Ah, sorry, my "not true" was regarding the chroot thing.

-- 
Mathieu Arnold


Re: BIND 9.10.1rc2 won't build on FreeBSD 10-STABLE

2014-09-12 Thread Mathieu Arnold
+--On 12 September 2014 09:11:08 +1000 John Marshall
john.marsh...@riverwillow.com.au wrote:
| I can't build BIND 9.10.1rc2 on recent FreeBSD 10-STABLE.
| I have tried on both i386 and amd64 variants of the operating system.
| BIND 9.10.1rc1 builds fine, as did the beta releases.
| 
| Failure looks like this:
| 
|   making all in /build/bind/bind-9.10.1rc2/bin/python
|   make[3]: don't know how to make dnssec-checkds. Stop
| 
|   make[3]: stopped in /build/bind/bind-9.10.1rc2/bin/python
|   *** Error code 1
| 
|   Stop.
|   make[2]: stopped in /build/bind/bind-9.10.1rc2/bin
|   *** Error code 1
| 
|   Stop.
|   make[1]: stopped in /build/bind/bind-9.10.1rc2
|   *** Error code 1
| 
| Tested on:
| 
|   FreeBSD 10.1-PRERELEASE #0 r271181: Sat Sep  6 14:12:21 AEST 2014 i386
|   FreeBSD 10.1-PRERELEASE #0 r271289: Tue Sep  9 15:20:15 AEST 2014 amd64
| 
|   Note: BIND 9.10.1rc1 builds happily on the above.
|   Note: BIND 9.10.1rc2 builds happily on FreeBSD 9.3-RELEASE amd64
| 
| Perhaps rc2 introduced something that upsets bmake (the make(1) used in
| FreeBSD 10)?

Yes, you can't use bmake if you try to build the python bits; I had to
force gmake in the port:

https://svnweb.freebsd.org/ports/head/dns/bind910/Makefile?annotate=367505#l119

-- 
Mathieu Arnold


Re: BIND 9.10.1rc2 won't build on FreeBSD 10-STABLE

2014-09-12 Thread Mathieu Arnold


+--On 12 September 2014 08:58:18 -0500 Jeremy C. Reed jr...@isc.org
wrote:
| On Fri, 12 Sep 2014, Mathieu Arnold wrote:
| 
| Yes, you can't use bmake if you try to build the python bits, I had to
| force gmake in the port:
| 
| It looks to be a bug in the NetBSD bmake used by FreeBSD. I cannot find 
| a bug report for it in FreeBSD. I opened one for NetBSD:
| http://gnats.netbsd.org/49198x

Well, to me, it looked like some syntax extension from gmake, so I did not
bother looking at it more closely.

-- 
Mathieu Arnold


Re: BIND 9.10.0b1 is now available

2014-03-17 Thread Mathieu Arnold
+--On 17 March 2014 18:56:25 +0200 Mark Elkins m...@posix.co.za wrote:
| On Wed, 2014-02-26 at 00:55 +, Michael McNally wrote:
|A new compile-time option, configure --enable-native-pkcs11,
|allows the BIND 9 cryptography functions to use the PKCS#11 API
|natively, so that BIND can drive a cryptographic hardware service
|module (HSM) directly instead of using a modified OpenSSL as an
|intermediary.  This has been tested with the Thales nShield HSM
|and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031] 
| 
| 
| Has anyone tried this yet? - either using SoftHSM or a Thales HSM?
| 
| I have access to a totally unconfigured Thales netShield Connect 500.
| 
| Without reading *all* the manuals - anyone have a HowTo setup to make
| one of these beasties talk PKCS#11...  a Goto page XX is acceptable..

For the FreeBSD port for 9.10 that I'm currently writing (as the beta comes
out) it seems you can only build it either with openssl or with
native-pkcs11, which is a bit strange.

As for trying it, no, making it compile is already somewhat of a challenge...

-- 
Mathieu Arnold


Re: BIND 9.10.0b1 is now available

2014-03-17 Thread Mathieu Arnold
+--On 17 March 2014 17:51:33 + Evan Hunt e...@isc.org wrote:
| This new code uses pkcs11 for all crypto, instead of using openssl as a
| shim.  So yes, you can build with either native pkcs11 or openssl, but
| not both.

Hum, so, it will also use pkcs11 for dnssec validation too? (Sorry if this
seems a silly question.)

Also, from your example, it seems the pkcs11 library is a build-time thing;
could it be a runtime configuration so that we can provide an agnostic
package and then you just need to point BIND to the right .so in its
configuration?

And does OpenSSL provide a pkcs11 interface? (To know if I could switch
the default BIND package from using openssl to using openssl through pkcs11.)

Regards,

-- 
Mathieu Arnold


Re: BIND 9.10.0b1 is now available

2014-03-17 Thread Mathieu Arnold
+--On 17 March 2014 12:36:32 -0700 Doug Barton do...@dougbarton.us wrote:
| On 03/17/2014 12:29 PM, Mathieu Arnold wrote:
| Hum, so, it will also use pkcs11 for dnssec validation too? (Sorry if
| this seems a silly question.)
| 
| HSMs are typically an auth-only tool, although I suppose that in a
| super-high-security environment that they could be justified for
| validation ... it would be interesting to see a requirements doc on what
| the HSM would need to provide to do that.

Yes, it was my understanding of how HSM worked. That's why I was trying to
build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
side, and PKCS11 interface for zone signing on the other.

-- 
Mathieu Arnold


Re: BIND 9.10.0b1 is now available

2014-03-17 Thread Mathieu Arnold
+--On 17 March 2014 14:43:36 -0700 Doug Barton do...@dougbarton.us wrote:
| On 03/17/2014 01:06 PM, Evan Hunt wrote:
| On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
| Yes, it was my understanding of how HSM worked. That's why I was trying
| to build with OpenSSL *and* native PKCS11, to get the DNSSEC validation
| on one side, and PKCS11 interface for zone signing on the other.
| 
| I'd advise doing that with two separate BIND instances -- sign using
| pkcs11 (possibly on a hidden master) and keep that separate from your
| recursion/validation.
| 
| Evan, I think that Mathieu understands that from a proper DNS
| functionality perspective. What he's struggling with is that the way
| FreeBSD ports are set up they don't really have a flag for "This
| configuration of options will give you an authoritative-only server that
| you cannot use for general purpose recursion/validation" within a
| specific set of options for the general purpose port.
| 
| Mathieu, if I may, what I would do in this situation is create a slave
| port for the HSM compile options, and put some sort of warning
| (pre-compile, pkg-message, or both) that clearly indicates to the user
| that this configuration is limited to auth-only. That's the least painful
| way I can think of to deal with it off hand. You may come up with a more
| creative solution.

Well, I'm going to put a radio button for people to use the native PKCS11
or OpenSSL, and maybe create a slave port enabling the PKCS11 by default.
And add warnings telling people that this BIND can't be used as a
validating resolver. (It's not auth only; I assume it can still resolve,
but not validate.)

On the other hand, if the HSM selection has to be done at compile time,
like Evan suggests, and not at runtime through a named.conf directive, it's
a bit pointless, the only HSM we have in the ports collection being
SoftHSM.

Regards,

-- 
Mathieu Arnold