Signing an RRSET
Hi,

We need to sign an RRSET individually, out of the zone file. The utilities dnssec-signzone and similar ones from other packages check the zone before signing (SOA RR, DNSKEY RR, etc.). Before writing a piece of program to do this, we wanted to know if there is any tool to sign just an RRSET?

Thanks in advance

--
Sergio R.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
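As an added example (not from this thread and not BIND's own code), the following Python builds the exact byte string an RRSIG signature covers for one RRset, following the canonical form of RFC 4034 sections 3.1.8.1 and 6. This is the part of "sign one RRset outside the zone file" that a standalone tool has to reproduce byte for byte, since the signature itself is then just the zone key applied to these bytes. The RRset, the algorithm number, the key tag and the timestamps are constructed values, the function names are this example's own, only the standard library is used, and no signature is produced.

```python
"""Build the byte string an RRSIG covers for a single RRset (RFC 4034).

Added example, not from the bind-users thread. The RRset and the RRSIG
fields below are constructed; only the standard library is used.
"""
import struct
from typing import List, Tuple


def canonical_name(name: str) -> bytes:
    """Wire-format, lowercase, fully-qualified name (RFC 4034 section 6.2)."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def a_rdata(addr: str) -> bytes:
    """Wire RDATA for an A record: four octets."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return bytes(parts)


def ns_rdata(target: str) -> bytes:
    """Wire RDATA for NS: a name, lowercased for canonical form (RFC 4034 section 6.2)."""
    return canonical_name(target)


def label_count(name: str) -> int:
    """RRSIG Labels field: label count, a leading '*' not counted (RFC 4034 section 3.1.3)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return len([l for l in labels if l != "*"])


def rrsig_rdata_prefix(type_covered: int, algorithm: int, labels: int,
                       original_ttl: int, expiration: int, inception: int,
                       key_tag: int, signer: str) -> bytes:
    """RRSIG RDATA with the Signature field omitted (RFC 4034 section 3.1.8.1)."""
    return struct.pack("!HBBIIIH", type_covered, algorithm, labels,
                       original_ttl, expiration, inception, key_tag) + canonical_name(signer)


def signed_data(owner: str, rtype: int, rclass: int, original_ttl: int,
                rdatas: List[bytes], rrsig_prefix: bytes) -> bytes:
    """RRSIG_RDATA | RR(1) | RR(2) | ... with RRs in canonical order (RFC 4034 section 3.1.8.1).

    Canonical ordering sorts RDATA as left-justified unsigned octet strings,
    shorter prefix first, which is exactly how Python compares bytes.
    Duplicate RRs are dropped. Every RR carries the Original TTL, not the TTL
    of whatever copy happened to be at hand.
    """
    rrs = []
    for rdata in sorted(set(rdatas)):
        rrs.append(canonical_name(owner)
                   + struct.pack("!HHIH", rtype, rclass, original_ttl, len(rdata))
                   + rdata)
    return rrsig_prefix + b"".join(rrs)


def demo() -> Tuple[bytes, bytes]:
    """Constructed A RRset with a mixed-case owner and unsorted RDATA."""
    owner = "WWW.Example.xx."
    rdatas = [a_rdata("11.22.33.55"), a_rdata("11.22.33.44")]
    prefix = rrsig_rdata_prefix(type_covered=1, algorithm=8, labels=label_count(owner),
                                original_ttl=3600, expiration=1400000000,
                                inception=1398700000, key_tag=12345, signer="example.xx.")
    return prefix, signed_data(owner, 1, 1, 3600, rdatas, prefix)


if __name__ == "__main__":
    prefix, data = demo()
    print(f"RRSIG prefix: {prefix.hex()}")
    print(f"bytes to sign ({len(data)} octets): {data.hex()}")
```

A validator recomputes these same bytes from the RRset it receives and the RRSIG it is handed, so any deviation on the signer's side (an owner name left in mixed case, RRs in the order they appear in the zone file instead of canonical order, the TTL of a cached copy instead of the Original TTL) produces a signature that fails to verify even though the key is correct.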
Re: Using a HSM card to sign zone
Yes,

./configure --enable-threads --with-openssl=/usr/local/ssl --with-pkcs11=/usr/lunapci/lib/libCryptoki2.so

In the /usr/local/ssl directory is the patched (vendor + bind) openssl. A detail: the openssl version is 1.0.0e and the bind patch is for 1.0.0f.

--
Sergio R.

----- Original Message -----
From: Billy Glynn billy.gl...@iedr.ie
To: bind-users@lists.isc.org
Sent: Monday, 17 February 2014 9:32:44
Subject: Re: Using a HSM card to sign zone

Did you configure bind with the patched version of openssl?

On 14 Feb 2014, at 19:43, Sergio Ramirez srami...@seciu.edu.uy wrote:

> Hi,
>
> We want to sign zones with bind using an HSM Luna PCI Safenet card. The command 'dnssec-keyfromlabel' fails:
>
> # /usr/local/sbin/dnssec-keyfromlabel -v 9 -E LunaCA3 -a RSASHA1 -l KSK1-testdnssec -f KSK testdnssec.
> dnssec-keyfromlabel: warning: ENGINE_load_private_key failed
> dnssec-keyfromlabel: info: error:2609707D:engine routines:ENGINE_load_public_key:no load function:eng_pkey.c:155:
> dnssec-keyfromlabel: info: error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
> dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found
>
> It was installed on a Debian 4 Linux 2.6.18-6-686 server with:
> - openssl-1.0.0e
> - patch provided by the vendor of the HSM (openssl-lunaca3-patch-1.0.0e.tar.gz)
> - bind 9.9.2-P1
>
> ** The commands pkcs11-keygen, pkcs11-list and other pkcs11-* distributed with bind are working OK.
> ** The key 'KSK1-testdnssec' was generated with the pkcs11-keygen command.
>
> We would like to know if anyone is using this HSM or a similar one. Furthermore, we would like to get some guidance to solve this problem.
>
> Thanks in advance.
>
> --
> Sergio Ramírez
Re: Using a HSM card to sign zone
pc1# /usr/local/ssl/bin/openssl engine
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(LunaCA3) Luna CA3 engine support
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(padlock) VIA PadLock (no-RNG, no-ACE)
(gost) Reference implementation of GOST engine
pc1#
pc1# /usr/local/ssl/bin/openssl engine LunaCA3 -t
(LunaCA3) Luna CA3 engine support
     [ available ]
pc1#

In the openssl.cnf we have:

---
[ Openssl_init ]
# Extra OBJECT IDENTIFIER info:
oid_section = new_oids
engines = engine_section

[ engine_section ]
LunaCA3 = luna_section

[ luna_section ]
dynamic_path = /usr/lunapci/lib/libCryptoki2.so
---

Is it required that there is a section labeled 'pkcs11' to use it from bind or the dnssec-* commands?

--
Sergio R.

----- Original Message -----
From: Alan Clegg a...@clegg.com
To: bind-users@lists.isc.org
Sent: Sunday, 16 February 2014 9:33:21
Subject: Re: Using a HSM card to sign zone

On 2/14/14, 10:43 PM, Sergio Ramirez wrote:
> Hi,
>
> We want to sign zones with bind using an HSM Luna PCI Safenet card. The command 'dnssec-keyfromlabel' fails:
>
> # /usr/local/sbin/dnssec-keyfromlabel -v 9 -E LunaCA3 -a RSASHA1 -l KSK1-testdnssec -f KSK testdnssec.
> dnssec-keyfromlabel: warning: ENGINE_load_private_key failed
> dnssec-keyfromlabel: info: error:2609707D:engine routines:ENGINE_load_public_key:no load function:eng_pkey.c:155:
> dnssec-keyfromlabel: info: error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
> dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found
>
> It was installed on a Debian 4 Linux 2.6.18-6-686 server with:
> - openssl-1.0.0e
> - patch provided by the vendor of the HSM (openssl-lunaca3-patch-1.0.0e.tar.gz)
> - bind 9.9.2-P1
>
> ** The commands pkcs11-keygen, pkcs11-list and other pkcs11-* distributed with bind are working OK.
> ** The key 'KSK1-testdnssec' was generated with the pkcs11-keygen command.
>
> We would like to know if anyone is using this HSM or a similar one. Furthermore, we would like to get some guidance to solve this problem.

I'm not familiar with that HSM, but have used both Thales and AEP with no problem.

Does openssl engine show pkcs11? If so, does openssl engine pkcs11 -t show that the engine is available?

Having played with OpenSSL patches over the last few days, I can tell you that when it works, it works well, but when it fails, you are pretty much out-of-luck as far as error messages go. 8-\

AlanC
Using a HSM card to sign zone
Hi,

We want to sign zones with bind using an HSM Luna PCI Safenet card. The command 'dnssec-keyfromlabel' fails:

# /usr/local/sbin/dnssec-keyfromlabel -v 9 -E LunaCA3 -a RSASHA1 -l KSK1-testdnssec -f KSK testdnssec.
dnssec-keyfromlabel: warning: ENGINE_load_private_key failed
dnssec-keyfromlabel: info: error:2609707D:engine routines:ENGINE_load_public_key:no load function:eng_pkey.c:155:
dnssec-keyfromlabel: info: error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found

It was installed on a Debian 4 Linux 2.6.18-6-686 server with:
- openssl-1.0.0e
- patch provided by the vendor of the HSM (openssl-lunaca3-patch-1.0.0e.tar.gz)
- bind 9.9.2-P1

** The commands pkcs11-keygen, pkcs11-list and other pkcs11-* distributed with bind are working OK.
** The key 'KSK1-testdnssec' was generated with the pkcs11-keygen command.

We would like to know if anyone is using this HSM or a similar one. Furthermore, we would like to get some guidance to solve this problem.

Thanks in advance.

--
Sergio Ramírez
SIBLING GLUE address records (A or AAAA)
Hi,

In the following example, the authoritative server for zone .xx has configured the delegations of the zones example.xx and otherexample.xx:

example.xx       NS  ns1.example.xx
example.xx       NS  ns2.example.xx
ns1.example.xx   A   11.22.33.44
ns2.example.xx   A   11.22.33.55
otherexample.xx  NS  ns3.example.xx
otherexample.xx  NS  ns4.example.xx

bind reports these messages:

ns3.example.xx has no SIBLING GLUE address records (A or AAAA)
ns4.example.xx has no SIBLING GLUE address records (A or AAAA)

because the glue records are not configured in the zone .xx for ns3.example.xx and ns4.example.xx.

Are these glue records required? I understand that they are not. Is this right?

Regards,

--
Sergio R.
Re: SIBLING GLUE address records (A or AAAA)
Thanks for the answer Ben, I agree. But the problem is if the administrator of zone example.xx decides to change the IP address of ns3.example.xx and ns4.example.xx, the glue records will be wrong.

--
Sergio R.

Ben Croswell wrote:
> I would imagine the answer will be that they aren't required but would be helpful.
>
> Since the parent .xx is delegating to the second-level domains, if you do glue for all four DNS servers you are preventing a remote DNS server from having to go to the servers for example.xx to get the A records for the DNS servers for otherexample.xx.
>
> On Mon, Oct 5, 2009 at 3:59 PM, Sergio Ramirez srami...@seciu.edu.uy wrote:
>
> > Hi,
> >
> > In the following example, the authoritative server for zone .xx has configured the delegations of the zones example.xx and otherexample.xx:
> >
> > example.xx       NS  ns1.example.xx
> > example.xx       NS  ns2.example.xx
> > ns1.example.xx   A   11.22.33.44
> > ns2.example.xx   A   11.22.33.55
> > otherexample.xx  NS  ns3.example.xx
> > otherexample.xx  NS  ns4.example.xx
> >
> > bind reports these messages:
> >
> > ns3.example.xx has no SIBLING GLUE address records (A or AAAA)
> > ns4.example.xx has no SIBLING GLUE address records (A or AAAA)
> >
> > because the glue records are not configured in the zone .xx for ns3.example.xx and ns4.example.xx.
> >
> > Are these glue records required? I understand that they are not. Is this right?
> >
> > Regards,
> >
> > --
> > Sergio R.
>
> --
> -Ben Croswell
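As an added example (not from the thread and not BIND's own code), the following Python classifies the NS targets of the delegations in the question above the way a zone check does: in-bailiwick name servers, for which the parent must carry glue or the child cannot be reached; sibling name servers such as ns3.example.xx and ns4.example.xx, for which glue is optional; and name servers outside the parent, which take no glue. It also implements the check raised in the reply, comparing the parent's glue against the child's own authoritative address records to find glue that has gone stale. The zone fragments are constructed from the records quoted in the thread, the changed address for ns1.example.xx is invented to show the stale case, and the function names are this example's own.

```python
"""Classify delegation NS targets by glue requirement and detect stale glue.

Added example, not from the bind-users thread. The zone fragments are
constructed from the records quoted in the thread; the child zone's
changed address for ns1 is invented to demonstrate stale glue.
"""
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, str]

# Constructed parent zone ".xx" (the records from the question).
ZONE_XX = """
example.xx.       NS  ns1.example.xx.
example.xx.       NS  ns2.example.xx.
ns1.example.xx.   A   11.22.33.44
ns2.example.xx.   A   11.22.33.55
otherexample.xx.  NS  ns3.example.xx.
otherexample.xx.  NS  ns4.example.xx.
"""

# Constructed child zone "example.xx." whose administrator has renumbered ns1;
# the parent's glue above still says 11.22.33.44.
ZONE_EXAMPLE_XX = """
ns1.example.xx.   A   11.22.33.99
ns2.example.xx.   A   11.22.33.55
"""


def parse_records(text: str) -> List[Record]:
    """Parse 'owner TYPE rdata' lines into lowercase, dot-stripped tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        records.append((owner.lower().rstrip("."), rtype.upper(),
                        rdata.strip().lower().rstrip(".")))
    return records


def is_subdomain(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def classify_glue(records: List[Record], parent: str) -> Dict[str, Dict[str, str]]:
    """Map each delegated child zone to {ns_target: glue status}."""
    parent = parent.lower().strip(".")
    has_address: Set[str] = {o for o, t, _ in records if t in ("A", "AAAA")}
    delegations: Dict[str, List[str]] = {}
    for owner, rtype, rdata in records:
        # Delegations are NS records below the apex, not the apex's own NS set.
        if rtype == "NS" and owner != parent and is_subdomain(owner, parent):
            delegations.setdefault(owner, []).append(rdata)
    result: Dict[str, Dict[str, str]] = {}
    for child, targets in delegations.items():
        result[child] = {}
        for ns in targets:
            if is_subdomain(ns, child):
                status = ("in-zone glue present" if ns in has_address
                          else "in-zone glue MISSING")
            elif is_subdomain(ns, parent):
                status = ("sibling glue present" if ns in has_address
                          else "sibling glue missing (not required)")
            else:
                status = "out-of-zone (no glue needed)"
            result[child][ns] = status
    return result


def stale_glue(parent_records: List[Record],
               child_records: List[Record]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {name: (parent addresses, child addresses)} where the two disagree."""
    def addresses(records: List[Record]) -> Dict[str, Set[str]]:
        out: Dict[str, Set[str]] = {}
        for owner, rtype, rdata in records:
            if rtype in ("A", "AAAA"):
                out.setdefault(owner, set()).add(rdata)
        return out
    parent_addr, child_addr = addresses(parent_records), addresses(child_records)
    return {name: (parent_addr[name], child_addr[name])
            for name in parent_addr
            if name in child_addr and parent_addr[name] != child_addr[name]}


if __name__ == "__main__":
    parent = parse_records(ZONE_XX)
    for child, nss in classify_glue(parent, "xx").items():
        for ns, status in nss.items():
            print(f"{child:<18} NS {ns:<18} {status}")
    for name, (p, c) in stale_glue(parent, parse_records(ZONE_EXAMPLE_XX)).items():
        print(f"stale glue for {name}: parent has {sorted(p)}, child has {sorted(c)}")
```

The two checks answer the two halves of the thread: the classification reproduces the sibling-glue warning for ns3 and ns4 without marking them as errors, and the comparison shows why carrying glue you are not obliged to carry is a maintenance liability: once the child renumbers, the parent's copy is wrong until someone notices.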