1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
How to use site.h for the PKCS#11 provider of your HSM
------------------------------------------------------
First run "pkcs11-tokens" (in bin/pkcs11). This tool is built when BIND9
is configured with the --with-pcks11 flag. It prints the addresses of
selected tokens per algorithm:
- random number generation
- RSA (sign/verify)
- DSA (sign/verify)
- DH (secret derivation)
- digest (hash)
- EC (ECDSA, sign/verify)
- GOST (Russian hash and sign/verify)
- AES (encrypt/decrypt)
...and a summary of PKCS#11 tokens that have been found.
Current well-known HSMs are predefined in site.h according to HSM "flavors":
- Thales nCipher (default)
- OpenDNSSEC SoftHSMv2
...and with experimental status:
- OpenDNSSEC SoftHSMv1 with SHA224 support added
- Cryptech
- AEP Keyper
If BIND9 is configured with native PKCS#11 support (--enable-native-pkcs11),
then pkcs11-tokens will raise an error when a mandatory algorithm is not
supported. (The usual error is 0x70, or CKR_MECHANISM_INVALID; 0x0
indicates that a required flag is not available.) The following steps
may be taken, depending on which algorithms indicate failures:
- rand or RSA: nothing can be done; native PKCS#11 is not supported
in BIND9 with this HSM.
- DSA or DH: run pkcs11-tokens with the -v (verbose) flag. If the
parameter generation mechanism is not supported you can make the token
selection to ignore the error. Note DSA and DH are not critical
algorithms; you can use BIND9 in production without them.
- digest: run pkcs11-tokens with the -v (verbose) flag. If the problem is
with HMAC mechanisms, use the corresponding REPLACE flags in site.h.
If the problem is with MD5, use the corresponding DISABLE flag in
site.h. If the problem is with SHA224, contact the implementor of the
PKCS#11 provider and ask to have this hash algorithm implemented. For
any other problem, nothing can be done; native PKCS#11 is not supported
with this HSM.
- EC: you may wish to configure BIND9 without ECDSA support by adding
--without-ecdsa to the "configure" arguments.
- GOST: you SHOULD configure BIND9 without GOST support by adding
--without-gost to the "configure" arguments.
- AES: you MUST reconfigure bind9 without AES support by adding
--without-aes to configure arguments.
You can disable some algorithms (e.g. DSA, DH and MD5) using the
"disable-algorithms" option in named.conf, and some other algorithms can be
disabled at compile time (ECDSA, GOST, AES). Note, however, that disabling
algorithms can have unwanted side effects; for instance, disabling DH breaks
TKEY support.
A final note: the DISABLE flags in site.h work for OpenSSL code too, but
this feature is not officially supported yet and should not be relied on.
|
