Integration GuideBind 9Linux 3.19, Microsoft Windows Server 2008

Integration Guide: Bind 9

Imprint

copyright 2016 Utimaco IS GmbHGermanusstrasse 4D-52080 AachenGermany

phone +49 (0)241 / 1696-200fax +49 (0)241 / 1696-199web http://hsm.utimaco.comemail support-cs@utimaco.comdocument version 1.2.1date January 2016author System Engineering HSMdocument no. SGCS_IG_BIND9

all rights reserved No part of this documentation may be reproduced in any form (printing, photocopyor according to any other process) without the written approval of Utimaco IS GmbHor be processed, reproduced or distributed using electronic systems.Utimaco IS GmbH reserves the right to modify or amend the documentation at anytime without prior notice. Utimaco IS GmbH assumes no liability for typographicalerrors and damages incurred due to them.All trademarks and registered trademarks are the property of their respective owners.

Contents1 Introduction 4

1.1 Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Requirements 5

2.1 Supported Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3 Installation 6

3.1 Install CryptoServer Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

3.2 Install CryptoServer Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

4 Procedures 7

4.1 Configure PKCS#11 Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

4.1.1 Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

4.1.2 Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

4.1.3 Adjust Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

4.2 Test PKCS#11 Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

4.3 Patch and Build OpenSSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

4.3.1 Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

4.3.2 Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

4.4 Install BIND Domain Name Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

4.4.1 Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

4.4.2 Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

5 Generate Keys and Sign a Domain Zone 14

5.1 ReSigning Domain Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

6 Further Information 16

Integration Guide: Bind 9

1 IntroductionThis paper provides an integration guide explaining how to integrate a Hardware Security Module

(HSM) - CryptoServer - with the BIND 9.10 server on a Linux or Microsoft Windows operating system

platform. Configuration details - especially to domain name system configuration - that goes beyond

normal configuration for the integration of hardware security module are not explained in this docu-

ment. For further information to configure and setup BIND for a domain name system, it is referred

to the documents and information of ISC1.

1.1 ConceptsThe Domain Name System (DNS) is a hierarchical naming system built on a distributed database

for computers, services, or any resource connected to the Internet or a private network. Most im-

portantly, it translates domain names meaningful to human-readable identifiers into the numerical

identifiers associated with networking equipment for the purpose of locating and addressing these

devices worldwide. Often the Domain Name System is compared with the phone book of the world-

wide internet. The original design of the Domain Name System did not include any security. Instead,

it was developed as a simple scalable distributed system.

The Domain Name System Security Extensions (DNSSEC) attempts to add security, while maintain-

ing backwards compatibility to the existing Domain Name System. The RFC 3833 attempts to doc-

ument some of the known threats to the DNS and how DNSSEC tries to responds to those threats.

DNSSEC was designed to protect Internet resolvers from forged DNS data, such as that created by

e.g. DNS cache poisoning. All answers from DNSSEC enabled domain name system are digitally

signed. By verifying the digital signature, a DNS resolver is able to check if the information is correct

and complete to the information on the authoritative domain name server. While protecting IP ad-

dresses is the immediate concern for many users, DNSSEC can protect other information such as

general-purpose cryptographic certificates too. Basically cryptographic keys are used to sign domain

name related information’s. The keys require extensively protection against being stolen or corrupted.

A hardware security module is the best solution in maintaining highest security and performance for

the protection of those keys.

1ISC - http://www.isc.org

Page 4

2 RequirementsEnsure that you have a copy of the CryptoServer Administration Guide [?] and the CryptoServer PKCS#11

Interface [?]. You should also have prepared an installed Linux operating system (for this guide, Ubuntu

15.04). If you are using PCI(e) card also compile and install the necessary driver for that card. This

guide assumes that a Ubuntu based Linux distribution or Microsoft Windows Server 2008 is used.

Software- and Hardware Requirements

HSMModel CryptoServer CS-Series/S-Series/Se-Series PCI

CryptoServer CS-Series/S-Series/Se-Series LAN

CryptoServer Simulator CS/Se

HSM Firmware CryptoServer 2.50

Software CryptoServer 2.50

Linux 3.19 (Ubuntu 15.04 amd64)

Microsoft Windows Server 2008 x86

2.1 Supported Operating SystemsFor the interoperability of the CryptoServer solution, operating systems, Bind and OpenSSL have been

tested successfully for the following combinations:

Operating

System

CryptoServer

Version

Bind OpenSSL PCI Support Ethernet Sup-

port

Windows

Server 2008

Enterprise

x86

2.30.2 9.7.2-P3 0.9.8i Yes Yes

Debian 4.1.2

x86/amd64

2.50 9.7.2-P3 0.9.8i Yes Yes

Ubuntu 15.04

x86/amd64

3.21 9.10.2-P1 1.0.1j Yes Yes

Page 5

Integration Guide: Bind 9

3 InstallationThe installation of the CryptoServer in preparation for integration with Bind consists of two parts:

• Install CryptoServer Hardware

• Install CryptoServer Software

3.1 Install CryptoServer HardwareFor more information on commonly installing and setting up CryptoServer PCI or LAN, see the docu-

mentation CryptoServer CryptoServer PCI / (LAN) Installation & Operating manual. There is no need to

install any software specific for running CryptoServer.

3.2 Install CryptoServer SoftwareTheCryptoServer software - this includes administrative tools and library software - has to be installed

on your computer system manually on Linux based system. To install the necessary PKCS#11 li-

braries it is referred to the CryptoServer PKCS#11 Interface and SafeGuard CryptoServer - PKCS#11 (R2)

Development Guide document. Further PKCS#11 related configuration steps for the integration are

explained in the next chapter’s.

Page 6

4 ProceduresThe steps to integrate the CryptoServer in BIND with Linux or Microsoft Windows are a little different.

In places where the description of the integration steps may differ, the individual steps are explained

in separate chapters.

To integrate the CryptoServer with BIND domain name server (named) in context of DNSSEC secured

environment you need follow these steps:

1. Configure PKCS#11 environment

2. Test PKCS#11 environment

3. Patch and Build OpenSSL

4. Install BIND Domain Name Server

5. Generate Keys and Sign a Zone

4.1 Configure PKCS#11 EnvironmentThe location of library and configuration file differs on Linux andMicrosoftWindowsoperating system.

Therefore the procedures to setup the PKCS#11 respectively PKCS#11 R2 environment is described

separately.

4.1.1 Linux

The PKCS#11 library and configuration files for Linux operating system have to be installed manually.

For further installations steps it is referred to QuickStart Guide PKCS#11 [?].

4.1.2 Microsoft Windows

With the installation of the CryptoServer software the necessary libraries, tools and configuration file

cs2_pkcs11.ini have been installed on your Microsoft Windows system. An environment variable has

been also set up and is refering to the configuration file.

4.1.3 Adjust Configuration File

The CryptoServer device specifier to address the CryptoServer device has to be adjusted in your con-

figuration file to use the PKCS#11 (R2) library. Open the configuration cs2_pkcs11.ini respectively

Page 7

Integration Guide: Bind 9

cs_pkcs11_R2.cfg with an editor of your choice and find the device parameter of the CryptoServer sec-

tion. Change the value to one of these values in accordance to your CryptoServer hardware.

• IP address of your device (e.g. 192.168.0.42)

This device specifier is used for network attached devices. Further details to setup the ip ad-

dress of your device can be found in CryptoServer LAN Operating & Installation Manual.

• /dev/cs2

This device specifier addresses a local installed PCI or PCIe device. An installed device driver is

necessary to open a connection. Further details to setup the driver can be found in CryptoServer

PCI(e) Operating & Installation Manual.

For debugging purposes change the parameter Logging from value 0 which means no logging to 15

respectively 5 for PKCS#11 R2 to provide full logging details.

4.2 Test PKCS#11 EnvironmentThe p11tool respectively p11tool2 is an administration command line tool to manage PKCS#11 and

PKCS#11 R2 related issues for the CryptoServer. Check if your PKCS#11 environment has been

configured and installed correctly by performing ListSlots command of p11tool respectively p11tool2.

The output should display a listing of available PKCS#11 slot numbers.

0: 00000000

1: 00000001

2: 00000002

3: 00000003

4: 00000004

Listing 1: ListSlots

Initialize a PKCS#11 slot to store the necessary cryptographic keys used for DNSSEC later in this

document.

PKCS#11

# p11tool slot=0 InitToken=123456

# p11tool slot=0 LoginSO=123456 InitPin=utimaco123

PKCS#11 R2

Page 8

# p11tool2 Login=ADMIN,:cs2:cyb:USB0 slot=0 InitToken=123456

# p11tool2 slot=0 LoginSO=123456 InitPin=utimaco123

Here the InitPin parameter determines the PKCS#11 user pin of a slot. This pin will be used later in

this document for the PKCS#11 user authentication.

4.3 Patch and Build OpenSSLBuilding OpenSSL from source code will enable PKCS#11 support. As BIND uses OpenSSL for its

cryptographic operations BIND will also be able to use PKCS#11 as cryptographic interface. The

source code of OpenSSL needs to be patched to enable OpenSSL to interface with PKCS#11. The

patch is bundled with the BIND source code. Download and extract the sources for OpenSSL 2 and

Bind 93 first.

4.3.1 Linux

1. Apply the patch

• Bind 9.7.2

./bind-9.7.2-P3/bin/pkcs11/openssl-0.9.8l-patch toOpenSSLby switching to the

OpenSSL directory and running the command

# patch -p1 < path-to/openssl-0.9.8l-patch

• Bind 9.10.2

./bind-9.10.2-P1/bin/pkcs11/openssl-1.0.1j-patch to OpenSSL by switching to

the OpenSSL directory and running the command

# patch -p1 < path-to/openssl-1.0.1j-patch

2. Configure OpenSSL on 32 bit machine

# ./Configure linux-generic32 -m32 -pthread \

--pk11-libname=/usr/lib/cryptoserver/libcs2_pkcsll.so \

--pk11-flavor=crypto-accelerator \

--prefix=/opt/openssl-p11

2OpenSSL - http://www.openssl.org/source/3Bind 9 - http://www.isc.org/software/bind

Page 9

Integration Guide: Bind 9

If you are on a 64 bit machine configure OpenSSL via

# ./Configure linux-x86_64 \

--pk11-libname=/usr/lib/cryptoserver/libcs2_pkcsll.so \

--pk11-flavor=crypto-accelerator \

--prefix=/opt/openssl-p11

The given pk11-libname parameter points to the path of the PKCS#11 library, pk11-flavor de-

termines which kind of PKCS#11 engine (provided by the patch) is used - sign-only or crypto-

accelerator and the prefix parameter points to the directory where the libraries are located after

the installation.

3. Build and test OpenSSL

# make

# make test

If some errors occur at this point, recheck the configuration.

4. Check the availability of the engine by running the command

# ./apps/openssl engine pkcs11 -t

5. Install OpenSSL binary

# make install

To make the modified OpenSSL suite available in /opt/openssl-p11 as specified during the

configuration.

4.3.2 Microsoft Windows

1. Apply the patch located at ”bind-9.7.2-P3\bin\pkcs11\openssl-0.9.8l-patch” to OpenSSL. There-

fore a Linux environment like Cygwin is required to have the ”patch” utility available. Switch to

the OpenSSL directory and execute command:

# patch -p1 < path-to/openssl-0.9.8l-patch

2. Configuring and building OpenSSL requires Perl installed. This guide uses ActivePerl-5.12.24

4ActivePerl-5.12.2 - http://www.activestate.com/activeperl/downloads

Page 10

3. Additionally Microsoft Visual Studio is required to build OpenSSL and BIND. Microsoft Visual

Studio 2005 (Visual Studio 8) with Service Pack 1 and Service Pack 1 Update for Windows

Vista5 is used here.

4. Set necessary environment variables for running Visual Studio from the command line, run the

following command from the command line:

”C:\Program Files\Microsoft\Visual Studio 8\Common7\

Tools\vsvars32.bat”

5. Configure OpenSSL as follows:

cd openssl-0.9.8l

perl Configure VC-WIN32 \

--pk11-libname=c:/windows/system32/cs2_pkcsll.dll \

--pk11-flavor=crypto-accelerator

The given pk11-libname parameter points to the path of the PKCS#11 library, pk11-flavor de-

termines which kind of PKCS#11 engine (provided by the patch) is used - sign-only or crypto-

accelerator. The optional prefix parameter would point to the directory where the libraries and

the OpenSSL configuration file are additionally copied during the installation of OpenSSL.

6. Build OpenSSL with these command line tools

ms\do_masm

nmake -f ms\ntdll.mak

7. Check the availability of the engine before you install BIND running the command:

out32dll\openssl.exe engine pkcs11 -t

If the previuous check isn’t successfully, test the accessibility of the PKCS#11 slot first.

p11tool slot=0 GetSlotInfo

The folder out32dll now contains the PKCS#11 enabled OpenSSL libraries for BIND.

8. Make the modified OpenSSL suite available in c:\usr\local\ssl or to the directory specified by

the prefix parameter in configuration by running the command:

nmake -f ms\ntdll.mak install

5Service Pack 1 and Service Pack 1 Update for Windows Vista - http://support.microsoft.com/kb/929470

Page 11

Integration Guide: Bind 9

4.4 Install BIND Domain Name ServerBesides to haveOpenSSL compiled fromsources it is alsomandatory to compile BIND from it’s source

files. This will enable BIND to use PKCS#11 enabled hardware for cryptographic operations. Since it

is determined during the configuration of BINDwhere theOpenSSL andPKCS#11 libraries are located,

you have to provide the location of the OpenSSL libraries created in chapter 4.3. Next configure and

install BIND.

4.4.1 Linux

1. Configure BIND on a 32 bit machine

# ./configure CC=”gcc -m32” -enable-threads \

--with-openssl=/opt/openssl-p11 \

--with-pkcs11=/usr/lib/cryptoserver/libcs2_pkcs11.so

If you are on a 64 bit machine configure BIND via

# ./configure CC=”gcc -m64” -enable-threads \

--with-openssl=/opt/openssl-p11 \

--with-pkcs11=/usr/lib/cryptoserver/libcs2_pkcs11.so

2. Set the environment variable LD_LIBRARY_PATH to the path of the PKCS#11 library

# export LD_LIBRARY_PATH=/usr/lib/cryptoserver

3. Build and install BIND

# make

# make install

4.4.2 Microsoft Windows

1. To set the path to the PKCS#11 library run the following script:

cd bind-9.7.0\win32utils

perl setpk11provider.pl /windows/system32/cs2_pkcs11.dll

After the installation of BIND it is still possible to specify the path manually.

Page 12

2. Build BIND binaries

BuildAll.bat

Among others it prepares the contents of Build\Release directory for BIND installation withmod-

ified OpenSSL libraries.

3. Install BIND from the Build\Release folder

Further steps usually concern general configuration of DNS and are not a part of the document.

Page 13

Integration Guide: Bind 9

5 Generate Keys and Sign a Domain ZoneIn this chapter we generate a zone-signing key (ZSK) and a key-signing key (KSK) using the tools

pkcs11-keygen and dnssec-keyfromlabel provided by BIND and use them to sign a domain zone. The

first tool is used to actually generate the keys in HSM and the second tool generates the key files for

BIND containing a public key and an identifier of the actual private key. Since slot 0 is the only one

we initialized in chapter 4.2 so far, we will choose this for BIND configuration now.

1. Run the following commands to generate a zone-signing key and a key-signing key

# pkcs11-keygen -b 2048 -l ksk

# pkcs11-keygen -b 1024 -l zsk

The parameter -b specifies the key size and -l the label of the key pair. Since the library path was

exported, it is not necessary to specify it using the parameter -m (module) any more. You will

be prompted to enter the user pin for the PKCS#11 slot.

2. Switch to the default folder for zone files and generate the key files for BIND

# dnssec-keyfromlabel -l ksk -f KSK utimaco.com

# dnssec-keyfromlabel -l zsk utimaco.com

The parameter -l specifies the label again and after -f follows the key flag. The key files are

generated for a specific zone which in this case is ”utimaco.com”. Now you should find the cor-

responding key files in the current directory which are composed of K<zone name>.+<numeric

representation of the key file>+<key identifier>.(key|private). It is not necessary to add the -E

(engine) parameter here because BIND was build with the -with-pkcs11 option in the first place.

This sets the CryptoServer PKCS#11 engine to default.

3. Before you can sign a zone, it is necessary to add the contents of both K*.key files or to include

them by reference - using the key file names - to the zone master file. Open the zone file and

add the following lines e.g.

$include Kutimaco.com.+005+35677.key

$include Kutimaco.com.+005+63263.key

4. Finally sign the zone

Linux

Page 14

# dnssec-signzone -S -o <zone name> <zone file>

Microsoft

# dnssec-signzone -E pkcs11 -S -o <zone name> <zone file>

You don’t need to specify the key files here because ”smart signing” is activated with the -S parameter

which enables automatic search for key files. The signed domain zone file is now located in the

current folder.

5.1 ReSigning Domain ZonesPreviously you have seen how to manually sign a domain zone. This also includes generating neces-

sary keys. These keys have to be periodically changed. Normally this will make manual intervention

necessary. BIND is also able to automatically resign domain zones. You can configure named to

dynamically re-sign zones or new records inserted via nsupdate. Therefore named requires access to

the private key unattended from user interaction. For PKCS#11 you have to provide the user pin of

the PKCS#11 slot to access private key. To get automatically access to the private key, configure the

configuration file openssl.cnf of OpenSSL 67 as shown below

openssl_conf = openssl_def

[ openssl_def ]

engines = engine_section

[ engine_section ]

pkcs11 = pkcs11_section

[ pkcs11_section ]

PIN = utimaco123

The default location of the configuration file can be overridden by setting the environment variable

OPENSSL_CONF. The pin has been entered during the initialization of the PKCS#11 slot. This will also

enable dnssec-* tools to work without user interaction which formerly had to enter user pin.

6Linux - /opt/openssl-p11/ssl/openssl.cnf7Microsoft Windows - c:\usr\local\ssl\openssl.cnf

Page 15

Integration Guide: Bind 9

6 Further InformationThis document forms a part of the information and support which is provided by the Utimaco IS

GmbH. Additional documentation can be found on the product CD in the documentation directory.

All CryptoServer product documentation is also available at the Utimaco IS GmbH

website: http://hsm.utimaco.com

Page 16

Page 17

Integration Guide: Bind 9

Page 18

Page 19

Contact

Utimaco IS GmbHGermanusstraße 4D - 52080 AachenGermany

phone +49 241 1696 - 200fax +49 241 1696 - 199

web https://hsm.utimaco.comemail support-cs@utimaco.com