dnssec-keyfromlabel not working with Debian 12 (bookworm)
Hi,

I used this tutorial as reference to setup DNSSEC with SoftHSM2:
https://kb.isc.org/docs/bind-9-pkcs11

I installed the Debian package instead of building libp11:
libengine-pkcs11-openssl:amd64 0.4.12-0.1

It works until reaching this command:
$ dnssec-keyfromlabel \
    -E pkcs11 \
    -a RSASHA256 \
    -l "token=bind9object=example.net-ksk" \
    -f KSK example.net
dnssec-keyfromlabel: fatal: could not initialize dst: crypto failure

Trying directly from OpenSSL works:
$ openssl pkey \
    -in "pkcs11:token=bind9;object=example.net-ksk" \
    -inform ENGINE \
    -engine pkcs11 \
    -text \
    -pubin
Engine "pkcs11" set.
-----BEGIN PUBLIC KEY-----
MIG/MA0GCSqGSIb3DQEBAQUAA4GtADCBqQKBoQCmhO41MX09L/BiJiU7ygXt6D7J
ujmZFMBB7tb/LJBazNp+Xd5TLHZvp1MxFBBW39swTU6oynLnp8IOIuWQNap6kyQ5
hkGusvZ/JsrwHLZ1phPBKsdEd2ClB9EfF+ReabhXRVbqrw9yz22mLdlajmkLTx2d
V6EsjJue+aSX1nxFmna6qNrZBA5ifClpKH7R/0ztQb1RlYA11RG1RGrsRSJnAgMB
AAE=
-----END PUBLIC KEY-----
RSA Public-Key: (1280 bit)
Modulus:
    00:a6:84:ee:35:31:7d:3d:2f:f0:62:26:25:3b:ca:
    05:ed:e8:3e:c9:ba:39:99:14:c0:41:ee:d6:ff:2c:
    90:5a:cc:da:7e:5d:de:53:2c:76:6f:a7:53:31:14:
    10:56:df:db:30:4d:4e:a8:ca:72:e7:a7:c2:0e:22:
    e5:90:35:aa:7a:93:24:39:86:41:ae:b2:f6:7f:26:
    ca:f0:1c:b6:75:a6:13:c1:2a:c7:44:77:60:a5:07:
    d1:1f:17:e4:5e:69:b8:57:45:56:ea:af:0f:72:cf:
    6d:a6:2d:d9:5a:8e:69:0b:4f:1d:9d:57:a1:2c:8c:
    9b:9e:f9:a4:97:d6:7c:45:9a:76:ba:a8:da:d9:04:
    0e:62:7c:29:69:28:7e:d1:ff:4c:ed:41:bd:51:95:
    80:35:d5:11:b5:44:6a:ec:45:22:67
Exponent: 65537 (0x10001)

Debian 12 (bookworm) uses OpenSSL version 3:
libssl3:amd64 3.0.11-1~deb12u2
openssl 3.0.11-1~deb12u2

Installed BIND9 packages:
bind9 1:9.18.19-1~deb12u1
bind9-utils 1:9.18.19-1~deb12u1
bind9-dnsutils 1:9.18.19-1~deb12u1
bind9-doc 1:9.18.19-1~deb12u1
bind9-libs:amd64 1:9.18.19-1~deb12u1
bind9-host 1:9.18.19-1~deb12u1

$ dnssec-keyfromlabel -V
dnssec-keyfromlabel 9.18.19-1~deb12u1-Debian

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
init = 0

strace file:
https://pasteb.in/?bd9a4ecaca6ece23#E2emtt8zi9t5UsnFJ2QWKVD6ALTkZmKG9656fuZR3ArX

It seems to be an API problem, or maybe I missed something?

Gérard
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)
Hi,

I directly see a missing semicolon in the failed command. Please provide the full unedited log, so we can be sure that the error was not made when redacting the output.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 3. 12. 2023, at 18:41, Gérard Parat via bind-users wrote:
Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)
Hi,

Sorry for the typo (the command is correct in the strace file), here is the unedited log:

$ dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-ksk" -f KSK example.net
dnssec-keyfromlabel: fatal: could not initialize dst: crypto failure

Gérard

On 03/12/2023 at 19:06, Ondřej Surý wrote:
Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)
Hi,

Weird behavior with /opt/bind9/etc/openssl.cnf. The only difference from /etc/ssl/openssl.cnf is the pkcs11 engine:

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
init = 0

For example, dig is not working with the OPENSSL_CONF environment variable:
$ dig www.internet.nl +short
04-Dec-2023 00:39:24.280 EVP_PKEY_fromdata_init failed (crypto failure)
04-Dec-2023 00:39:24.280 error:0396:digital envelope routines::operation not supported for this keytype:../crypto/evp/pmeth_gn.c:354:
dig: dst_lib_init: crypto failure

It works if OPENSSL_CONF is undefined:
$ OPENSSL_CONF= dig www.internet.nl +short
proloprod.internet.nl.
62.204.66.10

The issue seems wider than just dnssec-keyfromlabel.

Gérard

On 03/12/2023 at 18:40, Gérard Parat via bind-users wrote:
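As an added example (not from the thread, and not BIND or ISC code), a small Python check that resolves the engine chain in an openssl.cnf the way OpenSSL does at library init (openssl_conf -> [openssl_init] engines -> engine list -> engine section), so you can see which engines a file pointed to by OPENSSL_CONF pulls into every OpenSSL-linked process, dig included. The sample config is constructed from the fragment in the thread; the leading openssl_conf line is an assumption about what the rest of the file looks like.

```python
# Constructed openssl.cnf in the shape the thread describes: Debian's default
# file plus the pkcs11 engine chained in from [openssl_init] (openssl_conf assumed).
SAMPLE_CNF = """\
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
init = 0
"""


def parse_cnf(text):
    """Minimal OpenSSL-config parser: keys before the first [section] belong to
    the default section, '#' starts a comment, keys stay case-sensitive."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def engines_loaded_at_init(sections):
    """Walk openssl_conf -> [init section].engines -> [engine list] -> each
    engine section, as OpenSSL does at library init, and list the engines."""
    init_sec = sections["default"].get("openssl_conf", "openssl_init")
    engine_list = sections.get(init_sec, {}).get("engines")
    if not engine_list:
        return []  # this config activates no engine for the process
    loaded = []
    for name, sec in sections.get(engine_list, {}).items():
        cfg = sections.get(sec, {})
        # init = 0 only defers ENGINE_init(); the module at dynamic_path is
        # still loaded and registered as soon as the config is processed.
        loaded.append({"engine_id": cfg.get("engine_id", name),
                       "dynamic_path": cfg.get("dynamic_path"),
                       "MODULE_PATH": cfg.get("MODULE_PATH"),
                       "init": cfg.get("init")})
    return loaded
```

Run it against the file in OPENSSL_CONF with `engines_loaded_at_init(parse_cnf(open(path).read()))`; an empty list means the config is not what pulls an engine into dig or dnssec-keyfromlabel.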