Using a PCIe HSM card with BIND

2025-03-12 Thread Sergio Ramirez
Hi,
We need to integrate a "Thales Luna HSM PCIe 7" card that we just 
purchased with the most up-to-date BIND version that works in this scenario.

We have carefully followed the instructions given in the Thales documents, but 
without successful results. We have also contacted the Thales premium technical 
support services, but these services are poor, and so far they have not 
given us a solution. 

For this reason we would like to ask if someone has experience integrating 
BIND with a Thales HSM card on newer versions (in the past we did this 
integration successfully with older BIND versions and older Thales HSM cards).

The versions that we are using now are:

Linux 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) 
x86_64 GNU/Linux
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)
BIND 9.18.32 (Extended Support Version) 

HSM Luna PCIe 7 card with firmware 7.0.3.

We are very satisfied with the BIND software; unfortunately, if we cannot find a 
solution, perhaps we will need to change the DNS server software for another 
that is compatible with the newer Thales HSM card.

Thanks in advance.

--
Sergio R.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Using a PCIe HSM card with BIND

2025-03-12 Thread Ondřej Surý
Hi Sergio,

the BIND 9 documentation covers this:

https://bind9.readthedocs.io/en/v9.18.34/chapter5.html#pkcs-11-cryptoki-support

Since you are using OpenSSL you must ensure that Legacy engines are enabled.

I would, however, recommend switching to 9.20.6, which has support for more modern
OpenSSL Providers (5.5.6 and onwards):

https://bind9.readthedocs.io/en/v9.20.6/chapter5.html#pkcs-11-cryptoki-support

Cheers,
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.


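As an added illustration of the two routes Ondřej names (not configuration from the thread or from ISC's documentation): an openssl.cnf fragment with the legacy ENGINE route that BIND 9.18 relies on and the OpenSSL 3 PROVIDER route that BIND 9.20 can use. Section names and every file path are assumptions; the vendor PKCS#11 library path is a placeholder. In practice only the route matching your BIND version is enabled, not both.

```ini
# Added example openssl.cnf fragment; not from the thread or the BIND ARM.
# Section names and paths are assumptions. Replace the /PLACEHOLDER paths with
# the real engine/provider .so and the Thales client's PKCS#11 (Cryptoki) library.
openssl_conf = openssl_init

[openssl_init]
# BIND 9.18 (legacy): reach the HSM through the pkcs11 ENGINE (libp11 engine_pkcs11).
engines = engine_section
# BIND 9.20: reach the HSM through an OpenSSL 3 PROVIDER (pkcs11-provider).
# Keep only the line that matches your BIND version.
providers = provider_section

[engine_section]
pkcs11 = pkcs11_engine

[pkcs11_engine]
engine_id = pkcs11
# engine_pkcs11 shared object shipped by libp11
dynamic_path = /PLACEHOLDER/engines-3/pkcs11.so
# vendor PKCS#11 module the engine loads
MODULE_PATH = /PLACEHOLDER/vendor_pkcs11_module.so
init = 0

[provider_section]
# the default provider must stay active for ordinary crypto
default = default_provider
pkcs11 = pkcs11_provider

[default_provider]
activate = 1

[pkcs11_provider]
# pkcs11-provider shared object
module = /PLACEHOLDER/ossl-modules/pkcs11.so
# vendor PKCS#11 module the provider loads
pkcs11-module-path = /PLACEHOLDER/vendor_pkcs11_module.so
activate = 1
```

Confirm which route OpenSSL actually loaded with `openssl engine -t pkcs11` (engine) or `openssl list -providers` (provider) before starting named.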


Re: Authoritative and caching

2025-03-12 Thread Danjel Jungersen via bind-users

On 20-02-2025 08:40, Mark Andrews wrote:

The zone is available publicly, but from public servers not hosted by me 
(one.com).
And points to my external IP.
My internal bind redirects local traffic directly to local servers on local 
IPs.

DNSSEC is designed to stop spoofed answers being accepted.  When you create a 
local zone that overrides what is in the public zones you are effectively 
spoofing answers.  As you have a DNSSEC signed public zone if you want to have 
these spoofed answers accepted you need to do one of the following:

1) create a working chain of trust that links to your private zone content
Long 1 is the best long term solution

So this is the way I will try to go.

You currently have the following DS which means you are using ECDSAP256SHA256 
(13) as the DNSSEC key algorithm.

jungersen.dk. 7200 IN DS 26658 13 2 
23E45B495015A14C3F4FF57C0A36850C013B881BAAF1E32EE4C0C839 FF9CCA52

I would add “dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; 
};” to your internal primary if you choose to do 1 or 3.  This will add a 
DNSKEY record to the zone and cause it to be signed.  You can then take the 
generated DNSKEY and install it as a trust anchor on the postfix boxes.

You will need to do some reading first. Others here can give you more advice.


I have now read a lot, and I think that I actually understood some of it.

I have:
zone "jungersen.dk" {
    type master;
    file "/etc/bind/zones/db.jungersen.dk";
    allow-transfer { 192.168.20.11; };
    dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };
};

in named.conf.local

It throws an error: /etc/bind/named.conf.local:15: expected string near '{'

Line 15 is the dnssec-policy line.

If I uncomment this line all is well.

Can anyone tell me what is wrong with this line?
I have copy-pasted it from the suggestion and have read some online; to 
me it looks good.




BR
Danjel



Re: Authoritative and caching

2025-03-12 Thread Mark Andrews
I shouldn’t have tried to write that on the phone from memory.

dnssec-policy "unlimited" {
    keys { csk lifetime unlimited algorithm ECDSAP256SHA256; };
};

zone "jungersen.dk" {
    type master;
    file "/etc/bind/zones/db.jungersen.dk";
    allow-transfer { 192.168.20.11; };
    dnssec-policy "unlimited";
};

Mark

> On 13 Mar 2025, at 09:13, Danjel Jungersen  wrote:
> 
> On 20-02-2025 08:40, Mark Andrews wrote:
>>> The zone is available publicly, but from public servers not hosted by me 
>>> (one.com).
>>> And points to my external IP.
>>> My internal bind redirects local traffic directly to local servers on local 
>>> IPs.
>> DNSSEC is designed to stop spoofed answers being accepted.  When you create 
>> a local zone that overrides what is in the public zones you are effectively 
>> spoofing answers.  As you have a DNSSEC signed public zone if you want to 
>> have these spoofed answers accepted you need to do one of the following:
>> 
>> 1) create a working chain of trust that links to your private zone content
>> Long 1 is the best long term solution
> So this is the way I will try to go.
>> You currently have the following DS which means you are using 
>> ECDSAP256SHA256 (13) as the DNSSEC key algorithm.
>> 
>> jungersen.dk. 7200 IN DS 26658 13 2 
>> 23E45B495015A14C3F4FF57C0A36850C013B881BAAF1E32EE4C0C839 FF9CCA52
>> 
>> I would add “dnssec-policy { csk lifetime unlimited algorithm 
>> ECDSAP256SHA256; };” to your internal primary if you choose to do 1 or 3.  
>> This will add a DNSKEY record to the zone and cause it to be signed.  You 
>> can then take the generated DNSKEY and install it as a trust anchor on the 
>> postfix boxes.
>> 
>> You will need to do some reading first. Others here can give you more advice.
>> 
> I have now read a lot, and I think that actually understood some of it.
> 
> I have:
> zone "jungersen.dk" {
> type master;
> file "/etc/bind/zones/db.jungersen.dk";
> allow-transfer { 192.168.20.11; };
> dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };
> };
> 
> in named.conf.local
> 
> It throws an error: /etc/bind/named.conf.local:15: expected string near '{'
> 
> Line 15 is the dnssec-policy line.
> 
> If I uncomment this line all is well.
> 
> Can anyone tell me what is wrong with this line?
> I have copy-pasted it from the suggestion and have read some online; to me 
> it looks good.
> 
> 
> 
> BR
> Danjel
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
