Utimaco Bind 9 Quick Setup Guide

Integration Guide
Bind 9
Linux 3.19, Microsoft Windows Server 2008

Integration Guide: Bind 9
Imprint
copyright 2016 Utimaco IS GmbH
Germanusstrasse 4
D-52080 Aachen
Germany
phone +49 (0)241 / 1696-200
fax +49 (0)241 / 1696-199
web http://hsm.utimaco.com
email [email protected]
document version 1.2.1
date January 2016
author System Engineering HSM
document no. SGCS_IG_BIND9
all rights reserved No part of this documentation may be reproduced in any form (printing, photocopy
or according to any other process) without the written approval of Utimaco IS GmbH
or be processed, reproduced or distributed using electronic systems.
Utimaco IS GmbH reserves the right to modify or amend the documentation at any
time without prior notice. Utimaco IS GmbH assumes no liability for typographical
errors and damages incurred due to them.
All trademarks and registered trademarks are the property of their respective owners.

Contents
1 Introduction
1.1 Concepts
2 Requirements
2.1 Supported Operating Systems
3 Installation
3.1 Install CryptoServer Hardware
3.2 Install CryptoServer Software
4 Procedures
4.1 Configure PKCS#11 Environment
4.1.1 Linux
4.1.2 Microsoft Windows
4.1.3 Adjust Configuration File
4.2 Test PKCS#11 Environment
4.3 Patch and Build OpenSSL
4.3.1 Linux
4.3.2 Microsoft Windows
4.4 Install BIND Domain Name Server
4.4.1 Linux
4.4.2 Microsoft Windows
5 Generate Keys and Sign a Domain Zone
5.1 Re-Signing Domain Zones
6 Further Information

1 Introduction
This paper is an integration guide explaining how to integrate a Hardware Security Module (HSM),
the CryptoServer, with the BIND 9.10 server on a Linux or Microsoft Windows platform. Configuration
details, especially of the domain name system itself, that go beyond what the HSM integration
requires are not covered in this document. For further information on configuring and setting up
BIND for a domain name system, refer to the documentation of ISC [1].
1.1 Concepts
The Domain Name System (DNS) is a hierarchical naming system built on a distributed database
for computers, services, or any resource connected to the Internet or a private network. Most
importantly, it translates domain names that are meaningful to humans into the numerical identifiers
associated with networking equipment, for the purpose of locating and addressing these devices
worldwide. The Domain Name System is often compared to the phone book of the Internet. The
original design of the Domain Name System did not include any security; it was developed as a
simple, scalable distributed system.
The Domain Name System Security Extensions (DNSSEC) add security while maintaining backwards
compatibility with the existing Domain Name System. RFC 3833 documents some of the known
threats to the DNS and how DNSSEC responds to those threats. DNSSEC was designed to protect
resolvers from forged DNS data, such as that introduced by DNS cache poisoning. All answers from
a DNSSEC-enabled zone are digitally signed. By verifying the digital signature, a DNS resolver can
check that the information is authentic and complete with respect to the data on the authoritative
name server. Note that DNSSEC provides authenticity and integrity of DNS data, not confidentiality:
signed records are still transmitted in the clear. While protecting IP addresses is the immediate
concern for many users, DNSSEC can protect other information, such as general-purpose
cryptographic certificates, too. In short, cryptographic keys are used to sign domain name related
information, and these keys need strong protection against theft or corruption: anyone who obtains
the private signing key can produce signatures that validating resolvers will accept. A hardware
security module keeps the private keys inside tamper-protected hardware, so that signing takes
place without the keys ever leaving the device, while delivering the performance needed for signing
operations.
[1] ISC - http://www.isc.org

2 Requirements
Ensure that you have a copy of the CryptoServer Administration Guide [?] and the CryptoServer PKCS#11
Interface [?] documentation. You should also have an installed Linux operating system (for this guide,
Ubuntu 15.04). If you are using a PCI(e) card, also compile and install the driver for that card. This
guide assumes that an Ubuntu-based Linux distribution or Microsoft Windows Server 2008 is used.
Software and Hardware Requirements
HSM Model       CryptoServer CS-Series/S-Series/Se-Series PCI
                CryptoServer CS-Series/S-Series/Se-Series LAN
                CryptoServer Simulator CS/Se
HSM Firmware    CryptoServer 2.50
Software        CryptoServer 2.50
                Linux 3.19 (Ubuntu 15.04 amd64)
                Microsoft Windows Server 2008 x86
2.1 Supported Operating Systems
For interoperability of the CryptoServer solution, the following combinations of operating system,
CryptoServer version, Bind and OpenSSL have been tested successfully:

Operating System                      CryptoServer Version   Bind        OpenSSL   PCI Support   Ethernet Support
Windows Server 2008 Enterprise x86    2.30.2                 9.7.2-P3    0.9.8i    Yes           Yes
Debian 4.1.2 x86/amd64                2.50                   9.7.2-P3    0.9.8i    Yes           Yes
Ubuntu 15.04 x86/amd64                3.21                   9.10.2-P1   1.0.1j    Yes           Yes

3 Installation
The installation of the CryptoServer in preparation for the integration with Bind consists of two parts:
• Install CryptoServer Hardware
• Install CryptoServer Software
3.1 Install CryptoServer Hardware
For information on installing and setting up a CryptoServer PCI or LAN device, see the CryptoServer
PCI / LAN Installation & Operating Manual. No additional software specific to running the CryptoServer
is required at this stage.
3.2 Install CryptoServer Software
The CryptoServer software, which includes the administrative tools and the library software, has to be
installed manually on a Linux-based system. For the installation of the necessary PKCS#11 libraries,
refer to the CryptoServer PKCS#11 Interface and the SafeGuard CryptoServer - PKCS#11 (R2)
Development Guide. Further PKCS#11-related configuration steps for the integration are explained
in the next chapters.

4 Procedures
The steps to integrate the CryptoServer with BIND differ slightly between Linux and Microsoft Windows.
Where the integration steps differ, the individual steps are explained in separate sections.
To integrate the CryptoServer with the BIND domain name server (named) in a DNSSEC-secured
environment, follow these steps:
1. Configure PKCS#11 environment
2. Test PKCS#11 environment
3. Patch and Build OpenSSL
4. Install BIND Domain Name Server
5. Generate Keys and Sign a Zone
4.1 Configure PKCS#11 Environment
The location of the library and the configuration file differs between Linux and Microsoft Windows.
Therefore the procedure to set up the PKCS#11 or PKCS#11 R2 environment is described separately
for each.
4.1.1 Linux
The PKCS#11 library and configuration files have to be installed manually on Linux. For the installation
steps, refer to the QuickStart Guide PKCS#11 [?].
4.1.2 Microsoft Windows
With the installation of the CryptoServer software, the necessary libraries, tools and the configuration
file cs2_pkcs11.ini have been installed on your Microsoft Windows system. An environment variable
referring to the configuration file has also been set up.
4.1.3 Adjust Configuration File
The device specifier used to address the CryptoServer has to be adjusted in the configuration file of
the PKCS#11 (R2) library. Open the configuration file cs2_pkcs11.ini (PKCS#11) or cs_pkcs11_R2.cfg
(PKCS#11 R2) with an editor of your choice and find the device parameter in the CryptoServer section.
Set it to one of the following values, according to your CryptoServer hardware:
• IP address of your device (e.g. 192.168.0.42)
This device specifier is used for network-attached devices. Details on setting up the IP address of
your device can be found in the CryptoServer LAN Operating & Installation Manual.
• /dev/cs2
This device specifier addresses a locally installed PCI or PCIe device. An installed device driver is
required to open a connection. Details on setting up the driver can be found in the CryptoServer
PCI(e) Operating & Installation Manual.
For debugging purposes, change the Logging parameter from 0 (no logging) to 15 (PKCS#11) or 5
(PKCS#11 R2) to obtain full logging details. Reset it to 0 once the integration works, since full logging
is verbose.
4.2 Test PKCS#11 Environment
p11tool (PKCS#11) and p11tool2 (PKCS#11 R2) are the administration command line tools for managing
the PKCS#11 and PKCS#11 R2 configuration of the CryptoServer. Check that your PKCS#11 environment
has been configured and installed correctly by running the ListSlots command of p11tool or p11tool2.
The output should list the available PKCS#11 slot numbers:
0: 00000000
1: 00000001
2: 00000002
3: 00000003
4: 00000004
Listing 1: ListSlots
Initialize a PKCS#11 slot to store the cryptographic keys that will be used for DNSSEC later in this
document.
PKCS#11
# p11tool slot=0 InitToken=123456
# p11tool slot=0 LoginSO=123456 InitPin=utimaco123
PKCS#11 R2
# p11tool2 Login=ADMIN,:cs2:cyb:USB0 slot=0 InitToken=123456
# p11tool2 slot=0 LoginSO=123456 InitPin=utimaco123
The InitPin parameter sets the PKCS#11 user PIN of the slot. This PIN will be used later in this
document for PKCS#11 user authentication. The security officer PIN (123456) and user PIN
(utimaco123) shown here are placeholders; choose your own values, and keep in mind that the user
PIN will later have to be available to the signing process, so it must be stored with the same care as
the zone data it protects.
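The two checks above, the device specifier from section 4.1.3 and the slot list from ListSlots, can be scripted before any token is initialized. The following script is an added example written for this guide, not Utimaco's code. It assumes the configuration keys are spelled Device and Logging (the guide names the parameters but not their exact spelling; adapt the names to your cs2_pkcs11.ini or cs_pkcs11_R2.cfg) and that ListSlots prints one "N: id" line per slot as in Listing 1. The sample listing and configuration file in the script are constructed, not captured from a device.

```shell
#!/bin/sh
# Added example, not Utimaco's code: offline sanity checks for the PKCS#11
# environment described in sections 4.1.3 and 4.2 of the guide.
# Assumed: key names "Device" and "Logging" in an ini-style file, and a
# ListSlots output with one "N: id" line per slot (Listing 1).

# Accept only the two device forms the guide allows: the local PCI(e)
# device node or a dotted-quad IPv4 address with octets in 0..255.
valid_device_spec() {
    spec="$1"
    [ "$spec" = "/dev/cs2" ] && return 0
    echo "$spec" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs="$IFS"; IFS=.
    set -- $spec
    IFS="$old_ifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read the value of "Key = value" from an ini-style file (key matched
# case-insensitively, surrounding whitespace dropped). Prints nothing
# if the key is absent.
config_value() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# True if the ListSlots output (passed as a string) lists slot number $1.
slot_listed() {
    printf '%s\n' "$2" | grep -q "^$1:[[:space:]]"
}

# Run all checks against a config file, a ListSlots output and the slot
# you intend to initialize. Returns 0 only if everything looks usable.
check_pkcs11_env() {
    cfg="$1"; listing="$2"; slot="$3"; rc=0
    dev="$(config_value "$cfg" Device)"
    if ! valid_device_spec "$dev"; then
        echo "bad Device specifier '$dev' (expected /dev/cs2 or an IPv4 address)" >&2
        rc=1
    fi
    log="$(config_value "$cfg" Logging)"
    if [ -n "$log" ] && [ "$log" != 0 ]; then
        echo "note: Logging=$log, debug logging is on; set it back to 0 for production" >&2
    fi
    if ! slot_listed "$slot" "$listing"; then
        echo "slot $slot does not appear in the ListSlots output" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample ListSlots output (the layout of Listing 1), not
# captured from a real device.
SAMPLE_LISTING='0: 00000000
1: 00000001
2: 00000002
3: 00000003
4: 00000004'

# Stand-alone demonstration with a constructed configuration file.
demo() {
    tmp="$(mktemp)"
    printf '[CryptoServer]\nDevice = 192.168.0.42\nLogging = 0\n' > "$tmp"
    check_pkcs11_env "$tmp" "$SAMPLE_LISTING" 0; rc=$?
    rm -f "$tmp"
    return $rc
}
```

In practice, replace SAMPLE_LISTING with the captured output of `p11tool ListSlots` (or `p11tool2 ListSlots`) and point check_pkcs11_env at the real configuration file; a non-zero exit means the environment is not ready for InitToken.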
4.3 Patch and Build OpenSSL
Building OpenSSL from source with the PKCS#11 patch enables PKCS#11 support in OpenSSL. As BIND
uses OpenSSL for its cryptographic operations, BIND is then able to use PKCS#11 as its cryptographic
interface. The OpenSSL source code needs to be patched to enable OpenSSL to interface with
PKCS#11; the patch is bundled with the BIND source code. Download and extract the sources for
OpenSSL [2] and Bind 9 [3] first.
4.3.1 Linux
1. Apply the patch that matches your BIND and OpenSSL versions. The patch is located in the BIND
source tree:
• Bind 9.7.2: ./bind-9.7.2-P3/bin/pkcs11/openssl-0.9.8l-patch
Switch to the OpenSSL directory and run
# patch -p1 < path-to/openssl-0.9.8l-patch
• Bind 9.10.2: ./bind-9.10.2-P1/bin/pkcs11/openssl-1.0.1j-patch
Switch to the OpenSSL directory and run
# patch -p1 < path-to/openssl-1.0.1j-patch
2. Configure OpenSSL on a 32 bit machine
# ./Configure linux-generic32 -m32 -pthread \
--pk11-libname=/usr/lib/cryptoserver/libcs2_pkcs11.so \
--pk11-flavor=crypto-accelerator \
--prefix=/opt/openssl-p11
If you are on a 64 bit machine, configure OpenSSL via
# ./Configure linux-x86_64 \
--pk11-libname=/usr/lib/cryptoserver/libcs2_pkcs11.so \
--pk11-flavor=crypto-accelerator \
--prefix=/opt/openssl-p11
The pk11-libname parameter points to the path of the PKCS#11 library, pk11-flavor determines which
kind of PKCS#11 engine (provided by the patch) is used, sign-only or crypto-accelerator, and the
prefix parameter points to the directory where the libraries are located after the installation. With
crypto-accelerator all public-key operations, including signature verification, are performed in the
HSM; with sign-only only the signing operations are offloaded and everything else stays in software.
[2] OpenSSL - http://www.openssl.org/source/
[3] Bind 9 - http://www.isc.org/software/bind
3. Build and test OpenSSL
# make
# make test
If some errors occur at this point, recheck the configuration.
4. Check the availability of the engine by running the command
# ./apps/openssl engine pkcs11 -t
5. Install OpenSSL binary
# make install
This makes the modified OpenSSL suite available in /opt/openssl-p11, as specified during
configuration.
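The five steps above can be driven by one script. The following is an added example written for this guide, not Utimaco's or ISC's code. It assumes the library path, patch names, prefix and flavor quoted in the steps (all overridable through environment variables), takes the OpenSSL source directory and the patch file as arguments, selects the Configure target from the machine architecture, and refuses to build when the PKCS#11 library is missing or is not an ELF shared object, or when the patch does not apply cleanly.

```shell
#!/bin/sh
# Added example, not Utimaco's or ISC's code: drives the Linux
# patch / Configure / make / engine-check / install sequence of
# section 4.3.1. Assumed defaults are the values quoted in the guide.
set -u

PK11_LIB="${PK11_LIB:-/usr/lib/cryptoserver/libcs2_pkcs11.so}"   # path from the guide
PREFIX="${PREFIX:-/opt/openssl-p11}"                              # prefix from the guide
PK11_FLAVOR="${PK11_FLAVOR:-crypto-accelerator}"                  # or: sign-only

# Map the machine architecture (uname -m) to the OpenSSL Configure target
# and extra flags used in the guide. Fails for anything else.
openssl_target() {
    case "$1" in
        x86_64|amd64)          echo "linux-x86_64" ;;
        i386|i486|i586|i686)   echo "linux-generic32 -m32 -pthread" ;;
        *)                     return 1 ;;
    esac
}

# Assemble the full Configure argument line for a given target.
configure_args() {
    printf '%s --pk11-libname=%s --pk11-flavor=%s --prefix=%s\n' \
        "$1" "$PK11_LIB" "$PK11_FLAVOR" "$PREFIX"
}

# Refuse to build against a library that is unreadable or not an ELF
# object (magic bytes 7f 45 4c 46); a wrong path would only surface at
# run time as an engine load failure.
check_pk11_lib() {
    [ -r "$1" ] || { echo "PKCS#11 library not readable: $1" >&2; return 1; }
    magic="$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')"
    [ "$magic" = "7f454c46" ] || { echo "not an ELF object: $1" >&2; return 1; }
}

# Check that the patch applies cleanly before modifying the tree
# (GNU patch option; use -C on BSD patch).
dry_run_patch() {
    ( cd "$1" && patch -p1 --dry-run --silent < "$2" )
}

# Full sequence: patch, Configure, build, test, engine check, install.
# Usage: build_openssl_p11 <openssl-src-dir> <patch-file>
build_openssl_p11() {
    src="$1"; patchfile="$2"
    check_pk11_lib "$PK11_LIB" || return 1
    dry_run_patch "$src" "$patchfile" || { echo "patch does not apply cleanly" >&2; return 1; }
    target="$(openssl_target "$(uname -m)")" || { echo "unsupported architecture" >&2; return 1; }
    ( cd "$src" \
      && patch -p1 < "$patchfile" \
      && ./Configure $(configure_args "$target") \
      && make \
      && make test \
      && ./apps/openssl engine pkcs11 -t \
      && make install )
}

# Run the sequence only when invoked with both arguments, e.g.
#   sh build-openssl-p11.sh ./openssl-1.0.1j ./bind-9.10.2-P1/bin/pkcs11/openssl-1.0.1j-patch
if [ "$#" -eq 2 ]; then
    build_openssl_p11 "$1" "$2"
fi
```

The engine check (`openssl engine pkcs11 -t`) is the first step that actually opens the PKCS#11 library, so a failure there usually points back to the Device or library path settings of section 4.1.3 rather than to the build.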
4.3.2 Microsoft Windows
1. Apply the patch located at "bind-9.7.2-P3\bin\pkcs11\openssl-0.9.8l-patch" to OpenSSL. A Unix-like
environment such as Cygwin is required for this, to have the "patch" utility available. Switch to the
OpenSSL directory and execute the command:
# patch -p1 < path-to/openssl-0.9.8l-patch
2. Configuring and building OpenSSL requires Perl to be installed. This guide uses ActivePerl-5.12.2 [4].
[4] ActivePerl-5.12.2 - http://www.activestate.com/activeperl/downloads