#8094 Allow using of a custom OpenSSL engine for ISC BIND
Closed: fixed 2 years ago by abbra. Opened 2 years ago by slev.

According to the current design page of bind-dyndb-ldap [1],
to provide the DNSSEC feature, BIND utilizes its own PKCS11 implementation to connect to SoftHSM directly.

Such support for PKCS11 is configured during BIND build.
For example,

  --enable-native-pkcs11 \

The main disadvantage of this is that distros have to have two sets of binaries and libraries, one of which performs crypto ops using OpenSSL, the other using SoftHSM.

As a result, this may become a blocker to support DNSSEC in FreeIPA installations.
For example, for this reason, ALT Linux doesn't have DNSSEC in FreeIPA [3].

Fortunately, there is a nice project, libp11 [2],
which provides a pkcs11 engine plugin for the OpenSSL library for accessing PKCS#11 modules in a semi-transparent way.

With the help of libp11, FreeIPA could use the regular named (BIND) [4], thereby improving the cross-platform support.

At the time of this writing, libp11 and SoftHSM have merged the needed patches but haven't released them yet.

[1] https://docs.pagure.org/bind-dyndb-ldap/BIND9/Design/DNSSEC/Keys/Shortterm.html#dnssec-key-rotation-shortterm
[2] https://github.com/OpenSC/libp11
[3] https://gitlab.isc.org/isc-projects/bind9/issues/1228
[4] ftp://ftp.isc.org/isc/bind9/9.11.10/doc/arm/Bv9ARM.ch04.html#pkcs11

To make it usable, we also need to rebase OpenDNSSEC and SoftHSM to newer versions (there were issues with the OpenDNSSEC rebase) in downstreams.

Yesterday's news:

Actually, I've checked the DNSSEC feature against the OpenDNSSEC 1.4 branch.
But, of course, I could try 2.x.

I filed https://bugzilla.redhat.com/show_bug.cgi?id=1759888 for RHEL. We'll probably need to create a change request for Fedora 32 too.

F30 and F31 have the bare libp11-0.4.10, while the list of required:

I could open tickets for Fedora. For which versions (Fedora) should I do it?

Let's start with rawhide.

The OpenSSL engine patch is failing in FIPS mode.

The OpenSSL PKCS11 engine does not set the RSA_FLAG_FIPS_METHOD flag on the RSA ENGINE method. Therefore OpenSSL FIPS mode considers the method as non-FIPS compliant and RSA_new().

(gdb) n
93          if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) {
(gdb) n
(gdb) bt
#0  RSA_new_method (engine=engine@entry=0x0) at crypto/rsa/rsa_lib.c:94
#1  0x00007ffff7b5575b in RSA_new () at crypto/rsa/rsa_lib.c:22
#2  0x00007ffff7f1be2f in opensslrsa_fromdns (key=0x7ffff4d462f0, data=0x7ffff71c7a80) at ../../../lib/dns/opensslrsa_link.c:1254
#3  0x00007ffff7f20042 in frombuffer (name=name@entry=0x7ffff71c7b00, alg=alg@entry=8, flags=flags@entry=257, protocol=protocol@entry=3, 
    rdclass=rdclass@entry=1, source=source@entry=0x7ffff71c7a80, mctx=0x5555556515a0, keyp=0x7ffff71c7968) at ../../../lib/dns/dst_api.c:1943
#4  0x00007ffff7f20240 in dst_key_fromdns (name=name@entry=0x7ffff71c7b00, rdclass=<optimized out>, source=source@entry=0x7ffff71c7a80, 
    mctx=mctx@entry=0x5555556515a0, keyp=keyp@entry=0x7ffff71c7a08) at ../../../lib/dns/dst_api.c:794
#5  0x00005555555ae41a in dstkey_fromconfig (vconfig=vconfig@entry=0x0, key=0x7ffff72083f8, managed=managed@entry=true, 
    target=target@entry=0x7ffff71c9d88, mctx=mctx@entry=0x5555556515a0) at ../../../bin/named/server.c:792
#6  0x00005555555ae592 in load_view_keys (keys=<optimized out>, vconfig=vconfig@entry=0x0, view=view@entry=0x7ffff00d2cf0, 
    managed=managed@entry=true, keyname=keyname@entry=0x0, mctx=mctx@entry=0x5555556515a0) at ../../../bin/named/server.c:845
#7  0x00005555555af09b in configure_view_dnsseckeys (view=view@entry=0x7ffff00d2cf0, vconfig=vconfig@entry=0x0, config=config@entry=0x7ffff72018a8, 
    bindkeys=bindkeys@entry=0x0, auto_root=auto_root@entry=false, mctx=mctx@entry=0x5555556515a0) at ../../../bin/named/server.c:1041
#8  0x00005555555bbdf6 in configure_view (view=<optimized out>, viewlist=viewlist@entry=0x7ffff71cc8c0, config=<optimized out>, 
    vconfig=vconfig@entry=0x0, cachelist=cachelist@entry=0x7ffff71cc8e0, bindkeys=<optimized out>, mctx=<optimized out>, actx=<optimized out>, 
    need_hints=<optimized out>) at ../../../bin/named/server.c:4705
#9  0x00005555555ca9ff in load_configuration (filename=<optimized out>, server=server@entry=0x7ffff71da010, first_time=first_time@entry=true)
    at ../../../bin/named/server.c:8125
#10 0x00005555555cbb02 in run_server (task=<optimized out>, event=<optimized out>) at ../../../bin/named/server.c:8887
#11 0x00007ffff7cbfebe in dispatch (manager=0x7ffff71d3010) at ../../../lib/isc/task.c:1145
#12 run (uap=0x7ffff71d3010) at ../../../lib/isc/task.c:1319
#13 0x00007ffff79444e2 in start_thread () from /lib64/libpthread.so.0
#14 0x00007ffff76e96a3 in clone () from /lib64/libc.so.6
(gdb) p *ret
$5 = {pad = 0, version = 0, meth = 0x555555631b10, engine = 0x5555556375d0, n = 0x0, e = 0x0, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1 = 0x0, 
  iqmp = 0x0, prime_infos = 0x0, pss = 0x0, ex_data = {sk = 0x0}, references = 1, flags = 0, _method_mod_n = 0x0, _method_mod_p = 0x0, 
  _method_mod_q = 0x0, bignum_data = 0x0, blinding = 0x0, mt_blinding = 0x0, lock = 0x7ffff0000b60}
(gdb) p *ret->engine
$6 = {id = 0x7ffff5199000 "pkcs11", name = 0x7ffff5199016 "pkcs11 engine", rsa_meth = 0x555555631b10, dsa_meth = 0x0, dh_meth = 0x0, 
  ec_meth = 0x555555631a90, rand_meth = 0x0, ciphers = 0x0, digests = 0x0, pkey_meths = 0x7ffff5196d80 <PKCS11_pkey_meths>, pkey_asn1_meths = 0x0, 
  destroy = 0x7ffff518e760 <engine_destroy>, init = 0x7ffff518e730 <engine_init>, finish = 0x7ffff518e700 <engine_finish>, 
  ctrl = 0x7ffff518e6b0 <engine_ctrl>, load_privkey = 0x7ffff518e600 <load_privkey>, load_pubkey = 0x7ffff518e670 <load_pubkey>, 
  load_ssl_client_cert = 0x0, cmd_defns = 0x7ffff519e720, flags = 0, struct_ref = 7, funct_ref = 5, ex_data = {sk = 0x5555556311e0}, 
  prev = 0x5555556376f0, next = 0x0

openssl-pkcs11-0.4.10-6 fixes the issue. I'm going to add the new version to master copr until the build has reached stable F31 and F32.
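
The check hit at rsa_lib.c line 93 in the trace above, as a self-contained model (an added example, not OpenSSL, libp11 or FreeIPA code). The struct types, `model_rsa_new` and `can_create_rsa` are hypothetical stand-ins and the flag's bit value is illustrative; it shows why `RSA_new()`, called with no engine argument while loading public keys, is still rejected once an engine whose RSA method lacks the flag is the default for RSA.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for OpenSSL's RSA_METHOD / ENGINE / RSA (model only). */
#define RSA_FLAG_FIPS_METHOD 0x0400 /* illustrative bit value for this model */

typedef struct { const char *name; int flags; } rsa_method;
typedef struct { const char *id; const rsa_method *rsa_meth; } engine;
typedef struct { const rsa_method *meth; const engine *eng; } rsa_key;

static const rsa_method builtin_meth = { "builtin", RSA_FLAG_FIPS_METHOD };
static const engine *default_rsa_engine = NULL; /* engine registered as default for RSA */
static int fips_mode = 0;

/* Mirrors the flow visible in the trace: engine == NULL falls back to the
 * default RSA engine, and that engine's method is checked for the FIPS flag. */
static int model_rsa_new(rsa_key *out, const engine *e)
{
    out->meth = &builtin_meth;
    out->eng = e ? e : default_rsa_engine;
    if (out->eng && out->eng->rsa_meth)
        out->meth = out->eng->rsa_meth;
    if (fips_mode && !(out->meth->flags & RSA_FLAG_FIPS_METHOD))
        return 0; /* rejected: method is not marked FIPS-capable */
    return 1;
}

/* Returns 1 if an RSA object can be created in the given setup, 0 if not. */
int can_create_rsa(int fips, int engine_is_default, int engine_meth_flags)
{
    rsa_method pkcs11_meth = { "pkcs11", engine_meth_flags };
    engine pkcs11 = { "pkcs11", &pkcs11_meth };
    rsa_key key;
    int ok;

    fips_mode = fips;
    default_rsa_engine = engine_is_default ? &pkcs11 : NULL;
    ok = model_rsa_new(&key, NULL); /* no engine passed, as RSA_new() does */
    default_rsa_engine = NULL;      /* do not keep a pointer to a local */
    return ok;
}

int main(void)
{
    printf("no FIPS, engine default, flag unset: %d\n", can_create_rsa(0, 1, 0));
    printf("FIPS, engine default, flag unset:    %d\n", can_create_rsa(1, 1, 0));
    printf("FIPS, engine default, flag set:      %d\n", can_create_rsa(1, 1, RSA_FLAG_FIPS_METHOD));
    printf("FIPS, no default engine:             %d\n", can_create_rsa(1, 0, 0));
    return 0;
}
```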


  • 173cd9b spec: Require ldns-utils
  • a9334ce named: Remove no longer used paths
  • 5c907e3 named: Allow using of a custom OpenSSL engine for BIND
  • bed09b7 DNSKeySyncInstance: Populate named/ods uid/gid on instantiation
  • 85ed106 upgrade: Handle migration of BIND OpenSSL engine
  • 721435c named: Make use of 'pkcs11' OpenSSL engine for BIND on Fedora31
  • 53b341f spec: Bump required openssl-pkcs11 and softhsm
  • 8716881 service: Allow service to clean up its state
  • ecfaf89 named: Don't override custom command line options for named
  • e2030b8 named: Include crypto policy in openssl config
  • 92157bc ipa-dnskeysyncd: Raise loglevel to DEBUG

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
