
Integration Guide: Bind 9

1 Introduction

This paper is an integration guide explaining how to integrate a Hardware Security Module (HSM), the CryptoServer, with the BIND 9.10 server on a Linux or Microsoft Windows operating system platform. Configuration details, especially of the domain name system configuration, that go beyond the normal configuration needed to integrate the hardware security module are not explained in this document. For further information on configuring and setting up BIND for a domain name system, refer to the documents and information of ISC¹.

1.1 Concepts

The Domain Name System (DNS) is a hierarchical naming system built on a distributed database for computers, services, or any resource connected to the Internet or a private network. Most importantly, it translates human-readable domain names into the numerical identifiers associated with networking equipment, for the purpose of locating and addressing these devices worldwide. The Domain Name System is often compared with the phone book of the worldwide Internet. The original design of the Domain Name System did not include any security. Instead, it was developed as a simple, scalable distributed system.

The Domain Name System Security Extensions (DNSSEC) attempt to add security while maintaining backwards compatibility with the existing Domain Name System. RFC 3833 attempts to document some of the known threats to the DNS and how DNSSEC tries to respond to those threats. DNSSEC was designed to protect Internet resolvers from forged DNS data, such as that created by DNS cache poisoning. All answers from a DNSSEC-enabled domain name server are digitally signed. By verifying the digital signature, a DNS resolver is able to check whether the information is correct and complete with respect to the information on the authoritative domain name server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information, such as general-purpose cryptographic certificates, too. Basically, cryptographic keys are used to sign domain name related information. These keys require extensive protection against being stolen or corrupted. A hardware security module is the best solution for maintaining the highest security and performance for the protection of those keys.
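As an added example (not from the guide or from Utimaco or ISC), the following Go program models the flow described above: a constructed hsmKey type exposes only a public key and a Sign operation, as a PKCS#11-backed key would, the authoritative side signs a canonical form of an A record set, and the resolver side verifies it with the zone's public key and rejects a forged address. Ed25519 is one of the DNSSEC signature algorithms; the canonical form, names and addresses here are simplified assumptions rather than the RRSIG wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// hsmKey is a constructed stand-in for an HSM-held key: callers get the public key and Sign, never the private bytes.
type hsmKey struct{ priv ed25519.PrivateKey }

func newHSMKey() (*hsmKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &hsmKey{priv: priv}, nil
}

func (k *hsmKey) Public() ed25519.PublicKey { return k.priv.Public().(ed25519.PublicKey) }
func (k *hsmKey) Sign(msg []byte) []byte { return ed25519.Sign(k.priv, msg) }

// rrsetBytes is a simplified stand-in for DNSSEC's canonical RRset form: the owner name is
// lower-cased and records sorted, so a reordered answer verifies but a changed address does not.
func rrsetBytes(owner, rtype string, rdata []string) []byte {
	sorted := append([]string(nil), rdata...)
	sort.Strings(sorted)
	return []byte(strings.ToLower(owner) + "|" + rtype + "|" + strings.Join(sorted, "|"))
}

// signRRset is the authoritative server's side: the HSM signs the RRset.
func signRRset(k *hsmKey, owner, rtype string, rdata []string) []byte {
	return k.Sign(rrsetBytes(owner, rtype, rdata))
}

// verifyRRset is the resolver's side: check the answer against the zone's public key.
func verifyRRset(pub ed25519.PublicKey, owner, rtype string, rdata []string, sig []byte) bool {
	return ed25519.Verify(pub, rrsetBytes(owner, rtype, rdata), sig)
}

func main() {
	k, err := newHSMKey()
	if err != nil {
		panic(err)
	}
	sig := signRRset(k, "www.example.com.", "A", []string{"192.0.2.10"}) // constructed sample record
	fmt.Println("genuine:", verifyRRset(k.Public(), "www.example.com.", "A", []string{"192.0.2.10"}, sig))
	fmt.Println("forged:", verifyRRset(k.Public(), "www.example.com.", "A", []string{"198.51.100.99"}, sig))
}
```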

¹ ISC - http://www.isc.org

