This document provides information about configuring CryptoHub with BIND by using Futurex PKCS #11 libraries. For additional information about CryptoHub, see the CryptoHub Administrator Guide.

About BIND

BIND is a software suite for interacting with the DNS. Its most prominent component, named, performs both primary DNS server roles, acting as an authoritative name server for DNS zones and as a recursive resolver within the network. As of 2015, it is the most widely used domain name server software and is the de facto standard on Unix-like operating systems. Also contained in the suite are various administrative tools, such as nsupdate and dig, as well as a DNS resolver interface library.

How the BIND integration works

The integration involves the following steps:
  1. Zone data creation or update: The user creates or updates the DNS zone file.
  2. Key reference request: BIND identifies the signing keys the zone requires.
  3. HSM login: BIND authenticates to CryptoHub by using PKCS #11.
  4. Signing key access: CryptoHub locates the requested signing keys.
  5. HSM signing operation: CryptoHub generates the digital signatures by using the private keys.
  6. Zone file update: The signed DNS records are added to the zone data.
  7. Zone publication: BIND loads and serves the signed zone data.
  8. Resolver validation: DNS resolvers verify the signatures by using the DNSSEC public keys.

PKCS #11 in BIND

The PKCS #11 support in BIND comes in two forms:
  • Native PKCS #11 - BIND interfaces directly with the Vectera Plus provided library through the PKCS #11 API. This allows BIND to interact directly with the PKCS #11 provider for public key cryptography (DNSSEC).
  • OpenSSL-based PKCS #11 - BIND uses an OpenSSL PKCS #11 provider (such as pkcs11-provider from the Latchset project) to interact with Vectera Plus indirectly.
This integration guide uses the OpenSSL-based PKCS #11 method because it is the only method compatible with CryptoHub.
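The following setup script is an added example and is not part of this guide, of BIND, or of the Futurex or Latchset projects. It shows the wiring that the OpenSSL-based method above relies on and the steps 3 to 5 of the integration flow (HSM login, key lookup and signing happen inside the HSM once BIND can reach it through OpenSSL): an OpenSSL 3 configuration that activates the Latchset pkcs11-provider with the CryptoHub PKCS #11 library behind it, a check that the provider actually loaded, and the dnssec-keyfromlabel call that creates BIND key files pointing at a key stored in CryptoHub. The pkcs11-provider location, the Futurex library path, the PIN file path, the token label "CryptoHub" and the key object labels are all placeholders or assumptions; take the real values from the CryptoHub Administrator Guide and your distribution.

```shell
#!/bin/sh
# Added example, not code from the integration guide, from ISC BIND, or from Futurex.
# Writes an OpenSSL 3 configuration that loads pkcs11-provider in front of the
# CryptoHub PKCS #11 library, then provides the checks and the BIND key-creation step.
# Every path and label below is a placeholder or an assumption; replace as needed.

PKCS11_PROVIDER_SO="${PKCS11_PROVIDER_SO:-/usr/lib64/ossl-modules/pkcs11.so}"          # assumed pkcs11-provider location
CRYPTOHUB_PKCS11_LIB="${CRYPTOHUB_PKCS11_LIB:-/path/to/futurex-pkcs11-library.so}"       # placeholder: Futurex PKCS #11 library
HSM_PIN_FILE="${HSM_PIN_FILE:-/etc/bind/cryptohub.pin}"                                  # placeholder: readable only by the named user

# write_openssl_conf PATH : write the provider configuration to PATH.
# The default provider stays active so OpenSSL can still do hashing and public-key
# operations in software; the pkcs11 provider is used for the private keys held in the HSM.
write_openssl_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
module = $PKCS11_PROVIDER_SO
pkcs11-module-path = $CRYPTOHUB_PKCS11_LIB
pkcs11-module-token-pin = file:$HSM_PIN_FILE
activate = 1
EOF
}

# conf_has PATH KEY VALUE : succeed if PATH contains exactly the line "KEY = VALUE".
conf_has() {
    grep -qxF "$2 = $3" "$1"
}

# check_provider CONF : ask OpenSSL whether the pkcs11 provider loaded.
# Needs the real libraries, so it is not run in the stand-alone part below.
check_provider() {
    OPENSSL_CONF="$1" openssl list -providers | grep -q pkcs11
}

# make_zone_key CONF ZONE LABEL [KSK] : create BIND key files (K<zone>+...) that
# reference a key already generated in CryptoHub. The PKCS #11 URI form for the
# -l label is an assumption; the token label "CryptoHub" is a placeholder.
make_zone_key() {
    conf=$1; zone=$2; label=$3; role=$4
    if [ "$role" = KSK ]; then flag="-f KSK"; else flag=""; fi
    OPENSSL_CONF="$conf" dnssec-keyfromlabel -a ECDSAP256SHA256 $flag \
        -l "pkcs11:token=CryptoHub;object=$label;pin-source=$HSM_PIN_FILE" "$zone"
}

# Stand-alone run: only the offline part (writing the configuration) executes.
CONF="${TMPDIR:-/tmp}/openssl-cryptohub.cnf"
write_openssl_conf "$CONF"
echo "wrote $CONF"
# On the BIND host with the libraries installed, continue with:
#   check_provider "$CONF"
#   make_zone_key "$CONF" example.com example-ksk KSK
#   make_zone_key "$CONF" example.com example-zsk
```

Point named at the same configuration (for example through OPENSSL_CONF in its service environment) so that the provider is available when the zone is signed; the resulting key files contain only a reference to the HSM object, not the private key, which is what keeps the key material on CryptoHub as the benefits list below describes.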

What is CryptoHub?

CryptoHub is the most flexible and versatile cryptographic platform in the industry. It combines every cryptographic function within our extensive solution suite. You can operate CryptoHub within a simple web dashboard to deploy virtual cryptographic modules, fulfilling most use cases.

Benefits of CryptoHub integration through PKCS #11

Integrating with CryptoHub provides the following benefits:
  • Secure key storage: Integration with CryptoHub ensures that a hardware device securely stores cryptographic keys used for DNSSEC away from the vulnerabilities of software-based storage.
  • Enhanced performance: We engineer our HSMs to handle cryptographic operations efficiently, thus aiding in quicker DNS query responses and DNSSEC signings.
  • Regulatory compliance: The secure storage and management of cryptographic keys through CryptoHub help meet compliance standards like GDPR, HIPAA, or other country-specific regulations.
  • Redundancy and reliability: CryptoHub has built-in failover and backup capabilities, ensuring uninterrupted DNS service.
  • Centralized key management: CryptoHub provides a centralized solution for cryptographic key management, easing administrative burdens and enhancing security oversight.