Configure Bind 9

this section explains how to configure bind 9 to integrate with the {{vectera}} hsm to store the keys used for zone file signing before starting this section, install and configure bind 9 per your specific requirements perform the tasks in this section to configure bind 9 generate keys perform the following steps by using the pkcs11 tool available from the opensc suite to generate keys on both deb based and rpm based distributions, the package is called opensc generate the following rsa keys on the {{vectera}} by using pkcs11 tool the key signing key (ksk) and the zone signing key (zsk) when prompted for the user pin, enter the password of the identity configured in the futurex pkcs #11 file, fxpkcs11 cfg each key must have a unique label because later commands use that label to reference the private key sudo pkcs11 tool module /usr/local/bin/fxpkcs11/libfxpkcs11 so login keypairgen key type rsa 2048 label "example com ksk"sudo pkcs11 tool module /usr/local/bin/fxpkcs11/libfxpkcs11 so login keypairgen key type rsa 1024 label "example com zsk" the command output should look similar to the following key pair generated private key object; rsa label example com ksk usage decrypt, sign, unwrap public key object; rsa 2048 bits label example com ksk usage encrypt, verify, wrap to convert the rsa keys stored in the hsm into a format that bind 9 understands, use the dnssec keyfromlabel tool from bind 9 this process links the raw keys stored in the hsm with k\<zone>+\<alg>+\<id> files that the command generates you need to provide the openssl engine name ( pkcs11 ), the algorithm ( rsasha256 ), and the pkcs #11 label that specifies the token (such as futurex ), the name of the pkcs #11 object (such as label when generating the keys with pkcs11 tool ), and the hsm pin the private key file is used for dnssec signing of the zone as if it were a conventional key on the file system (such as one created with dnssec keygen ) the hsm stores the key material (we cannot extract it), and the actual signing takes place on the hsm run the following command to convert a ksk sudo dnssec keyfromlabel e pkcs11 a rsasha256 l "token=futurex;object=example com ksk;pin value=safest" f ksk example com run the following command to convert a zsk sudo dnssec keyfromlabel e pkcs11 a rsasha256 l "token=futurex;object=example com zsk;pin value=safest" example com run the following command to confirm that you have one ksk and one zsk present in the current directory ls l k the output should look similar to the following output (with different numbers) kexample com +008+31729 key kexample com +008+31729 private kexample com +008+42231 key kexample com +008+42231 private sign the zone the zone signing occurs similarly to the regular process, but we need to provide the name of the openssl engine by using the e command line option the ksk, zsk, and zone files must be present in the directory from which you run the command use the following command syntax sudo dnssec signzone e pkcs11 s o \<zone name> \<zone file> for example, you might use the following command sudo dnssec signzone e pkcs11 s o example com db example com if the command succeeds, the output looks similar to the following fetching ksk 31729/rsasha256 from key repository fetching zsk 42231/rsasha256 from key repository verifying the zone using the following algorithms rsasha256 zone fully signed algorithm rsasha256 ksks 1 active, 0 stand by, 0 revoked zsks 1 active, 0 stand by, 0 revoked db example com signed inline signing in bind bind 9 9 introduces a new inline signing option, which allows named , the name daemon on linux, to sign zones completely transparently a server can load or transfer an unsigned zone and create a signed version that answers all queries and transfer requests without altering the original unsigned version as you update the unsigned zone, named detects the changes you made and applies those changes to the signed version this enables a seamless transition to dnssec with minimal disruption to existing systems this integration guide provides a basic example of configuring bind 9 to integrate with the {{vectera}} hsm for private key storage and signing of zone files if you want to implement inline signing in bind, refer to the following inline signing article on the isc knowledgebase website