Hello,
I am the ISC BIND maintainer in Fedora. Maybe you know FreeIPA is using BIND
as a secure DNS interface to LDAP. FreeIPA is using a special build of BIND
in Fedora, called bind-pkcs11. It uses the native PKCS#11 interface instead
of built-in routines. It uses PKCS#11 not only for protected storage of
private keys, but also for every cryptographic operation. It also uses
digests from PKCS#11 modules.
ISC upstream asked some time ago about the requirements for such an interface [1].
I have to admit I do not know what features FreeIPA requires from it. I
would like to ask that here. The default PKCS#11 interface is the SoftHSM2
PKCS#11 module, a software implementation linked to OpenSSL.
Is PKCS#11 also used as a hardware crypto accelerator? It definitely can be
used from bind-pkcs11 to offload digest or signature verification to a hardware
module. Do you know if that is used or wanted? Is it tested on any real
Hardware Security Module? Are there any requirements on HSM support from
FreeIPA?
The current code in BIND contains a lot of duplicated digest and crypto code.
Upstream would like to reduce the use of PKCS#11 to secure storage of PKI
(DNSSEC) keys only. Other features should use OpenSSL for it. It would be
useful on Fedora as well. If acceleration via a hardware module should be
used, an OpenSSL engine could be used for it instead.
Because of the way bind is built, it still depends on the OpenSSL library
anyway, even in the PKCS#11 build.
I would like to use message digests from OpenSSL in both bind and
bind-pkcs11 in upcoming releases. It would no longer use the PKCS#11 module
for signature verification. Are there any objections to it? Would it
break something?
[1] https://lists.isc.org/pipermail/bind-users/2018-June/100254.html
Best Regards,
Petr
--
Petr Menšík
Software Engineer
Red Hat,
http://www.redhat.com/
email: pemensik(a)redhat.com PGP: 65C6C973