BIND issue #1533 (Closed)
Created Dec 30, 2019 by Cathy Almond (@cathya, Developer)

Update the BIND ARM to clarify which algorithms are supported with HSMs using patched OpenSSL vs. native pkcs11

Per Support ticket #15888, it was not clear from the BIND ARM that patched-OpenSSL doesn't support ECDSA when accessing an HSM.

For example:

```
dnssec-keyfromlabel -a 13 -E pkcs11 -l "pkcs11:<key ID redacted>" -3 testzone
dnssec-keyfromlabel: fatal: failed to get key testzone/ECDSAP256SHA256: algorithm is unsupported
```

and:

```
pkcs11-keygen -a ECDSAP256SHA256 -b 1024 -l iscissue02
prime256v1 and secp3841r1 are not supported
```

The HSM in use does support ECDSAP256SHA256 (algorithm 13). The key with the ID being requested in the first example had previously been created using OpenDNSSEC and was confirmed to be present in the HSM using pkcs11-list, although it was not possible to create a similar key directly using pkcs11-keygen (the second example shows the lack of support for ECDSA in the BIND tools built this way).

Inspection of the patch for OpenSSL (~/bin/pkcs11/openssl-1.0.2h-patch) revealed that it does not add support for ECDSA, which is why the tools are unable to access or create keys in the HSM using algorithm 13, even though the HSM itself supports this.

This was a surprise - please can the ARM be updated to make the limitations of patched-OpenSSL HSM support a lot clearer.

Edited Dec 30, 2019 by Cathy Almond