Note
This is an experimental feature, use at your own risk!
To enable it, compile PowerDNS Authoritative Server using --enable-experimental-pkcs11 flag on configure.
This requires you to have the p11-kit libraries and headers.
You can also log on to the tokens after starting the server, in this case you need to edit your PKCS#11 cryptokey record and remove PIN or set it empty. Do this after assigning/creating a key, as the PIN is required for assigning keys to zone.
Warning
Due to an interaction between SoftHSM and Botan, the PowerDNS Authoritative Server will most likely crash on exit when built with --enable-botan1.10 --enable-experimental-pkcs11.
In 4.2.0, Botan support has been removed and this is no longer an issue.
To test this feature, a software HSM can be used. It is not recommended to do this in production.
These instructions have been tested on Debian 10 (Buster).
apt-get install softhsm p11-kit
Verify that it works: p11-kit -l, you should see softhsm2: .....
Create a token:
softhsm2-util --init-token --label my-pkcs11-dnskey --free --pin 1234 --so-pin 1234
Assign the token to a zone (it says KSK, but because there is no ZSK, this will become a CSK):
pdnsutil hsm assign example.com ecdsa256 ksk softhsm2 my-pkcs11-dnskey 1234 'my key' 'my pub key'
Create the key (for 25, use the ID shown by the previous command):
pdnsutil hsm create-key example.com 25
Verify that everything worked, you should see valid data there:
pdnsutil show-zone example.com
Based on https://p11-glue.github.io/p11-glue/p11-kit/manual/remoting.html.
You need to install gnutls-bin to get token URLs.
You cannot run p11-kit server as root, so you will need some user for running it. This user must be in the softhsm group.
These commands need to be run as the non-root user (we shall call it tokenuser).
First, set up your token:
softhsm2-util --init-token --label "ecdsa#1" --pin 1234 --so-pin 1234 --free
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so --keypairgen --key-type EC:prime256v1 --pin 1234 -a 'my key' --token-label "ecdsa#1"
Ensure it’s there:
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so -l -O -p 1234
Get the URL for p11-kit server, which is needed for the server:
p11tool --provider /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-client.so --list-tokens
Set up forwarding:
cat <<EOF > /etc/pkcs11/modules/p11-kit-client.module
module: /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-client.so
EOF
p11-kit server -u pdns --provider /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=29fdc44dc0d61539;token=ecdsa%231"
P11_KIT_SERVER_ADDRESS=unix:path=/run/user/1000/p11-kit/pkcs11-5198; export P11_KIT_SERVER_ADDRESS;
P11_KIT_SERVER_PID=5199; export P11_KIT_SERVER_PID;
You will need those values in PowerDNS running environment. Now you can verify that the token is reachable as pdns user with:
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-client.so -T
Available slots:
Slot 0 (0x10): SoftHSM slot ID 0x40d61539
token label : ecdsa#1
token manufacturer : SoftHSM project
token model : SoftHSM v2
token flags : login required, rng, token initialized, PIN initialized, other flags=0x20
hardware version : 2.5
firmware version : 2.5
serial num : 29fdc44dc0d61539
pin min/max : 4/255
Then assign the HSM token to your zone with:
pdnsutil hsm assign example.com ecdsa256 ksk p11-kit-client 'ecdsa#1' 1234 'my key'
And then verify with show-zone that the zone now has a valid key.
You can do this over SSH as well (note that the example connects from token server to DNS server):
ssh -R /var/run/pdns/pkcs11:${P11_KIT_SERVER_ADDRESS#*=} pdns@server
export P11_KIT_SERVER_ADDRESS=/var/run/pdns/pkcs11
Verify that the token is visible:
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-client.so -T
Then use the pdnsutil hsm assign command like before to assign the key to your zone; now you have DNSSEC over SSH.
Instructions on how to use CryptAS Athena IDProtect Key USB Token V2J Smart Card token on Ubuntu 14.04.
Install the manufacturer’s support software on your system and initialize the Smart Card token as per instructions (do not use PIV).
apt-get install p11-kit opensc
Create directory /etc/pkcs11/modules.
Create file named athena.module with contents:
module: /lib64/libASEP11.so
managed: yes
Verify it worked, it should resemble output below. Do not continue if this does not show up.
$ p11-kit -l
athena: /lib64/libASEP11.so
library-description: ASE Cryptoki
library-manufacturer: Athena Smartcard Solutions
library-version: 3.1
token: IDProtect#0A50123456789
manufacturer: Athena Smartcard Solutions
model: IDProtect
serial-number: 0A50123456789
hardware-version: 1.0
firmware-version: 1.0
flags:
rng
login-required
user-pin-initialized
token-initialized
Using pkcs11-tool, initialize your new keys. After this IDProtect Manager no longer can show your token certificates and keys, at least on version v6.23.04.
pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk
pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -k --key-type RSA:2048 -a zone-zsk
Verify that keys are there:
$ pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -O
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
label: zone-ksk
Usage: encrypt, verify, wrap
Public Key Object; RSA 2048 bits
label: zone-zsk
Usage: encrypt, verify, wrap
Private Key Object; RSA
label: zone-ksk
Usage: decrypt, sign, unwrap
Private Key Object; RSA
label: zone-zsk
Usage: decrypt, sign, unwrap
Assign the keys using:
pdnsutil hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk
Verify that everything worked, you should see valid data there.
pdnsutil show-zone zone
Note that the physical token is pretty slow, so you have to use it as hidden master. It has been observed to produce about 1.5 signatures/second.