Thales nshield HSM Integration Guide for ISC BIND DNSSEC www.thalesgroup.com/iss
Version: 1.1
Date: 15 June 2011

Copyright 2011 Thales e-security Limited. All rights reserved.

Copyright in this document is the property of Thales e-security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of Thales e-security Limited, neither shall it be used otherwise than for the purpose for which it is supplied.

CodeSafe, KeySafe, ncipher, nfast, nforce, nshield, payshield, and Ultrasign are registered trademarks of Thales e-security Limited. CipherTools, CryptoStor, CryptoStor Tape, keyauthority, KeyVault, ncore, nethsm, nfast Ultra, nforce Ultra, nshield Connect, ntoken, SafeBuilder, SEE, and Trust Appliance are trademarks of Thales e-security Limited. All other trademarks are the property of the respective trademark holders.

Information in this document is subject to change without notice. Thales e-security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

These installation instructions are intended to provide step-by-step instructions for installing Thales software with third-party software. These instructions do not cover all situations and are intended as a supplement to the documentation provided with Thales products.

Disclaimer: Thales e-security Limited disclaims all liabilities regarding third-party products and only provides warranties and liabilities with its own products as addressed in the Terms and Conditions for Sale.
Version: 1.1 Date: 15 June 2011 2011 nshinov10 Thales nshield HSM: Integration Guide for ISC BIND DNSSEC 1.1 2
Contents

Chapter 1: Introduction 4
  Supported Thales functionality 5
  Requirements 5
Chapter 2: Procedures 6
  Installing the HSM 6
  Installing the software 6
  Installing and configuring OpenSSL and BIND 7
  Signing a zone using the HSM 10
    Create an example zone file 10
    Generate the Key Signing Key (KSK) and Zone Signing Key (ZSK) 12
    Verify DNSSEC 18
Chapter 3: Troubleshooting 19
Addresses 21
Chapter 1: Introduction

The Domain Name Service (DNS) is the backbone of the Internet. It is a global address book for computers, and resolves Web site addresses to specific IP addresses, enabling computers across the Internet to exchange information, such as Web pages and files.

However, DNS is vulnerable to attack. For example, an attacker can interfere with DNS responses, redirecting data to their own computers for malicious gain. The Domain Name Service Security Extension (DNSSEC) is an extension to DNS that addresses this problem. DNSSEC uses Public Key Infrastructure (PKI) techniques to validate the DNS lookup response and so maintain the integrity of the DNS address book.

For DNSSEC to function properly, it is essential that the private keys, the Zone Signing Key and the Key Signing Key, are protected. Typically, the DNS server stores these keys in software within the same DNS appliance. However, this provides only limited security. The only way to properly secure the private keys is to store them in a Thales ncipher product line Hardware Security Module (HSM). Because the keys never leave the HSM, they are never exposed on the host computer and therefore not potentially available to an attacker. Moreover, the HSM is highly resistant to physical tampering.

This guide explains how to store private DNSSEC keys within Thales nshield HSMs, and how to integrate these HSMs with the Internet Systems Consortium (ISC) BIND DNS server and OpenSSL. This guide does not give a detailed explanation of the protocol, but does provide references to sources that give a more in-depth explanation of DNSSEC and BIND.
The integration of the Thales nshield HSM with the BIND DNS server and OpenSSL has been successfully tested in the following configurations:

Operating system                     ISC BIND version  Thales version   PCI/PCIe support  nethsm support  nshield Connect support
Red Hat Enterprise Linux 5 (64 bit)  9.7.3             v11.50, v11.40   Yes               Yes             Yes
Red Hat Enterprise Linux 5 (32 bit)  9.7.3             v11.50, v11.40   Yes               Yes             Yes
Solaris 10 SPARC                     9.7.3             v11.50           Yes               Yes

Throughout this guide, ISC BIND is referred to as BIND.
Supported Thales functionality

Key Generation   Yes    1-of-N Operator Card Set   Yes    Strict FIPS Support   Yes
Key Management   Yes    K-of-N Operator Card Set   Yes    Load Sharing          Yes
Key Import              Softcards                  Yes    Fail Over             Yes
Key Recovery     Yes    Module-only Key            Yes

Requirements

Before you begin the integration process:
- Read the Quick Start Guide or User Guide for your HSM.
- Read the relevant DNSSEC documentation. We recommend the ISC BIND Administrators Reference Manual and DNS and BIND (by Cricket, L. and Albitz, P., published by O'Reilly Media).

You also need to consider the following aspects of HSM administration:
- The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
- The kind of key protection to be used and, if relevant, the number and quorum of Operator Cards in the OCS, and the policy for managing these cards.
- Whether the security world must be compliant with FIPS 140-2 level 3.
- Key attributes such as the key size, persistence, and time-out.
- Whether there is any need for auditing key usage.

We recommend that you back up your security world whenever you create a new key. This is good practice in all situations. For more information, see the User Guide for the HSM.

Additional documentation produced to support your Thales HSM product can be found in the document directory of the CD-ROM or DVD-ROM for that product.

Throughout this guide, the term HSM refers to nshield Solo modules, nethsm, and nshield Connect products.
Chapter 2: Procedures

To integrate an HSM with BIND DNSSEC:
1 Install the HSM.
2 Install the nshield Support Software (ncss), and configure the security world.
3 Install and configure OpenSSL and BIND.
4 Sign a zone using the HSM.

Installing the HSM

Use the instructions in the product documentation to install the HSM. We recommend that you install the HSM before configuring the Thales software.

Installing the software

We recommend that you uninstall any existing Thales software before installing the new software.

To install the Thales software and create the security world:
1 Install the latest version of the ncss with the PKCS #11 components selected, as described in the User Guide for the HSM.
2 Export the PATH environment variable to point to the /opt/nfast/bin directory:
  # export PATH=/opt/nfast/bin:$PATH
3 Create a security world if there is not already one present. For more information, see the User Guide. To verify that a security world exists, run the following command:
  # nfkmcheck
4 Open the file named cknfastrc in the directory where the Thales software is installed. The default directory is /opt/nfast. You might have to create the cknfastrc file, if it is not already present.
  - If you are using OCS protection, add the following environment variables:
      CKNFAST_NO_ACCELERATOR_SLOTS=1
      CKNFAST_USE_THREAD_UPCALLS=1
    Create the OCS as described in the User Guide for the HSM. Ensure that your OCS pass phrase has a minimum of eight alphanumeric characters.
  - If you are using softcard protection, add the following environment variables:
      CKNFAST_NO_ACCELERATOR_SLOTS=1
      CKNFAST_LOADSHARING=1
      CKNFAST_CARDSET_HASH=<softcard_hash>
      CKNFAST_USE_THREAD_UPCALLS=1
    Create the softcard as described in the User Guide for the HSM, then run the utility ppmk --list and enter the hash provided for the softcard that you want to use. Ensure that your softcard pass phrase has a minimum of eight alphanumeric characters.
  - If you are using module-only protection, add the following environment variables:
      CKNFAST_FAKE_ACCELERATOR_LOGIN=1
      CKNFAST_USE_THREAD_UPCALLS=1
5 Export the LD_LIBRARY_PATH environment variable to point to the Thales PKCS #11 library, by running the following command:
  # export LD_LIBRARY_PATH=/opt/nfast/toolkits/pkcs11/:$LD_LIBRARY_PATH

Installing and configuring OpenSSL and BIND

1 Download and unzip openssl-0.9.8l.tar.gz from the following location:
  http://www.openssl.org/source/
2 Download and unzip bind-9.7.3.tar.gz from the following location:
  http://www.isc.org/software/bind/973

In the example that follows, OpenSSL and BIND are unzipped in the /opt directory. If you unzip OpenSSL and BIND in a different directory, adjust the steps as necessary.

To configure OpenSSL:
1 Patch the OpenSSL source for PKCS #11 support by running the following commands:
  # cd /opt/openssl-0.9.8l
  # patch -p1 < /opt/bind-9.7.3/bin/pkcs11/openssl-0.9.8l-patch
2 For Solaris 10 SPARC, export the following PATH environment variable:
  # export PATH=/usr/ccs/bin:/usr/local/ssl:/usr/local/ssl/bin:/usr/sfw/bin:/usr/local/bin:$PATH
3 Configure OpenSSL to build correctly by running the following commands:
  # ./Configure linux-generic64 -m64 -pthread --pk11-libname=/opt/nfast/toolkits/pkcs11/libcknfast.so --pk11-flavor=crypto-accelerator --prefix=/opt/openssl-pkcs11
  # make
  # make install
  The pk11 options are only available after installing the patch in step 1. In the above configure command:
  - --pk11-flavor must be set to crypto-accelerator.
  - --pk11-libname must point to the Thales PKCS #11 library.
  - --prefix is the location where you wish to install this version of OpenSSL.
  If you are using Solaris 10 SPARC, replace linux-generic64 -m64 with solaris64-sparcv9-gcc. If you are using a 32-bit architecture, replace both instances of 64 with 32.
To configure and verify BIND:
1 Set the EXT_CFLAGS environment variable by running the following command:
  # export EXT_CFLAGS=-pthread
2 Configure BIND with PKCS #11 support by running the following commands:
  # cd /opt/bind-9.7.3
  # ./configure CC="gcc -m64" --enable-threads --with-openssl=/opt/openssl-pkcs11/ --with-pkcs11=/opt/nfast/toolkits/pkcs11/libcknfast.so
  # make
  # make install
  In the above configure command:
  - --with-openssl must point to the OpenSSL install directory (the --prefix) specified in Installing and configuring OpenSSL and BIND on page 7.
  - --with-pkcs11 must point to the Thales PKCS #11 library (the directory set in LD_LIBRARY_PATH in Installing the software on page 6).
  If you are using a 32-bit architecture, replace 64 with 32.
3 To verify the installation, export the installed OpenSSL path and confirm that OpenSSL is configured with PKCS #11 support:
  # export PATH=/opt/openssl-pkcs11/bin/:$PATH
  # openssl engine pkcs11 -t
  The output should be as follows:
  (pkcs11) PKCS #11 engine support (crypto accelerator)
       [ available ]
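Two pre-flight checks for the steps above, added here as an example and not part of the Thales guide: check_cknfastrc confirms that a cknfastrc file carries exactly the variables the guide lists for the chosen protection mode (OCS, softcard or module-only), and engine_available parses the output of openssl engine pkcs11 -t for the expected "[ available ]" status. The file path is a parameter so the check can be run against a constructed sample; the assumption that the softcard hash printed by ppmk --list is a 40-hex-digit value is marked in the code.

```shell
# Added example (not from the Thales guide): verify the cknfastrc variables for a
# protection mode and the PKCS #11 engine status reported by OpenSSL.

required_vars() {
    # Exact NAME=VALUE pairs the guide specifies for each protection mode.
    case "$1" in
        ocs)      echo "CKNFAST_NO_ACCELERATOR_SLOTS=1 CKNFAST_USE_THREAD_UPCALLS=1" ;;
        softcard) echo "CKNFAST_NO_ACCELERATOR_SLOTS=1 CKNFAST_LOADSHARING=1 CKNFAST_USE_THREAD_UPCALLS=1" ;;
        module)   echo "CKNFAST_FAKE_ACCELERATOR_LOGIN=1 CKNFAST_USE_THREAD_UPCALLS=1" ;;
        *)        return 1 ;;
    esac
}

check_cknfastrc() {
    # Usage: check_cknfastrc <cknfastrc-file> <ocs|softcard|module>
    # Returns 0 only when every required variable is present with the expected value.
    file="$1"; mode="$2"; rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    vars=$(required_vars "$mode") || { echo "unknown protection mode: $mode"; return 1; }
    for kv in $vars; do
        # Whole-line match, so a commented-out line or a wrong value does not pass.
        grep -qx "$kv" "$file" || { echo "missing or wrong: $kv"; rc=1; }
    done
    if [ "$mode" = softcard ]; then
        # Assumption: the value from 'ppmk --list' is a 40-hex-digit card set hash.
        hash=$(sed -n 's/^CKNFAST_CARDSET_HASH=//p' "$file")
        echo "$hash" | grep -Eq '^[0-9a-fA-F]{40}$' \
            || { echo "CKNFAST_CARDSET_HASH missing or malformed"; rc=1; }
    fi
    return $rc
}

engine_available() {
    # Reads 'openssl engine pkcs11 -t' output on stdin. The status line follows
    # the "(pkcs11) ..." line; returns 0 only if it reports "[ available ]".
    awk '/^\(/ { seen = ($0 ~ /^\(pkcs11\)/) }
         seen && /\[ available \]/ { ok = 1; exit }
         END { exit !ok }'
}

# Live use on a configured host:
#   check_cknfastrc /opt/nfast/cknfastrc ocs && openssl engine pkcs11 -t | engine_available
```

Run check_cknfastrc before the first pkcs11-keygen call; the C_Login and C_Initialize errors in the troubleshooting chapter are the usual symptom of a missing or commented-out variable.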
Signing a zone using the HSM

This section creates an example zone file to demonstrate static zone signing using the HSM. Dynamic zone updates are automatically signed when submitted to named when dynamic DNSSEC is configured in the zone.

This guide uses the default BIND working directory /var/named/chroot/var/named for the zone and key files. This path may vary for different machine configurations.

Create an example zone file

1 Navigate to the working directory:
  # cd /var/named/chroot/var/named
2 Create an example zone file called master.thales-bindtest.org using the following as an example:

  ; Example zone fragment for thales-bindtest.org
  $TTL 2d    ; default TTL is 2 days
  $ORIGIN thales-bindtest.org.
  @ IN SOA ns1.thales-bindtest.org. admin.thales-bindtest.org. (
          1       ; serial number
          1M      ; refresh = 1 minute
          15M     ; update retry = 15 minutes
          3W12h   ; expiry = 3 weeks + 12 hours
          2h20M   ; minimum = 2 hours + 20 minutes
          )
  ; Main domain name servers
          IN NS ns1.thales-bindtest.org.
  ; A records for name servers above
  ns1     IN A 172.17.75.179

3 Edit the /etc/named.conf file:
  a Ensure the directory paths in the /etc/named.conf file point to the /var/named/chroot/var/named directory.
  b Add the zone information as follows:
    zone "thales-bindtest.org" in {
        type master;
        file "master.thales-bindtest.org";
    };
4 Verify the named.conf file:
  # named-checkconf /etc/named.conf
5 Verify the BIND version:
  # named -v
  This should display the version:
  BIND 9.7.3
6 Restart BIND:
  # service named stop
  # named
  The procedure for restarting BIND might vary for different machine configurations. The procedure above is given as an example.
7 Verify that BIND has successfully restarted:
  # rndc status
  Ensure that the output of rndc status displays the BIND version 9.7.3. For further information on the rndc utility and BIND, see the ISC BIND Administrators Reference Manual.
8 Use the DNS look-up utility dig to confirm that DNSSEC is not enabled, by confirming the absence of Resource Record Signature (RRSIG) records in the query response:
  # dig +dnssec +multiline ns1.thales-bindtest.org @<IP address>
  For example:

  ; <<>> DiG 9.7.3 <<>> +dnssec +multiline ns1.thales-bindtest.org @172.17.75.179
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15657
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags: do; udp: 4096
  ;; QUESTION SECTION:
  ;ns1.thales-bindtest.org.       IN A

  ;; ANSWER SECTION:
  ns1.thales-bindtest.org. 172800 IN A 172.17.75.179

  ;; AUTHORITY SECTION:
  thales-bindtest.org.    172800 IN NS ns1.thales-bindtest.org.

  ;; Query time: 0 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Tue Mar 29 15:09:26 2011
  ;; MSG SIZE  rcvd: 82

Generate the Key Signing Key (KSK) and Zone Signing Key (ZSK)

This section explains how to create the Key Signing Key and Zone Signing Key. The BIND tool pkcs11-keygen generates the keys in the security world. The tool dnssec-keyfromlabel then creates two key files that represent the key. These key files have the following format:
  K<domainname>.<algorithm_id>.<key_id>.key
  K<domainname>.<algorithm_id>.<key_id>.private

This example uses the default algorithm of RSASHA1 with 2048 bits for the KSK and ZSK.

If you are in a Strict FIPS security world, you must provide your OCS or ACS for Strict FIPS authentication before you run the BIND commands described in the following sections. We recommend that you use your OCS rather than your ACS for security reasons.

If you have a K-of-N card set with K greater than 1, you must include the preload command specifying the card set name in each of the BIND commands in the following steps, and use 761406613 as the slot ID where a slot ID is required.
Generate the KSK

1 Navigate to the working directory which contains the zone file:
  # cd /var/named/chroot/var/named
2 To generate the KSK:
  - With 1-of-N OCS protection:
    # pkcs11-keygen -b 2048 -l thales-bindtest-ksk -s 492971158
  - With K-of-N OCS protection:
    # preload --module=<module_number> --cardset-name=<cardset_name> pkcs11-keygen -b 2048 -l thales-bindtest-ksk -s 761406613
  - With softcard protection:
    # ppmk --preload <softcard_name> pkcs11-keygen -b 2048 -l thales-bindtest-ksk -s 761406613
    ppmk --preload <softcard_name> is required if you are in a Strict FIPS security world with more than one module. To find the softcard name, run the ppmk --list command.
  - With module protection:
    # pkcs11-keygen -b 2048 -l thales-bindtest-ksk -s 492971157
3 When prompted, enter your pass phrase. For module protection, press Return.
  A PKCS #11 key is created in the security world and located in the /opt/nfast/kmdata/local directory.
4 Generate the public and private key files by running the following command. This uses the label of the key pair stored in the HSM, and constructs a DNS key pair for use by named and dnssec-signzone. The key files are created in the current working directory.
  - For 1-of-N OCS, softcard, and module protection:
    # dnssec-keyfromlabel -l thales-bindtest-ksk -f KSK thales-bindtest.org
  - For K-of-N OCS protection:
    # preload --module=<module_number> --cardset-name=<cardset_name> dnssec-keyfromlabel -l thales-bindtest-ksk -f KSK thales-bindtest.org
  When prompted, enter your pass phrase. For module protection, press Return.
  The -f option sets the Secure Entry Point bit, which is required when building a chain of trust. This guide does not cover the procedure to build a chain of trust. For more information, see the ISC BIND Administrators Reference Manual.
5 To verify key generation:
  - With 1-of-N OCS protected keys:
    # pkcs11-list -s 492971158
  - With K-of-N OCS protected keys:
    # preload --module=<module_number> --cardset-name=<cardset_name> pkcs11-list -s 761406613
  - With softcard protected keys:
    # pkcs11-list -s 761406613
  - With module protected keys:
    # pkcs11-list -s 492971157
6 When prompted, enter your pass phrase. For module protection, press Return.
  The key object output should include the following two thales-bindtest-ksk entries:
  object[0]: handle 1119 class 3 label[19] 'thales-bindtest-ksk' id[0]
  object[1]: handle 1118 class 2 label[19] 'thales-bindtest-ksk' id[0]

Generate the ZSK

1 To generate the ZSK:
  - With 1-of-N OCS protection:
    # pkcs11-keygen -b 2048 -l thales-bindtest-zsk -s 492971158
  - With K-of-N OCS protection:
    # preload --module=<module_number> --cardset-name=<cardset_name> pkcs11-keygen -b 2048 -l thales-bindtest-zsk -s 761406613
  - With softcard protection:
    # ppmk --preload <softcard_name> pkcs11-keygen -b 2048 -l thales-bindtest-zsk -s 761406613
    ppmk --preload <softcard_name> is required if you are in a Strict FIPS security world with more than one module. To find the softcard name, run the ppmk --list command.
  - With module protection:
    # pkcs11-keygen -b 2048 -l thales-bindtest-zsk -s 492971157
2 When prompted, enter your pass phrase. For module protection, press Return.
  A PKCS #11 key is created in the security world and located in the /opt/nfast/kmdata/local directory.
3 Generate the public and private key files by running the following command. This uses the label of the key pair stored in the HSM, and constructs a DNS key pair for use by named and dnssec-signzone. The key files are created in the current working directory.
  - For 1-of-N OCS, softcard, and module protection:
    # dnssec-keyfromlabel -l thales-bindtest-zsk thales-bindtest.org
  - For K-of-N OCS protection:
    # preload --module=<module_number> --cardset-name=<cardset_name> dnssec-keyfromlabel -l thales-bindtest-zsk thales-bindtest.org
  When prompted, enter your pass phrase. For module protection, press Return.
4 To verify key generation:
  - With 1-of-N OCS protected keys:
    # pkcs11-list -s 492971158
  - With K-of-N OCS protected keys:
    # preload --module=<module_number> --cardset-name=<cardset_name> pkcs11-list -s 761406613
  - With softcard protected keys:
    # pkcs11-list -s 761406613
  - With module protected keys:
    # pkcs11-list -s 492971157
5 When prompted, enter your pass phrase. For module protection, press Return.
  The key object output should include the following two thales-bindtest-zsk entries:
  object[0]: handle 1120 class 3 label[19] 'thales-bindtest-zsk' id[0]
  object[1]: handle 1118 class 2 label[19] 'thales-bindtest-zsk' id[0]
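Before signing, it is worth confirming that dnssec-keyfromlabel left a complete KSK and ZSK pair in the working directory, since the two most common failures in the troubleshooting chapter (a ".private: not found" warning and "No signing keys specified or found") both come from this directory. The inventory below is an added example, not part of the Thales guide or of BIND: it reads the flags field of the DNSKEY record in each K*.key file (257 marks a KSK with the SEP bit, 256 a ZSK), checks for the matching .private file, and refuses to pass unless both roles are present. The key file contents used in the test are constructed, with placeholder public-key data.

```shell
# Added example (not from the Thales guide): inventory the BIND key files in the
# working directory before running dnssec-signzone -S.
# Usage: inventory_keys /var/named/chroot/var/named

dnskey_flags() {
    # Print the flags field of the DNSKEY record in a .key file
    # (257 = KSK with SEP bit, 256 = ZSK). Lines starting with ';' are comments;
    # an optional TTL before IN is tolerated by scanning for the DNSKEY token.
    awk '$0 !~ /^;/ { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i+1); exit } }' "$1"
}

inventory_keys() {
    # Prints "<keyid> <KSK|ZSK> alg=<nnn> <ok|missing-private>" per .key file.
    # Returns 0 only if every .key has its .private and both a KSK and a ZSK exist.
    dir="$1"; rc=0; ksk=0; zsk=0
    for key in "$dir"/K*.key; do
        [ -e "$key" ] || { echo "no K*.key files in $dir"; return 1; }
        base="${key%.key}"
        # File name is K<zone>+<alg>+<keyid>.key; take key id and algorithm from it.
        keyid="${base##*+}"; rest="${base%+*}"; alg="${rest##*+}"
        case "$(dnskey_flags "$key")" in
            257) role=KSK; ksk=$((ksk + 1)) ;;
            256) role=ZSK; zsk=$((zsk + 1)) ;;
            *)   role=UNKNOWN; rc=1 ;;
        esac
        if [ -e "$base.private" ]; then status=ok; else status=missing-private; rc=1; fi
        echo "$keyid $role alg=$alg $status"
    done
    [ "$ksk" -gt 0 ] || { echo "no KSK in $dir"; rc=1; }
    [ "$zsk" -gt 0 ] || { echo "no ZSK in $dir"; rc=1; }
    return $rc
}
```

The .private file written by dnssec-keyfromlabel for an HSM-resident key holds only the engine and label reference, not key material, so its presence is a check on the signing setup rather than a secret to protect in the same way as a software key.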
Sign the zone

Use the keys generated above to sign the zone. In this example, the keys are in the working directory with the example zone file. The Smart Signing feature (-S) is used to sign the zone. This removes the need to specify key information in the zone file or to specify the correct keys to be used for zone signing.

1 To sign the zone:
  - For 1-of-N OCS, softcard, and module protection:
    # dnssec-signzone -n1 -S -o thales-bindtest.org master.thales-bindtest.org
  - For K-of-N OCS protection:
    # preload --module=<module_number> --cardset-name=<cardset_name> dnssec-signzone -n1 -S -o thales-bindtest.org master.thales-bindtest.org
2 When prompted, enter your pass phrase. For module protection, press Return.
  A signed zone file is created in the working directory.
3 Edit the /etc/named.conf file to include the zone information for the signed zone:
    zone "thales-bindtest.org" in {
        type master;
        file "master.thales-bindtest.org.signed";
    };
4 In the options section of the file, add the following to enable DNSSEC:
    dnssec-enable yes;
5 Restart BIND:
  # rndc stop
  # named

This guide does not cover the procedure for automatic zone signing or automatic key rollover. For more information, see the ISC BIND Administrators Reference Manual.
Verify DNSSEC

Use the DNS look-up utility dig to verify DNSSEC:
  # dig +dnssec +multiline ns1.thales-bindtest.org @<IP address>

The output should include RRSIG records in the query response. For example:

  ; <<>> DiG 9.7.3 <<>> +dnssec +multiline ns1.thales-bindtest.org @172.17.75.224
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24495
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags: do; udp: 4096
  ;; QUESTION SECTION:
  ;ns1.thales-bindtest.org.       IN A

  ;; ANSWER SECTION:
  ns1.thales-bindtest.org. 172800 IN A 172.17.75.179
  ns1.thales-bindtest.org. 172800 IN RRSIG A 5 3 172800 20110520152612 (
                                  20110420152612 52516 thales-bindtest.org.
                                  Y1bcRU3LkY1ssWhmxNXIleCmwzAj3li8jmm33dCD/HXj
                                  pg/fmyirl9u/yalut9vinz0sbxxinvhatkhml5ckgx3y
                                  TpC75rYR5i8jnqrzJQTGwkWwFP0TnOaJ6avWLt3sU+aW
                                  Qw6A5MAOfxO4IYohkSCnavIc4IkAPBW3KNxIhD/Nzo/9
                                  cvf/c9hldwqlne2i8vzbehh3tqmsmflge7vxet8osdnw
                                  1RgRl/we1Sd5wChjjLotFKmL2/nomRHuspAGNwh93cd/
                                  jjjooedl8mtxpzfekx+bge3jakmohxmemqxfzcxftsgx
                                  wiergr+6ss+sfgar/fsyfer0wmcrnmlf9g== )

  ;; AUTHORITY SECTION:
  thales-bindtest.org.    172800 IN NS ns1.thales-bindtest.org.
  thales-bindtest.org.    172800 IN RRSIG NS 5 2 172800 20110520152612 (
                                  20110420152612 52516 thales-bindtest.org.
                                  18VNnDgpRZlqGFLCmbqOLvRuetwvBm05EY4xXES1BDm+
                                  xvenygpqhwp/uupa4z79qfw6jch2mqmwufdctabx8oru
                                  MPhUHED42glLg5wbX4XeQMTtAFSIeFanfdstZlVyPRm6
                                  vsof2zpetowrqkgh/txpu1g1efa/x6p3u5g4kqdmcesq
                                  PCZT1wYa0lsr2FSGzo1XYBGafCsqSqpXUUfhgGCdScU8
                                  cyuqikh62a8rpqywlhg7ngrmzowl7umqmyec3c1uj+fr
                                  Zj1ntGhKEs6ZeVItoGkThKm40h6oKBEpUP58WC5m2+2r
                                  QOyJcQVpUCAEBJx3Jnke2f20fXYVPu6CnA== )

  ;; Query time: 0 msec
  ;; SERVER: 172.17.75.224#53(172.17.75.224)
  ;; WHEN: Wed Apr 20 17:26:35 2011
  ;; MSG SIZE  rcvd: 696
Chapter 3: Troubleshooting

The following table lists error messages that might be displayed during the procedures described in this guide.

Error message: C_OpenSession: Error = 0x00000003
Cause: Wrong slot ID specified or OCS not in slot.
Resolution: Ensure the correct slot ID is specified. For OCS protection: 1-of-N: -s 492971158; K-of-N: -s 761406613. Ensure the OCS is inserted correctly in the card reader. For softcard protection use -s 761406613. For module protection use -s 492971157.

Error message: C_OpenSession: Error = 0x000000E1
Cause: Token not recognized; incorrect card inserted into the slot.
Resolution: Ensure that the correct OCS from the security world is inserted correctly in the card reader.

Error message: C_Login: Error = 0x000000A0
Cause: Incorrect PIN, or environment variables not set.
Resolution: Ensure the correct PIN is entered when requested. Ensure the correct environment variables are set (see Installing the software on page 6).

Error message: C_Initialize: Error = 0x00000006
Cause: Security world unusable, or environment variables not set.
Resolution: Ensure a usable security world is in place and the module is in Operational mode. Ensure the correct environment variables are set (see Installing the software on page 6). Ensure the hardserver is running.

Error message: C_GenerateKeyPair: Error = 0x800000E0
Cause: FIPS authentication required.
Resolution: If in a Strict FIPS security world, ensure that an OCS/ACS is inserted into the module slot for FIPS authentication.

Error message: dnssec-signzone: fatal: No signing keys specified or found
Cause: No KSK or ZSK in the working directory.
Resolution: Generate the KSK and ZSK as described in Generate the Key Signing Key (KSK) and Zone Signing Key (ZSK) on page 12, and attempt to re-sign the zone.
Error message: dnssec-signzone: fatal: could not initialize dst: no engine
Cause: Security world is unusable.
Resolution: Ensure a usable security world is in place and the module is in Operational mode. Ensure the hardserver is running. Ensure PKCS #11 engine support is available by running:
  # openssl engine pkcs11 -t

Error message:
  dnssec-signzone: warning: dns_dnssec_findmatchingkeys: error reading key file Kthales-bindtest.org.+005+59653.private: not found
  dnssec-signzone: warning: dns_dnssec_findmatchingkeys: error reading key file Kthales-bindtest.org.+005+55268.private: not found
  dnssec-signzone: fatal: No signing keys specified or found.
Cause: Certain versions of BIND (at least up to 0.9.8) occasionally make an erroneous call to destroy the PKCS #11 private key object after signing a zone. Destroying the private key makes it permanently unavailable for use, and all subsequent attempts to sign will fail.
Resolution: This is a problem in BIND, not the Thales Support Software, so a full resolution must wait for a new version of BIND with the issue addressed. In the meantime, the following procedure is recommended:
1 The security world should always be backed up when a new key is created. This is good practice in all situations, not just with this issue. To back up the security world, make a copy of /opt/nfast/kmdata/local.
2 If the issue occurs, run pkcs11-list -s <slot_number>, which will indicate that the most recently generated key object is missing.
3 Restore the security world from backup. Either the single key file identified by pkcs11-list or the entire /opt/nfast/kmdata/local directory may be restored.
4 Run pkcs11-list again, which should display an extra key object.
5 Attempt to sign the zone.
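The backup, detect and restore steps of that procedure can be scripted so that the comparison in step 2 is done against the file system rather than by reading pkcs11-list output by eye. The functions below are an added example, not part of the Thales guide: backup_kmdata takes a timestamped copy of the security world directory, missing_since_backup lists the files that were in the backup but are gone from the live directory (a destroyed key object leaves exactly that trace), and restore_missing performs the single-file restore of step 3 without touching any file that still exists. The live directory defaults to the guide's /opt/nfast/kmdata/local; the file names used in the test are constructed.

```shell
# Added example (not from the Thales guide): scripted backup / detect / restore
# of the security world directory for the BIND key-destruction issue.

backup_kmdata() {
    # Usage: backup_kmdata <backup-root> [<live-dir>]; prints the new backup directory.
    live="${2:-/opt/nfast/kmdata/local}"
    dest="$1/local-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dest" && cp -pR "$live"/. "$dest"/ && echo "$dest"
}

missing_since_backup() {
    # Usage: missing_since_backup <backup-dir> [<live-dir>]
    # Lists files present in the backup but no longer in the live directory;
    # returns 0 if at least one file is missing, 1 if the live directory is complete.
    backup="$1"; live="${2:-/opt/nfast/kmdata/local}"; n=0
    for f in "$backup"/*; do
        [ -f "$f" ] || continue
        name="${f##*/}"
        [ -e "$live/$name" ] || { echo "$name"; n=$((n + 1)); }
    done
    [ "$n" -gt 0 ]
}

restore_missing() {
    # Usage: restore_missing <backup-dir> [<live-dir>]
    # Single-file restore: copies back only what missing_since_backup reports,
    # so keys created after the backup was taken are never overwritten.
    backup="$1"; live="${2:-/opt/nfast/kmdata/local}"
    missing_since_backup "$backup" "$live" | while read -r name; do
        cp -p "$backup/$name" "$live/$name" && echo "restored $name"
    done
}

# Typical sequence on the BIND host, run as the user that owns /opt/nfast/kmdata:
#   b=$(backup_kmdata /var/backups/nfast)        # after each pkcs11-keygen
#   missing_since_backup "$b" && restore_missing "$b"   # when signing starts failing
```

Restoring only the missing file, rather than the whole directory, matters when a later key was generated after the backup: a full directory restore from an older copy would silently drop it, which reproduces the very failure being repaired.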
Addresses

Americas
2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA
Tel: +1 888 744 4976 or +1 954 888 6200
sales@thalesesec.com

Europe, Middle East, Africa
Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK
Tel: +44 (0)1844 201800
emea.sales@thales-esecurity.com

Asia Pacific
Units 4101, 41/F. 248 Queen's Road East, Wanchai, Hong Kong, PRC
Tel: +852 2815 8633
asia.sales@thales-esecurity.com

Internet addresses
Web site: www.thalesgroup.com/iss
Support: http://iss.thalesgroup.com/en/support.aspx
Online documentation: http://iss.thalesgroup.com/resources.aspx
International sales offices: http://iss.thalesgroup.com/en/company/contact%20us.aspx