Where are /opt/bind9/... directories in FreeBSD

HL1234

For the PKCS#11 configuration I found examples of what to do, but nothing with FreeBSD as the OS.
Like:
PKCS#11 in BIND 9 - Configuring OpenSSL to use engine_pkcs11
https://gitlab.isc.org/isc-projects...CS11#configuring-openssl-to-use-engine_pkcs11

But I do not know where the directories are in FreeBSD, like
Code:
/opt/bind9/etc/
/opt/bind9/engines
/opt/bind9/lib/tokens   this is maybe that /var/lib/softhsm/tokens/
which are written in the description (see link).
What does he mean with /opt/bind9/...? This looks like Linux.

In FreeBSD we get /usr/local/sbin/named and /usr/local/etc/namedb (not chrooted)

Does anyone have such an example like the one above, but with FreeBSD, with everything installed from the ports, and configuration examples for that?

Jose

What does he mean with /opt/bind9/...? This looks like Linux.
I first ran into an /opt directory on Solaris, and it does seem that it is still a thing on that OS.

It's supposedly still a thing on Linux as well, but you have to understand that Linux is much too modern and dynamic to worry about things like compliance with a standard.

Edit: It is not a thing on FreeBSD. Despite what that Wikipedia page says, the directory layout in FreeBSD is described in the hier(7) man page.

HL1234

Maybe my question was not well verbalized. I know the directory layout in FreeBSD.

What are the comparable directories for
/opt/bind9/etc/
/opt/bind9/engines
/opt/bind9/lib/..
on FreeBSD?

PMc

Sorry, I didn't yet manage to look closely into DNSSEC, so I cannot help with configs. I did integrate with Kerberos, and that was fun already...

Which OpenSSL are you using? From base or from ports?
If from base, then your engines should be in /usr/lib/engines, because they're part of ssh, and ssh is part of base. /usr/local/etc/rc.d/named has this path configured and will copy them into the chroot when chroot is used.
But then, you probably don't need this, because security/libp11 exists as a port. security/softhsm2 seems to exist as well.

The other things should then be in /usr/local/etc/named and /usr/local/lib/named, respectively. They seem to get declared via environment variables and config files, so the actually used path is not so critical.

The real fun will start when you then try to chroot that beast... ;).

HL1234

Which OpenSSL are you using? From base or from ports?

/usr/local/etc/rc.d/named has this path configured and will copy them into the chroot when chroot is used.
But then, you probably don't need this, because security/libp11 exists as a port. security/softhsm2 seems to exist as well.

The other things should then be in /usr/local/etc/named and /usr/local/lib/named, respectively. They seem to get declared via environment variables and config files, so the actually used path is not so critical.
Sorry for the late reply.
I use OpenSSL from the ports. In /usr/local/lib/engines I find
Code:
lrwxr-xr-x 1 root wheel 9 Juli 24 21:05 libpkcs11.so -> pkcs11.so
-rwxr-xr-x 1 root wheel 86120 Juli 24 21:05 pkcs11.so
Do I understand right that you think I should take /usr/local/etc/named for /opt/bind9/? And should I use /usr/local/etc/ for /opt/bind9/etc, or also /usr/local/etc/named, to copy openssl.conf openssl.cnf?

PMc

Sorry for the late reply.
I use OpenSSL from the ports. In /usr/local/lib/engines I find

Do I understand right that you think I should take /usr/local/etc/named for /opt/bind9/?
Not in full. An identical analogue to /opt/bind9/ itself doesn't exist here, because things are swapped: /opt/bind9/etc becomes /usr/local/etc/named, /opt/bind9/lib becomes /usr/local/lib/named, and so on.
And should I use /usr/local/etc/ for /opt/bind9/etc, or also /usr/local/etc/named, to copy openssl.conf?
Careful. You can put openssl.conf at any place you want, as long as you put the chosen path into the other configs that shall use it. If the path is missing, the default installation openssl.conf is used. The default installation openssl.conf is /etc/ssl/openssl.conf in my case (with ssl from base). In your case with ssl from ports, the default openssl.conf must be somewhere under /usr/local, probably either /usr/local/etc/openssl.conf or /usr/local/etc/ssl/openssl.conf.
Figure that out, and then take care that you do not mix these two, the default openssl.conf that comes along with ssl-from-ports, and the one you are creating. Therefore I would put it into /usr/local/etc/named.conf (or even give it a different name).
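An added example (not from this thread or from ISC's guide) of the separation PMc describes: a dedicated openssl.cnf for engine_pkcs11 written with FreeBSD ports paths, kept apart from the default one, plus a function that resolves which config OpenSSL will really read. It assumes the engine from security/libp11 at /usr/local/lib/engines/pkcs11.so (as listed above), the SoftHSMv2 module from security/softhsm2 at /usr/local/lib/softhsm/libsofthsm2.so, and runs the live check only when RUN_LIVE_CHECK=1 is set.

```shell
#!/bin/sh
# Added example: dedicated OpenSSL config for engine_pkcs11 on FreeBSD (ports
# paths), kept apart from the default openssl.cnf. Paths below are assumptions.
set -eu

ENGINE_SO="${ENGINE_SO:-/usr/local/lib/engines/pkcs11.so}"          # security/libp11
HSM_MODULE="${HSM_MODULE:-/usr/local/lib/softhsm/libsofthsm2.so}"   # security/softhsm2

# Print an openssl.cnf that loads engine_pkcs11 from the given engine and module.
render_engine_conf() {
    engine_so="$1"
    hsm_module="$2"
    cat <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $engine_so
MODULE_PATH = $hsm_module
init = 0
EOF
}

# Resolve the config OpenSSL reads: OPENSSL_CONF if set, else openssl.cnf inside
# OPENSSLDIR (the directory printed by "openssl version -d").
resolve_openssl_conf() {
    openssldir="$1"
    if [ -n "${OPENSSL_CONF:-}" ]; then
        printf '%s\n' "$OPENSSL_CONF"
    else
        printf '%s/openssl.cnf\n' "$openssldir"
    fi
}

# Live check, only when asked for (RUN_LIVE_CHECK=1) and openssl is installed:
# write the dedicated file, show the default, then load the engine with it.
if [ "${RUN_LIVE_CHECK:-0}" = 1 ] && command -v openssl >/dev/null 2>&1; then
    conf="${CONF_OUT:-/usr/local/etc/named/openssl-pkcs11.cnf}"
    render_engine_conf "$ENGINE_SO" "$HSM_MODULE" > "$conf"
    dir=$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
    echo "default config in use: $(resolve_openssl_conf "$dir")"
    OPENSSL_CONF="$conf" openssl engine -t -c pkcs11
fi
```

If the last line does not report the engine as available, named started with -E pkcs11 will fail the same way, so this is the place to debug the paths first.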

HL1234

Thanks for the reply.
First I changed the name: not .conf but .cnf; right: openssl.cnf
I found a lot of openssl.cnf files on my system, like
Code:
/etc/ssl/openssl.cnf
/usr/local/etc/ssl/openssl.cnf
/usr/local/openssl/openssl.cnf
/usr/local/share/examples/dovecot/dovecot-openssl.cnf
/usr/src/crypto/openssl/apps/openssl.cnf
/var/db/etcupdate/current/etc/ssl/openssl.cnf
with
Code:
ll /usr/local/openssl/openssl.cnf
lrwxr-xr-x 1 root wheel 30 Juni 11  2019 /usr/local/openssl/openssl.cnf -> /usr/local/etc/ssl/openssl.cnf
I do not want to move it; I will copy it and then change it.
Thanks for the advice for the directories.
In /usr/local/lib/named I find
Code:
-rw-r--r--  1 root wheel 22296 Juli 24 16:51 filter-aaaa.so
but I think this comes with the installation of BIND

In between, I think I had misunderstood the option with the comment:
Choose which crypto engine to use: you can only select none or one of them
( ) NATIVE_PKCS11 Use PKCS#11 native API (**READ HELP**)
Nothing was selected, so I selected one of them. It is confusing when a radio button can be deselected.
If I can get the howto to work, I will install bind without that PKCS#11, and that should work. Now I have to set the -E "" parameter of named with the path to the correct engine or it cannot start; there is no way to disable that.