author: Rob Austein <sra@hactrn.net>, 2021-02-14 01:55:38 +0000
committer: Rob Austein <sra@hactrn.net>, 2021-02-14 01:55:38 +0000
commit: b58c60bcc4a6f3d3ccf4194ef862a808fdc3313b
tree: ad43c2b937db286c2b3320b57066a9581264444a /markdown/OpenDNSSEC.md
parent: 23bb68fe7e9cc8af176ff60b56e8a51a70f05a89
Hack images, store outputs in git again for now
Easier to track what each script change does if we keep the before and after versions of the markdown in git too. Clean this up eventually, but simplifies development.
Diffstat (limited to 'markdown/OpenDNSSEC.md')
-rw-r--r-- markdown/OpenDNSSEC.md | 138
1 file changed, 138 insertions, 0 deletions
diff --git a/markdown/OpenDNSSEC.md b/markdown/OpenDNSSEC.md
new file mode 100644
index 0000000..49e2868
--- /dev/null
+++ b/markdown/OpenDNSSEC.md
@@ -0,0 +1,138 @@
+# DNSSEC signing using OpenDNSSEC and a Cryptech alpha board rev03
+
+## Before you start, you'll need
+
+
+- A Cryptech Alpha board, preferrably revision "rev03"
+- APT on the host system configured to find packages in the Cryptech
+
+ repository, see BinaryPackages for instructions
+
+```
+apt-get install cryptech-alpha opendnssec opensc
+```
+
+Once you have the software package installed, you may need to [wiki:Upgrading upgrade your HSM's firmware].
+
+## Configure the HSM
+
+For now, connect USB cables to both the DATA and MGMT ports of your HSM and plug them into the host where you will be running OpenDNSSEC.
+In production use it should not be necessary to leave the MGMT port connected, but it's easier to set up this way, and, as this is still a development platform, this is the configuration that's gotten the most testing.
+
+```
+# eval $(cryptech_probe)
+# cryptech_muxd &
+# cryptech_console
+
+Username: wheel
+Password: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding
+
+cryptech> keystore set pin wheel supersikritnewpw
+cryptech> keystore set pin so 123456
+cryptech> keystore set pin user 1234
+
+cryptech> masterkey set EFBEADDE
+^C
+```
+
+Leave `cryptech_muxd` running, so that the PKCS !#11 library can use it to talk to the HSM.
+
+
+## Configure OpenDNSSEC
+
+```
+mkdir /var/lib/opendnssec/cryptech
+
+cat > /var/lib/opendnssec/unsigned/example.com << EOF
+\$TTL 600
+example.com. IN SOA hidden-master.example.com. hostmaster.example.com. (
+ 2016041401 ; serial
+ 720 ; 28800 ; refresh (8 hours)
+ 720 ; 7200 ; retry (2 hours)
+ 300 ; 604800 ; expire (1 week)
+ 120 ; 3600 ; minimum (1 hour)
+ )
+
+ NS lab.cryptech.is.
+test A 127.0.0.1
+EOF
+
+chown -R opendnssec: /var/lib/opendnssec/*
+```
+
+
+## OpenDNSSEC configuration changes
+
+/etc/opendnssec/conf.xml:
+
+```
+<Repository name="Cryptech">
+ <Module>/usr/lib/libcryptech-pkcs11.so</Module>
+ <TokenLabel>Cryptech Token</TokenLabel>
+ <PIN>1234</PIN>
+ <SkipPublicKey/>
+</Repository>
+```
+
+The PIN is whatever was chosen as PIN for 'user' above.
+The TokenLabel has to be "Cryptech Token", not something you choose.
+
+
+/etc/opendnssec/kasp.xml:
+
+ s/SoftHSM/Cryptech/
+
+/etc/opendnssec/zonelist.xml:
+
+```
+<Zone name="example.com">
+ <Policy>lab</Policy>
+ <SignerConfiguration>/var/lib/opendnssec/signconf/example.com.xml</SignerConfiguration>
+ <Adapters>
+ <Input>
+ <Adapter type="File">/var/lib/opendnssec/unsigned/example.com</Adapter>
+ </Input>
+ <Output>
+ <Adapter type="File">/var/lib/opendnssec/signed/example.com</Adapter>
+ </Output>
+ </Adapters>
+</Zone>
+```
+
+
+## Initialization and signing
+
+Make the deamons reload their configuration:
+
+```
+ service opendnssec-enforcer restart
+ service opendnssec-signer restart
+```
+
+Initialize opendnssec:
+
+```
+ ods-ksmutil setup
+```
+
+That should be it!
+
+See /var/log/syslog for output from ods-kaspcheck, ods-enforcerd and ods-signerd.
+See /var/lib/opendnssec/signed/ for a signed example.com zone.
+
+To list keys using ods-ksmutil, accessing the HSM using pkcs11
+directly (rather than going through any of the opendnssec daemons),
+export the environment variables from /etc/default/opendnssec and run
+"ods-ksmutil keys list --verbose":
+
+```
+# ods-ksmutil keys list --verbose
+SQLite database set to: /var/lib/opendnssec/kasp.db
+Keys:
+Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
+example.com KSK ready waiting for ds-seen (active) 2048 8 7f9b9329480ebe5dc81054ccb293e261 Cryptech 62642
+example.com ZSK active 2016-07-13 19:04:30 (retire) 1024 8 97e972633613bd605944a0531ff5399b Cryptech 56620
+```
+
+If the output for repository is "Cryptech NOT IN repository",
+ods-ksmutil has not been able to actually list the keys in the HSM.
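Review bot: the HSM setup in the `cryptech_console` transcript sets trivially weak PINs (`keystore set pin so 123456`, `keystore set pin user 1234`) in the same session whose wheel line warns that the default PIN must be changed, and the conf.xml fragment then carries that user PIN in clear (`<PIN>1234</PIN>`); use obvious placeholders for all three PINs, the way the wheel line already does, and add a sentence that /etc/opendnssec/conf.xml must be readable only by the opendnssec user, because the PIN in it is what unlocks the signing keys. Smaller points in the same hunk: Trac wiki markup survived the conversion to markdown and will not render as links (bare `BinaryPackages`, `[wiki:Upgrading upgrade your HSM's firmware]`, and `PKCS !#11`, where the `!` was Trac's anti-CamelCase escape and should simply read `PKCS #11`); the first bullet under "Before you start" is split by a blank line before "repository, see BinaryPackages", so it renders as two items; `ods-ksmutil setup`, which reinitializes the KASP database, is placed after the `service opendnssec-enforcer restart` / `service opendnssec-signer restart` lines, so either move it before the restarts or restart again afterwards; `s/SoftHSM/Cryptech/` for kasp.xml should name the element being changed (the `<Repository>` under each key in the policy) rather than a sed expression; the SOA comments describe values different from the ones given (`720 ; 28800 ; refresh (8 hours)` and the three lines after it); and there are typos in "preferrably" and "deamons".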