Diffstat (limited to 'markdown/OpenDNSSEC.md')
-rw-r--r-- markdown/OpenDNSSEC.md 138
1 files changed, 138 insertions, 0 deletions
diff --git a/markdown/OpenDNSSEC.md b/markdown/OpenDNSSEC.md
new file mode 100644
index 0000000..49e2868
--- /dev/null
+++ b/markdown/OpenDNSSEC.md
@@ -0,0 +1,138 @@
+# DNSSEC signing using OpenDNSSEC and a Cryptech alpha board rev03
+
+## Before you start, you'll need
+
+
+- A Cryptech Alpha board, preferrably revision "rev03"
+- APT on the host system configured to find packages in the Cryptech
+
+ repository, see BinaryPackages for instructions
+
+```
+apt-get install cryptech-alpha opendnssec opensc
+```
+
+Once you have the software package installed, you may need to [wiki:Upgrading upgrade your HSM's firmware].
+
+## Configure the HSM
+
+For now, connect USB cables to both the DATA and MGMT ports of your HSM and plug them into the host where you will be running OpenDNSSEC.
+In production use it should not be necessary to leave the MGMT port connected, but it's easier to set up this way, and, as this is still a development platform, this is the configuration that's gotten the most testing.
+
+```
+# eval $(cryptech_probe)
+# cryptech_muxd &
+# cryptech_console
+
+Username: wheel
+Password: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding
+
+cryptech> keystore set pin wheel supersikritnewpw
+cryptech> keystore set pin so 123456
+cryptech> keystore set pin user 1234
+
+cryptech> masterkey set EFBEADDE
+^C
+```
+
+Leave `cryptech_muxd` running, so that the PKCS !#11 library can use it to talk to the HSM.
+
+
+## Configure OpenDNSSEC
+
+```
+mkdir /var/lib/opendnssec/cryptech
+
+cat > /var/lib/opendnssec/unsigned/example.com << EOF
+\$TTL 600
+example.com. IN SOA hidden-master.example.com. hostmaster.example.com. (
+ 2016041401 ; serial
+ 720 ; 28800 ; refresh (8 hours)
+ 720 ; 7200 ; retry (2 hours)
+ 300 ; 604800 ; expire (1 week)
+ 120 ; 3600 ; minimum (1 hour)
+ )
+
+ NS lab.cryptech.is.
+test A 127.0.0.1
+EOF
+
+chown -R opendnssec: /var/lib/opendnssec/*
+```
+
+
+## OpenDNSSEC configuration changes
+
+/etc/opendnssec/conf.xml:
+
+```
+<Repository name="Cryptech">
+ <Module>/usr/lib/libcryptech-pkcs11.so</Module>
+ <TokenLabel>Cryptech Token</TokenLabel>
+ <PIN>1234</PIN>
+ <SkipPublicKey/>
+</Repository>
+```
+
+The PIN is whatever was chosen as PIN for 'user' above.
+The TokenLabel has to be "Cryptech Token", not something you choose.
+
+
+/etc/opendnssec/kasp.xml:
+
+ s/SoftHSM/Cryptech/
+
+/etc/opendnssec/zonelist.xml:
+
+```
+<Zone name="example.com">
+ <Policy>lab</Policy>
+ <SignerConfiguration>/var/lib/opendnssec/signconf/example.com.xml</SignerConfiguration>
+ <Adapters>
+ <Input>
+ <Adapter type="File">/var/lib/opendnssec/unsigned/example.com</Adapter>
+ </Input>
+ <Output>
+ <Adapter type="File">/var/lib/opendnssec/signed/example.com</Adapter>
+ </Output>
+ </Adapters>
+</Zone>
+```
+
+
+## Initialization and signing
+
+Make the deamons reload their configuration:
+
+```
+ service opendnssec-enforcer restart
+ service opendnssec-signer restart
+```
+
+Initialize opendnssec:
+
+```
+ ods-ksmutil setup
+```
+
+That should be it!
+
+See /var/log/syslog for output from ods-kaspcheck, ods-enforcerd and ods-signerd.
+See /var/lib/opendnssec/signed/ for a signed example.com zone.
+
+To list keys using ods-ksmutil, accessing the HSM using pkcs11
+directly (rather than going through any of the opendnssec daemons),
+export the environment variables from /etc/default/opendnssec and run
+"ods-ksmutil keys list --verbose":
+
+```
+# ods-ksmutil keys list --verbose
+SQLite database set to: /var/lib/opendnssec/kasp.db
+Keys:
+Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
+example.com KSK ready waiting for ds-seen (active) 2048 8 7f9b9329480ebe5dc81054ccb293e261 Cryptech 62642
+example.com ZSK active 2016-07-13 19:04:30 (retire) 1024 8 97e972633613bd605944a0531ff5399b Cryptech 56620
+```
+
+If the output for repository is "Cryptech NOT IN repository",
+ods-ksmutil has not been able to actually list the keys in the HSM.
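Review bot: the console session under "Configure the HSM" presents `keystore set pin so 123456`, `keystore set pin user 1234` and `masterkey set EFBEADDE` as commands to type in, and the same user PIN then lands in clear text in /etc/opendnssec/conf.xml (`<PIN>1234</PIN>`); the text should say plainly that these PINs and the master key value are placeholders to be replaced with values of the reader's own choosing, and that conf.xml must be readable only by the opendnssec user, since the PIN in it is what unlocks the token. In the example zone, each SOA timer line carries two numbers (`720 ; 28800 ; refresh (8 hours)`): only the first is parsed, the rest is a comment, so the stated value, the leftover number and the unit in parentheses disagree; drop the stale second number or make the comment match the value actually used. The page is Markdown but still contains Trac wiki syntax that will not render (`[wiki:Upgrading upgrade your HSM's firmware]`, `PKCS !#11`, the bare `BinaryPackages` reference); convert these to Markdown links and plain "PKCS #11". Minor: "preferrably" and "deamons" are typos, and the second bullet under "Before you start" is split by a blank line before "repository", which breaks the list item.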