Diffstat (limited to 'markdown/OpenDNSSEC.md')
-rw-r--r-- | markdown/OpenDNSSEC.md | 138 |
1 files changed, 138 insertions, 0 deletions
diff --git a/markdown/OpenDNSSEC.md b/markdown/OpenDNSSEC.md new file mode 100644 index 0000000..49e2868 --- /dev/null +++ b/markdown/OpenDNSSEC.md 
@@ -0,0 +1,138 @@ +# DNSSEC signing using OpenDNSSEC and a Cryptech alpha board rev03 + +## Before you start, you'll need + + +- A Cryptech Alpha board, preferrably revision "rev03" +- APT on the host system configured to find packages in the Cryptech + + repository, see BinaryPackages for instructions + +``` +apt-get install cryptech-alpha opendnssec opensc +``` + +Once you have the software package installed, you may need to [wiki:Upgrading upgrade your HSM's firmware]. + +## Configure the HSM + +For now, connect USB cables to both the DATA and MGMT ports of your HSM and plug them into the host where you will be running OpenDNSSEC. +In production use it should not be necessary to leave the MGMT port connected, but it's easier to set up this way, and, as this is still a development platform, this is the configuration that's gotten the most testing. + +``` +# eval $(cryptech_probe) +# cryptech_muxd & +# cryptech_console + +Username: wheel +Password: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding + +cryptech> keystore set pin wheel supersikritnewpw +cryptech> keystore set pin so 123456 +cryptech> keystore set pin user 1234 + +cryptech> masterkey set EFBEADDE +^C +``` + +Leave `cryptech_muxd` running, so that the PKCS !#11 library can use it to talk to the HSM. + + +## Configure OpenDNSSEC + +``` +mkdir /var/lib/opendnssec/cryptech + +cat > /var/lib/opendnssec/unsigned/example.com << EOF +\$TTL 600 +example.com. IN SOA hidden-master.example.com. hostmaster.example.com. ( + 2016041401 ; serial + 720 ; 28800 ; refresh (8 hours) + 720 ; 7200 ; retry (2 hours) + 300 ; 604800 ; expire (1 week) + 120 ; 3600 ; minimum (1 hour) + ) + + NS lab.cryptech.is. 
+test A 127.0.0.1 +EOF + +chown -R opendnssec: /var/lib/opendnssec/* +``` + + +## OpenDNSSEC configuration changes + +/etc/opendnssec/conf.xml: + +``` +<Repository name="Cryptech"> + <Module>/usr/lib/libcryptech-pkcs11.so</Module> + <TokenLabel>Cryptech Token</TokenLabel> + <PIN>1234</PIN> + <SkipPublicKey/> +</Repository> +``` + +The PIN is whatever was chosen as PIN for 'user' above. +The TokenLabel has to be "Cryptech Token", not something you choose. + + +/etc/opendnssec/kasp.xml: + + s/SoftHSM/Cryptech/ + +/etc/opendnssec/zonelist.xml: + +``` +<Zone name="example.com"> + <Policy>lab</Policy> + <SignerConfiguration>/var/lib/opendnssec/signconf/example.com.xml</SignerConfiguration> + <Adapters> + <Input> + <Adapter type="File">/var/lib/opendnssec/unsigned/example.com</Adapter> + </Input> + <Output> + <Adapter type="File">/var/lib/opendnssec/signed/example.com</Adapter> + </Output> + </Adapters> +</Zone> +``` + + +## Initialization and signing + +Make the deamons reload their configuration: + +``` + service opendnssec-enforcer restart + service opendnssec-signer restart +``` + +Initialize opendnssec: + +``` + ods-ksmutil setup +``` + +That should be it! + +See /var/log/syslog for output from ods-kaspcheck, ods-enforcerd and ods-signerd. +See /var/lib/opendnssec/signed/ for a signed example.com zone. 
+ +To list keys using ods-ksmutil, accessing the HSM using pkcs11 +directly (rather than going through any of the opendnssec daemons), +export the environment variables from /etc/default/opendnssec and run +"ods-ksmutil keys list --verbose": + +``` +# ods-ksmutil keys list --verbose +SQLite database set to: /var/lib/opendnssec/kasp.db +Keys: +Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag: +example.com KSK ready waiting for ds-seen (active) 2048 8 7f9b9329480ebe5dc81054ccb293e261 Cryptech 62642 +example.com ZSK active 2016-07-13 19:04:30 (retire) 1024 8 97e972633613bd605944a0531ff5399b Cryptech 56620 +``` + +If the output for repository is "Cryptech NOT IN repository", +ods-ksmutil has not been able to actually list the keys in the HSM. |
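Review bot: the SOA timer values in the example.com zone file disagree with their own comments, and the resulting timers are unsound: the lines read `720 ; 28800 ; refresh (8 hours)`, `720 ; 7200 ; retry (2 hours)`, `300 ; 604800 ; expire (1 week)`, `120 ; 3600 ; minimum (1 hour)`, so the value actually used for expire (300 s) is shorter than refresh (720 s), meaning a secondary that misses one refresh discards the zone before it retries. Either use the values the comments describe or drop the stale second column so the file says what it does. Several Trac-wiki constructs also survived the move to markdown and will render literally: `PKCS !#11` should be `PKCS #11`, `[wiki:Upgrading upgrade your HSM's firmware]` and the bare `BinaryPackages` CamelCase reference should become markdown links, and the kasp.xml edit `s/SoftHSM/Cryptech/` is indented outside a fence while every other command is fenced. Typos: "preferrably" (preferably), "deamons" (daemons). Since `/etc/opendnssec/conf.xml` now carries the HSM user PIN in the clear (`<PIN>1234</PIN>`), the configuration section should say that the file must be readable only by the opendnssec user, and the `cryptech_console` transcript should state that the PINs and the `masterkey set` value shown are placeholders to be replaced, not values to copy.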