Diffstat (limited to 'wiki/OpenDNSSEC.trac')
-rw-r--r-- | wiki/OpenDNSSEC.trac | 136 |
1 files changed, 136 insertions, 0 deletions
diff --git a/wiki/OpenDNSSEC.trac b/wiki/OpenDNSSEC.trac new file mode 100644 index 0000000..1526a29 --- /dev/null +++ b/wiki/OpenDNSSEC.trac @@ -0,0 +1,136 @@ += DNSSEC signing using OpenDNSSEC and a Cryptech alpha board rev03 =
+
+== Before you start, you'll need ==
+
+- A Cryptech Alpha board, preferrably revision "rev03"
+- APT on the host system configured to find packages in the Cryptech
+ repository, see BinaryPackages for instructions
+
+{{{
+apt-get install cryptech-alpha opendnssec opensc
+}}}
+
+Once you have the software package installed, you may need to [wiki:Upgrading upgrade your HSM's firmware].
+
+== Configure the HSM ==
+
+For now, connect USB cables to both the DATA and MGMT ports of your HSM and plug them into the host where you will be running OpenDNSSEC.
+In production use it should not be necessary to leave the MGMT port connected, but it's easier to set up this way, and, as this is still a development platform, this is the configuration that's gotten the most testing.
+
+{{{
+# eval $(cryptech_probe)
+# cryptech_muxd &
+# cryptech_console
+
+Username: wheel
+Password: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding
+
+cryptech> keystore set pin wheel supersikritnewpw
+cryptech> keystore set pin so 123456
+cryptech> keystore set pin user 1234
+
+cryptech> masterkey set EFBEADDE
+^C
+}}}
+
+Leave `cryptech_muxd` running, so that the PKCS !#11 library can use it to talk to the HSM.
+
+
+== Configure OpenDNSSEC ==
+
+{{{
+mkdir /var/lib/opendnssec/cryptech
+
+cat > /var/lib/opendnssec/unsigned/example.com << EOF
+\$TTL 600
+example.com. IN SOA hidden-master.example.com. hostmaster.example.com. (
+ 2016041401 ; serial
+ 720 ; 28800 ; refresh (8 hours)
+ 720 ; 7200 ; retry (2 hours)
+ 300 ; 604800 ; expire (1 week)
+ 120 ; 3600 ; minimum (1 hour)
+ )
+
+ NS lab.cryptech.is.
+test A 127.0.0.1
+EOF
+
+chown -R opendnssec: /var/lib/opendnssec/*
+}}}
+
+
+== OpenDNSSEC configuration changes ==
+
+/etc/opendnssec/conf.xml:
+
+{{{
+<Repository name="Cryptech">
+ <Module>/usr/lib/libcryptech-pkcs11.so</Module>
+ <TokenLabel>Cryptech Token</TokenLabel>
+ <PIN>1234</PIN>
+ <SkipPublicKey/>
+</Repository>
+}}}
+
+The PIN is whatever was chosen as PIN for 'user' above.
+The !TokenLabel has to be "Cryptech Token", not something you choose.
+
+
+/etc/opendnssec/kasp.xml:
+
+ s/SoftHSM/Cryptech/
+
+/etc/opendnssec/zonelist.xml:
+
+{{{
+<Zone name="example.com">
+ <Policy>lab</Policy>
+ <SignerConfiguration>/var/lib/opendnssec/signconf/example.com.xml</SignerConfiguration>
+ <Adapters>
+ <Input>
+ <Adapter type="File">/var/lib/opendnssec/unsigned/example.com</Adapter>
+ </Input>
+ <Output>
+ <Adapter type="File">/var/lib/opendnssec/signed/example.com</Adapter>
+ </Output>
+ </Adapters>
+</Zone>
+}}}
+
+
+== Initialization and signing ==
+
+Make the deamons reload their configuration:
+
+{{{
+ service opendnssec-enforcer restart
+ service opendnssec-signer restart
+}}}
+
+Initialize opendnssec:
+
+{{{
+ ods-ksmutil setup
+}}}
+
+That should be it!
+
+See /var/log/syslog for output from ods-kaspcheck, ods-enforcerd and ods-signerd.
+See /var/lib/opendnssec/signed/ for a signed example.com zone.
+
+To list keys using ods-ksmutil, accessing the HSM using pkcs11
+directly (rather than going through any of the opendnssec daemons),
+export the environment variables from /etc/default/opendnssec and run
+"ods-ksmutil keys list --verbose":
+
+{{{
+# ods-ksmutil keys list --verbose
+SQLite database set to: /var/lib/opendnssec/kasp.db
+Keys:
+Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
+example.com KSK ready waiting for ds-seen (active) 2048 8 7f9b9329480ebe5dc81054ccb293e261 Cryptech 62642
+example.com ZSK active 2016-07-13 19:04:30 (retire) 1024 8 97e972633613bd605944a0531ff5399b Cryptech 56620
+}}}
+
+If the output for repository is "Cryptech NOT IN repository",
+ods-ksmutil has not been able to actually list the keys in the HSM.
\ No newline at end of file |
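Review bot: the PINs and master key in this page are trivially weak literal values, and nothing in the text says they are placeholders to be replaced. The `cryptech_console` transcript sets `keystore set pin so 123456`, `keystore set pin user 1234` and `masterkey set EFBEADDE`, and the same `1234` is then written verbatim into `/etc/opendnssec/conf.xml` as `<PIN>1234</PIN>`; only the `wheel` PIN gets the "change this right now" treatment. Suggest stating next to the transcript that all three PINs and the master key are examples to be substituted with operator-chosen values, and adding a sentence after the `conf.xml` block noting that the file stores the user PIN in cleartext, so it should be readable only by the `opendnssec` user (the `chown -R opendnssec:` step covers `/var/lib/opendnssec` but not `/etc/opendnssec`). Two smaller points: the SOA record carries two numbers per timer line (`720 ; 28800 ; refresh (8 hours)`), so the comments no longer describe the values in use and are likely to mislead anyone copying the zone; and "preferrably" and "deamons" are misspelled in the "Before you start" and "Initialization and signing" sections.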