From 23bb68fe7e9cc8af176ff60b56e8a51a70f05a89 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Sun, 14 Feb 2021 01:35:10 +0000 Subject: Now generating pages directly from sqlite3 --- raw-wiki-dump/OpenDNSSEC.md | 138 -------------------------------------------- 1 file changed, 138 deletions(-) delete mode 100644 raw-wiki-dump/OpenDNSSEC.md (limited to 'raw-wiki-dump/OpenDNSSEC.md') diff --git a/raw-wiki-dump/OpenDNSSEC.md b/raw-wiki-dump/OpenDNSSEC.md deleted file mode 100644 index 49e2868..0000000 --- a/raw-wiki-dump/OpenDNSSEC.md +++ /dev/null 
@@ -1,138 +0,0 @@ -# DNSSEC signing using OpenDNSSEC and a Cryptech alpha board rev03 - -## Before you start, you'll need - - -- A Cryptech Alpha board, preferrably revision "rev03" -- APT on the host system configured to find packages in the Cryptech - - repository, see BinaryPackages for instructions - -``` -apt-get install cryptech-alpha opendnssec opensc -``` - -Once you have the software package installed, you may need to [wiki:Upgrading upgrade your HSM's firmware]. - -## Configure the HSM - -For now, connect USB cables to both the DATA and MGMT ports of your HSM and plug them into the host where you will be running OpenDNSSEC. -In production use it should not be necessary to leave the MGMT port connected, but it's easier to set up this way, and, as this is still a development platform, this is the configuration that's gotten the most testing. - -``` -# eval $(cryptech_probe) -# cryptech_muxd & -# cryptech_console - -Username: wheel -Password: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding - -cryptech> keystore set pin wheel supersikritnewpw -cryptech> keystore set pin so 123456 -cryptech> keystore set pin user 1234 - -cryptech> masterkey set EFBEADDE -^C -``` - -Leave `cryptech_muxd` running, so that the PKCS !#11 library can use it to talk to the HSM. - - -## Configure OpenDNSSEC - -``` -mkdir /var/lib/opendnssec/cryptech - -cat > /var/lib/opendnssec/unsigned/example.com << EOF -\$TTL 600 -example.com. IN SOA hidden-master.example.com. hostmaster.example.com. ( - 2016041401 ; serial - 720 ; 28800 ; refresh (8 hours) - 720 ; 7200 ; retry (2 hours) - 300 ; 604800 ; expire (1 week) - 120 ; 3600 ; minimum (1 hour) - ) - - NS lab.cryptech.is. -test A 127.0.0.1 -EOF - -chown -R opendnssec: /var/lib/opendnssec/* -``` - - -## OpenDNSSEC configuration changes - -/etc/opendnssec/conf.xml: - -``` - - /usr/lib/libcryptech-pkcs11.so - Cryptech Token - 1234 - - -``` - -The PIN is whatever was chosen as PIN for 'user' above. 
-The TokenLabel has to be "Cryptech Token", not something you choose. - - -/etc/opendnssec/kasp.xml: - - s/SoftHSM/Cryptech/ - -/etc/opendnssec/zonelist.xml: - -``` - - lab - /var/lib/opendnssec/signconf/example.com.xml - - - /var/lib/opendnssec/unsigned/example.com - - - /var/lib/opendnssec/signed/example.com - - - -``` - - -## Initialization and signing - -Make the deamons reload their configuration: - -``` - service opendnssec-enforcer restart - service opendnssec-signer restart -``` - -Initialize opendnssec: - -``` - ods-ksmutil setup -``` - -That should be it! - -See /var/log/syslog for output from ods-kaspcheck, ods-enforcerd and ods-signerd. -See /var/lib/opendnssec/signed/ for a signed example.com zone. - -To list keys using ods-ksmutil, accessing the HSM using pkcs11 -directly (rather than going through any of the opendnssec daemons), -export the environment variables from /etc/default/opendnssec and run -"ods-ksmutil keys list --verbose": - -``` -# ods-ksmutil keys list --verbose -SQLite database set to: /var/lib/opendnssec/kasp.db -Keys: -Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag: -example.com KSK ready waiting for ds-seen (active) 2048 8 7f9b9329480ebe5dc81054ccb293e261 Cryptech 62642 -example.com ZSK active 2016-07-13 19:04:30 (retire) 1024 8 97e972633613bd605944a0531ff5399b Cryptech 56620 -``` - -If the output for repository is "Cryptech NOT IN repository", -ods-ksmutil has not been able to actually list the keys in the HSM. -- cgit v1.2.3
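Review bot: this hunk deletes the only copy in the tree of several operational details that the sqlite3-generated replacement must carry over, so please confirm the generator emits them before merging: the shipped `wheel` password shown as `YouReallyNeedToChangeThisPINRightNowWeAreNotKidding` together with the instruction to change it, the `keystore set pin` and `masterkey set` steps, the requirement that the TokenLabel in conf.xml be exactly "Cryptech Token" and the PIN there match the `user` PIN, the `s/SoftHSM/Cryptech/` change to kasp.xml, and the `chown -R opendnssec:` step after creating `/var/lib/opendnssec/cryptech`. While porting, the generated page should also repair defects visible in the removed text rather than reproduce them: the example SOA record's values and comments disagree (`720 ; 28800 ; refresh (8 hours)`, `300 ; 604800 ; expire (1 week)`, and similarly for retry and minimum), the Trac escape is left in `PKCS !#11`, `deamons` and `preferrably` are misspelled, and the example PINs and master key (`1234`, `123456`, `EFBEADDE`) should be marked as lab placeholders, since the page already warns that the default wheel password must be changed.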