From 891730d13b324fad916572a82f0bd610c5de9aad Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Sun, 13 Sep 2020 23:06:24 +0000 Subject: Rename for conversion --- raw-wiki-dump/OpenDNSSEC | 136 ----------------------------------------------- 1 file changed, 136 deletions(-) delete mode 100644 raw-wiki-dump/OpenDNSSEC (limited to 'raw-wiki-dump/OpenDNSSEC') diff --git a/raw-wiki-dump/OpenDNSSEC b/raw-wiki-dump/OpenDNSSEC deleted file mode 100644 index 1526a29..0000000 --- a/raw-wiki-dump/OpenDNSSEC +++ /dev/null 
@@ -1,136 +0,0 @@ -= DNSSEC signing using OpenDNSSEC and a Cryptech alpha board rev03 = - -== Before you start, you'll need == - -- A Cryptech Alpha board, preferrably revision "rev03" -- APT on the host system configured to find packages in the Cryptech - repository, see BinaryPackages for instructions - -{{{ -apt-get install cryptech-alpha opendnssec opensc -}}} - -Once you have the software package installed, you may need to [wiki:Upgrading upgrade your HSM's firmware]. - -== Configure the HSM == - -For now, connect USB cables to both the DATA and MGMT ports of your HSM and plug them into the host where you will be running OpenDNSSEC. -In production use it should not be necessary to leave the MGMT port connected, but it's easier to set up this way, and, as this is still a development platform, this is the configuration that's gotten the most testing. - -{{{ -# eval $(cryptech_probe) -# cryptech_muxd & -# cryptech_console - -Username: wheel -Password: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding - -cryptech> keystore set pin wheel supersikritnewpw -cryptech> keystore set pin so 123456 -cryptech> keystore set pin user 1234 - -cryptech> masterkey set EFBEADDE -^C -}}} - -Leave `cryptech_muxd` running, so that the PKCS !#11 library can use it to talk to the HSM. - - -== Configure OpenDNSSEC == - -{{{ -mkdir /var/lib/opendnssec/cryptech - -cat > /var/lib/opendnssec/unsigned/example.com << EOF -\$TTL 600 -example.com. IN SOA hidden-master.example.com. hostmaster.example.com. ( - 2016041401 ; serial - 720 ; 28800 ; refresh (8 hours) - 720 ; 7200 ; retry (2 hours) - 300 ; 604800 ; expire (1 week) - 120 ; 3600 ; minimum (1 hour) - ) - - NS lab.cryptech.is. -test A 127.0.0.1 -EOF - -chown -R opendnssec: /var/lib/opendnssec/* -}}} - - -== OpenDNSSEC configuration changes == - -/etc/opendnssec/conf.xml: - -{{{ - - /usr/lib/libcryptech-pkcs11.so - Cryptech Token - 1234 - - -}}} - -The PIN is whatever was chosen as PIN for 'user' above. 
-The !TokenLabel has to be "Cryptech Token", not something you choose. - - -/etc/opendnssec/kasp.xml: - - s/SoftHSM/Cryptech/ - -/etc/opendnssec/zonelist.xml: - -{{{ - - lab - /var/lib/opendnssec/signconf/example.com.xml - - - /var/lib/opendnssec/unsigned/example.com - - - /var/lib/opendnssec/signed/example.com - - - -}}} - - -== Initialization and signing == - -Make the deamons reload their configuration: - -{{{ - service opendnssec-enforcer restart - service opendnssec-signer restart -}}} - -Initialize opendnssec: - -{{{ - ods-ksmutil setup -}}} - -That should be it! - -See /var/log/syslog for output from ods-kaspcheck, ods-enforcerd and ods-signerd. -See /var/lib/opendnssec/signed/ for a signed example.com zone. - -To list keys using ods-ksmutil, accessing the HSM using pkcs11 -directly (rather than going through any of the opendnssec daemons), -export the environment variables from /etc/default/opendnssec and run -"ods-ksmutil keys list --verbose": - -{{{ -# ods-ksmutil keys list --verbose -SQLite database set to: /var/lib/opendnssec/kasp.db -Keys: -Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag: -example.com KSK ready waiting for ds-seen (active) 2048 8 7f9b9329480ebe5dc81054ccb293e261 Cryptech 62642 -example.com ZSK active 2016-07-13 19:04:30 (retire) 1024 8 97e972633613bd605944a0531ff5399b Cryptech 56620 -}}} - -If the output for repository is "Cryptech NOT IN repository", -ods-ksmutil has not been able to actually list the keys in the HSM. \ No newline at end of file -- cgit v1.2.3
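Review bot: the subject line says "Rename for conversion" but this view shows only the deletion side (1 file changed, 136 deletions) because it is limited to 'raw-wiki-dump/OpenDNSSEC'; the commit message does not name the destination path, so a reader following the history of this page cannot tell where the content went without re-running the diff with rename detection. Please state the new path in the message (or keep the rename in the same commit with `-M` so cgit renders it as a rename rather than a delete). While the text is being converted, it is worth carrying over fixes for the spelling errors that are being moved verbatim ("preferrably", "deamons"), and for the security-relevant guidance it contains: the example sets the user PIN to `1234` and the SO PIN to `123456` and then writes the user PIN in cleartext into `/etc/opendnssec/conf.xml`, so the converted page should make clear these are placeholders, the same way it already does for the `wheel` password. The `^C` after `masterkey set EFBEADDE` and the instruction to leave `cryptech_muxd` running are the steps most likely to be misread during conversion; keeping them adjacent in the new page preserves the point that the console is exited while the mux stays up for the PKCS #11 library.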