From b092ffbcbe2c9398494f7dc9db6f0796971633e0 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Sun, 13 Sep 2020 23:04:30 +0000 Subject: Import Cryptech wiki dump --- raw-wiki-dump/OpenDNSSEC | 136 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 136 insertions(+) create mode 100644 raw-wiki-dump/OpenDNSSEC (limited to 'raw-wiki-dump/OpenDNSSEC') diff --git a/raw-wiki-dump/OpenDNSSEC b/raw-wiki-dump/OpenDNSSEC new file mode 100644 index 0000000..1526a29 --- /dev/null +++ b/raw-wiki-dump/OpenDNSSEC 
@@ -0,0 +1,136 @@ += DNSSEC signing using OpenDNSSEC and a Cryptech alpha board rev03 = + +== Before you start, you'll need == + +- A Cryptech Alpha board, preferrably revision "rev03" +- APT on the host system configured to find packages in the Cryptech + repository, see BinaryPackages for instructions + +{{{ +apt-get install cryptech-alpha opendnssec opensc +}}} + +Once you have the software package installed, you may need to [wiki:Upgrading upgrade your HSM's firmware]. + +== Configure the HSM == + +For now, connect USB cables to both the DATA and MGMT ports of your HSM and plug them into the host where you will be running OpenDNSSEC. +In production use it should not be necessary to leave the MGMT port connected, but it's easier to set up this way, and, as this is still a development platform, this is the configuration that's gotten the most testing. + +{{{ +# eval $(cryptech_probe) +# cryptech_muxd & +# cryptech_console + +Username: wheel +Password: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding + +cryptech> keystore set pin wheel supersikritnewpw +cryptech> keystore set pin so 123456 +cryptech> keystore set pin user 1234 + +cryptech> masterkey set EFBEADDE +^C +}}} + +Leave `cryptech_muxd` running, so that the PKCS !#11 library can use it to talk to the HSM. + + +== Configure OpenDNSSEC == + +{{{ +mkdir /var/lib/opendnssec/cryptech + +cat > /var/lib/opendnssec/unsigned/example.com << EOF +\$TTL 600 +example.com. IN SOA hidden-master.example.com. hostmaster.example.com. ( + 2016041401 ; serial + 720 ; 28800 ; refresh (8 hours) + 720 ; 7200 ; retry (2 hours) + 300 ; 604800 ; expire (1 week) + 120 ; 3600 ; minimum (1 hour) + ) + + NS lab.cryptech.is. +test A 127.0.0.1 +EOF + +chown -R opendnssec: /var/lib/opendnssec/* +}}} + + +== OpenDNSSEC configuration changes == + +/etc/opendnssec/conf.xml: + +{{{ + + /usr/lib/libcryptech-pkcs11.so + Cryptech Token + 1234 + + +}}} + +The PIN is whatever was chosen as PIN for 'user' above. 
+The !TokenLabel has to be "Cryptech Token", not something you choose. + + +/etc/opendnssec/kasp.xml: + + s/SoftHSM/Cryptech/ + +/etc/opendnssec/zonelist.xml: + +{{{ + + lab + /var/lib/opendnssec/signconf/example.com.xml + + + /var/lib/opendnssec/unsigned/example.com + + + /var/lib/opendnssec/signed/example.com + + + +}}} + + +== Initialization and signing == + +Make the deamons reload their configuration: + +{{{ + service opendnssec-enforcer restart + service opendnssec-signer restart +}}} + +Initialize opendnssec: + +{{{ + ods-ksmutil setup +}}} + +That should be it! + +See /var/log/syslog for output from ods-kaspcheck, ods-enforcerd and ods-signerd. +See /var/lib/opendnssec/signed/ for a signed example.com zone. + +To list keys using ods-ksmutil, accessing the HSM using pkcs11 +directly (rather than going through any of the opendnssec daemons), +export the environment variables from /etc/default/opendnssec and run +"ods-ksmutil keys list --verbose": + +{{{ +# ods-ksmutil keys list --verbose +SQLite database set to: /var/lib/opendnssec/kasp.db +Keys: +Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag: +example.com KSK ready waiting for ds-seen (active) 2048 8 7f9b9329480ebe5dc81054ccb293e261 Cryptech 62642 +example.com ZSK active 2016-07-13 19:04:30 (retire) 1024 8 97e972633613bd605944a0531ff5399b Cryptech 56620 +}}} + +If the output for repository is "Cryptech NOT IN repository", +ods-ksmutil has not been able to actually list the keys in the HSM. \ No newline at end of file -- cgit v1.2.3
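Review bot: The `/etc/opendnssec/conf.xml` and `/etc/opendnssec/zonelist.xml` fragments under "OpenDNSSEC configuration changes" have lost their XML element markup; only the bare values survive (`/usr/lib/libcryptech-pkcs11.so`, `Cryptech Token`, `1234`, and the signconf/unsigned/signed paths), so a reader cannot paste them into the files. The element names around those values should be restored, at minimum the one the text itself relies on (`TokenLabel`, which the prose says must be "Cryptech Token"). The same section should also state plainly that the values shown for the wheel, so and user PINs and for `masterkey set EFBEADDE` are placeholders to be replaced, since the user PIN is then stored in clear text in conf.xml. Two spelling fixes while here: "preferrably" and "deamons".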