author: Rob Austein <sra@hactrn.net> 2021-02-14 16:01:15 +0000
committer: Rob Austein <sra@hactrn.net> 2021-02-14 16:01:15 +0000
commit: e18e5b3d2559f5f0395ffe79416cdca3abc89310 (patch)
tree: 340bdc43c4bfa7bcc3c048eea4db848cabe470de /tracwiki/OpenDNSSEC.trac
parent: ad1cc0517983e599897929b4c94463bf2af78f7c (diff)
Start restructuring for Pelican
Diffstat (limited to 'tracwiki/OpenDNSSEC.trac')
-rw-r--r-- tracwiki/OpenDNSSEC.trac 136
1 files changed, 0 insertions, 136 deletions
diff --git a/tracwiki/OpenDNSSEC.trac b/tracwiki/OpenDNSSEC.trac
deleted file mode 100644
index 1526a29..0000000
--- a/tracwiki/OpenDNSSEC.trac
+++ /dev/null
@@ -1,136 +0,0 @@
-= DNSSEC signing using OpenDNSSEC and a Cryptech alpha board rev03 =
-
-== Before you start, you'll need ==
-
-- A Cryptech Alpha board, preferrably revision "rev03"
-- APT on the host system configured to find packages in the Cryptech
- repository, see BinaryPackages for instructions
-
-{{{
-apt-get install cryptech-alpha opendnssec opensc
-}}}
-
-Once you have the software package installed, you may need to [wiki:Upgrading upgrade your HSM's firmware].
-
-== Configure the HSM ==
-
-For now, connect USB cables to both the DATA and MGMT ports of your HSM and plug them into the host where you will be running OpenDNSSEC.
-In production use it should not be necessary to leave the MGMT port connected, but it's easier to set up this way, and, as this is still a development platform, this is the configuration that's gotten the most testing.
-
-{{{
-# eval $(cryptech_probe)
-# cryptech_muxd &
-# cryptech_console
-
-Username: wheel
-Password: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding
-
-cryptech> keystore set pin wheel supersikritnewpw
-cryptech> keystore set pin so 123456
-cryptech> keystore set pin user 1234
-
-cryptech> masterkey set EFBEADDE
-^C
-}}}
-
-Leave `cryptech_muxd` running, so that the PKCS !#11 library can use it to talk to the HSM.
-
-
-== Configure OpenDNSSEC ==
-
-{{{
-mkdir /var/lib/opendnssec/cryptech
-
-cat > /var/lib/opendnssec/unsigned/example.com << EOF
-\$TTL 600
-example.com. IN SOA hidden-master.example.com. hostmaster.example.com. (
- 2016041401 ; serial
- 720 ; 28800 ; refresh (8 hours)
- 720 ; 7200 ; retry (2 hours)
- 300 ; 604800 ; expire (1 week)
- 120 ; 3600 ; minimum (1 hour)
- )
-
- NS lab.cryptech.is.
-test A 127.0.0.1
-EOF
-
-chown -R opendnssec: /var/lib/opendnssec/*
-}}}
-
-
-== OpenDNSSEC configuration changes ==
-
-/etc/opendnssec/conf.xml:
-
-{{{
-<Repository name="Cryptech">
- <Module>/usr/lib/libcryptech-pkcs11.so</Module>
- <TokenLabel>Cryptech Token</TokenLabel>
- <PIN>1234</PIN>
- <SkipPublicKey/>
-</Repository>
-}}}
-
-The PIN is whatever was chosen as PIN for 'user' above.
-The !TokenLabel has to be "Cryptech Token", not something you choose.
-
-
-/etc/opendnssec/kasp.xml:
-
- s/SoftHSM/Cryptech/
-
-/etc/opendnssec/zonelist.xml:
-
-{{{
-<Zone name="example.com">
- <Policy>lab</Policy>
- <SignerConfiguration>/var/lib/opendnssec/signconf/example.com.xml</SignerConfiguration>
- <Adapters>
- <Input>
- <Adapter type="File">/var/lib/opendnssec/unsigned/example.com</Adapter>
- </Input>
- <Output>
- <Adapter type="File">/var/lib/opendnssec/signed/example.com</Adapter>
- </Output>
- </Adapters>
-</Zone>
-}}}
-
-
-== Initialization and signing ==
-
-Make the deamons reload their configuration:
-
-{{{
- service opendnssec-enforcer restart
- service opendnssec-signer restart
-}}}
-
-Initialize opendnssec:
-
-{{{
- ods-ksmutil setup
-}}}
-
-That should be it!
-
-See /var/log/syslog for output from ods-kaspcheck, ods-enforcerd and ods-signerd.
-See /var/lib/opendnssec/signed/ for a signed example.com zone.
-
-To list keys using ods-ksmutil, accessing the HSM using pkcs11
-directly (rather than going through any of the opendnssec daemons),
-export the environment variables from /etc/default/opendnssec and run
-"ods-ksmutil keys list --verbose":
-
-{{{
-# ods-ksmutil keys list --verbose
-SQLite database set to: /var/lib/opendnssec/kasp.db
-Keys:
-Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
-example.com KSK ready waiting for ds-seen (active) 2048 8 7f9b9329480ebe5dc81054ccb293e261 Cryptech 62642
-example.com ZSK active 2016-07-13 19:04:30 (retire) 1024 8 97e972633613bd605944a0531ff5399b Cryptech 56620
-}}}
-
-If the output for repository is "Cryptech NOT IN repository",
-ods-ksmutil has not been able to actually list the keys in the HSM. \ No newline at end of file
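Review bot: this hunk deletes the whole OpenDNSSEC/Cryptech walkthrough without adding a replacement, and the commit message ("Start restructuring for Pelican") does not say where the content moves; before this lands, confirm the new Pelican page carries the operational details a reader cannot easily rediscover, in particular that `cryptech_muxd` must be left running for the PKCS #11 library to reach the HSM, that `<TokenLabel>` in /etc/opendnssec/conf.xml must be exactly "Cryptech Token", that the repository `<PIN>` is the 'user' PIN set with `keystore set pin user`, and the closing diagnostic that "Cryptech NOT IN repository" in the `ods-ksmutil keys list --verbose` output means the keys in the HSM were not actually listed. The Trac-specific markup also needs converting rather than copying: the `{{{ ... }}}` blocks, the `[wiki:Upgrading ...]` and BinaryPackages wiki links, and the `!` escapes in `!TokenLabel` and `PKCS !#11`. Two small fixes are worth making during the move instead of carrying them over: "preferrably" and "deamons" are misspelled, and the SOA comments in the example zone disagree with the values beside them (`720 ; 28800 ; refresh (8 hours)`, `300 ; 604800 ; expire (1 week)`), so either the numbers or the comments should be corrected in the migrated page.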