Title: DNSSEC signing using OpenDNSSEC and a Cryptech alpha board rev03 Author: Rob Austein Date: 2016-12-15 22:43 Modified: 2017-05-13 21:34 Category: DNSSEC ## Before you start, you'll need - A Cryptech Alpha board, preferrably revision "rev03" - APT on the host system configured to find packages in the Cryptech repository, see [BinaryPackages]({filename}BinaryPackages.md) for instructions ``` apt-get install cryptech-alpha opendnssec opensc ``` Once you have the software package installed, you may need to [upgrade your HSM's firmware]({filename}Upgrading.md). ## Configure the HSM For now, connect USB cables to both the DATA and MGMT ports of your HSM and plug them into the host where you will be running OpenDNSSEC. In production use it should not be necessary to leave the MGMT port connected, but it's easier to set up this way, and, as this is still a development platform, this is the configuration that's gotten the most testing. ``` # eval $(cryptech_probe) # cryptech_muxd & # cryptech_console Username: wheel Password: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding cryptech> keystore set pin wheel supersikritnewpw cryptech> keystore set pin so 123456 cryptech> keystore set pin user 1234 cryptech> masterkey set EFBEADDE ^C ``` Leave `cryptech_muxd` running, so that the PKCS #11 library can use it to talk to the HSM. ## Configure OpenDNSSEC ``` mkdir /var/lib/opendnssec/cryptech cat > /var/lib/opendnssec/unsigned/example.com << EOF \$TTL 600 example.com. IN SOA hidden-master.example.com. hostmaster.example.com. ( 2016041401 ; serial 720 ; 28800 ; refresh (8 hours) 720 ; 7200 ; retry (2 hours) 300 ; 604800 ; expire (1 week) 120 ; 3600 ; minimum (1 hour) ) NS lab.cryptech.is. test A 127.0.0.1 EOF chown -R opendnssec: /var/lib/opendnssec/* ``` ## OpenDNSSEC configuration changes /etc/opendnssec/conf.xml: ``` /usr/lib/libcryptech-pkcs11.so Cryptech Token 1234 ``` The PIN is whatever was chosen as PIN for 'user' above. The TokenLabel has to be "Cryptech Token", not something you choose. /etc/opendnssec/kasp.xml: s/SoftHSM/Cryptech/ /etc/opendnssec/zonelist.xml: ``` lab /var/lib/opendnssec/signconf/example.com.xml /var/lib/opendnssec/unsigned/example.com /var/lib/opendnssec/signed/example.com ``` ## Initialization and signing Make the deamons reload their configuration: ``` service opendnssec-enforcer restart service opendnssec-signer restart ``` Initialize opendnssec: ``` ods-ksmutil setup ``` That should be it! See /var/log/syslog for output from ods-kaspcheck, ods-enforcerd and ods-signerd. See /var/lib/opendnssec/signed/ for a signed example.com zone. To list keys using ods-ksmutil, accessing the HSM using pkcs11 directly (rather than going through any of the opendnssec daemons), export the environment variables from /etc/default/opendnssec and run "ods-ksmutil keys list --verbose": ``` # ods-ksmutil keys list --verbose SQLite database set to: /var/lib/opendnssec/kasp.db Keys: Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag: example.com KSK ready waiting for ds-seen (active) 2048 8 7f9b9329480ebe5dc81054ccb293e261 Cryptech 62642 example.com ZSK active 2016-07-13 19:04:30 (retire) 1024 8 97e972633613bd605944a0531ff5399b Cryptech 56620 ``` If the output for repository is "Cryptech NOT IN repository", ods-ksmutil has not been able to actually list the keys in the HSM.