Agenda: opendnssec-howoto.txt

File opendnssec-howoto.txt, 3.8 KB (added by regnauld, 8 years ago)
Quick getting started guide for OpenDNSSEC

1. Initialize the Software "Hardware Security Module" (SoftHSM)

    # mkdir /usr/local/var/softhsm

    # softhsm --init-token --slot 0 --label OpenDNSSEC

    (use '1234' as the PIN for both the user and the SO/admin):

    The SO PIN must have a length between 4 and 255 characters.
    Enter SO PIN: ****
    The user PIN must have a length between 4 and 255 characters.
    Enter user PIN: ****
    The token has been initialized.

    The token label and the user PIN must match the <TokenLabel> and <PIN>
    of the SoftHSM <Repository> in /usr/local/etc/opendnssec/conf.xml, or
    the enforcer will not be able to open the token.  '1234' is a workshop
    PIN; for anything real change it in both places at once.

2. Change the default Policy to use NSEC instead of NSEC3:

    Edit /usr/local/etc/opendnssec/kasp.xml

    In the "default" policy, find the <Denial> section and remove all the
    lines from <NSEC3> ... </NSEC3>:

    <NSEC3>
        <!-- <OptOut/> -->
        <Resalt>P100D</Resalt>
        <Hash>
            <Algorithm>1</Algorithm>
            <Iterations>5</Iterations>
            <Salt length="8"/>
        </Hash>
    </NSEC3>

    ... and replace them with this single line:

    <NSEC/>

    Save & exit.  <Denial> must contain exactly one of <NSEC/> or <NSEC3>.
    Plain NSEC is simpler and is fine for a workshop TLD whose contents are
    not secret; NSEC3 only makes enumerating the zone harder, it does not
    change the strength of the signatures.

3. Initialize the KSM (the enforcer's key and signing policy database)

    # ods-ksmutil setup

    *WARNING* This will erase all data in the database; are you sure? [y/N] y
    SQLite database set to: /usr/local/var/opendnssec/kasp.db
    fixing permissions on file /usr/local/var/opendnssec/kasp.db
    zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
    kasp filename set to /usr/local/etc/opendnssec/kasp.xml.
    Repository SoftHSM found
    No Maximum Capacity set.
    RequireBackup NOT set; please make sure that you know the potential
        problems of using keys which are not recoverable
    /usr/local/etc/opendnssec/conf.xml validates
    /usr/local/etc/opendnssec/kasp.xml validates
    Policy default found
    Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted as 365 days

    Note the "RequireBackup NOT set" line: the private keys exist only in
    the SoftHSM token files under /usr/local/var/softhsm, so back that
    directory up together with kasp.db.  Losing either means re-keying the
    zone from scratch and redoing the DS upload in steps 10 and 11.

4. Make a copy of your zone

    Edit /etc/namedb/named.conf, and in the zone statement, change:

        zone "mytld" {
                ...
                allow-transfer { 127.0.0.1; key ... };   // <-- we added "127.0.0.1"
                ...
        };

    Reload BIND:

    # rndc reconfig

    # cd /usr/local/var/opendnssec/unsigned/

    # dig @127.0.0.1 +nodnssec axfr mytld | egrep -v '(RRSIG|NSEC|NSEC3|DNSKEY|TYPE64|^;|^$)' | sed -e '$d' >mytld

    The above command takes a copy of your zone and removes all the DNSSEC
    information added by BIND; the 'sed' drops the last line, which is the
    second copy of the SOA that closes every AXFR.  We are starting from a
    "fresh" zone!  Be aware that egrep matches these words anywhere on a
    line, not just in the type column, so inspect the result if any owner
    name or TXT record in your zone happens to contain "nsec", "rrsig" or
    "dnskey".

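The filter in step 4 can be made type-aware so that it keeps records whose names or text merely contain a DNSSEC keyword. The following is an added example, not part of the original howto: a shell function that reads 'dig axfr' output on stdin, drops comment and blank lines, drops only records whose RR type column is RRSIG, NSEC, NSEC3, NSEC3PARAM, DNSKEY, CDS, CDNSKEY or an unknown type printed as TYPEnnnn (BIND keeps its signing state in such a private type), and removes the closing SOA. It assumes dig's default presentation format (owner, TTL, class, type, rdata) and is exercised on a small constructed transfer that mimics that format.

```shell
# Added example (not from the original howto): type-aware version of the
# step-4 filter.  Reads 'dig @server axfr zone' output on stdin, writes the
# zone with DNSSEC records removed.  Assumes the default dig presentation
# format: owner ttl class type rdata...
strip_dnssec() {
    awk '
        /^;/ || /^[ \t]*$/ { next }                  # dig comments, blank lines
        # Decide on the type column only, never on the owner or rdata text.
        $3 == "IN" && ($4 ~ /^(RRSIG|NSEC|NSEC3|NSEC3PARAM|DNSKEY|CDS|CDNSKEY)$/ || $4 ~ /^TYPE[0-9]+$/) { next }
        { lines[++n] = $0; types[n] = $4 }
        END {
            # An AXFR starts and ends with the SOA; keep only the first copy.
            last = n
            if (n > 1 && types[1] == "SOA" && types[n] == "SOA") last = n - 1
            for (i = 1; i <= last; i++) print lines[i]
        }'
}

# Constructed sample transfer (not real data): a BIND-signed zone with an
# owner name and a TXT record that the original egrep would wrongly drop.
SAMPLE_AXFR='; <<>> DiG 9.x <<>> @127.0.0.1 +nodnssec axfr mytld
;; global options: +cmd
mytld.          3600 IN SOA   ns1.mytld. hostmaster.mytld. 2013021901 3600 900 1209600 3600
mytld.          3600 IN RRSIG SOA 8 1 3600 20130301000000 20130219000000 12345 mytld. AbCd==
mytld.          3600 IN NS    ns1.mytld.
mytld.          3600 IN DNSKEY 257 3 8 AwEAAb==
mytld.          3600 IN NSEC  ns1.mytld. NS SOA RRSIG NSEC DNSKEY
mytld.          3600 IN TYPE65534 \# 5 0805000000
nsec.mytld.     3600 IN TXT   "rrsig lives here"
ns1.mytld.      3600 IN A     192.0.2.1
mytld.          3600 IN SOA   ns1.mytld. hostmaster.mytld. 2013021901 3600 900 1209600 3600
;; Query time: 1 msec
;; XFR size: 9 records'

# Run the sample through the filter; in real use replace the printf with
#   dig @127.0.0.1 +nodnssec axfr mytld | strip_dnssec > mytld
printf '%s\n' "$SAMPLE_AXFR" | strip_dnssec
```

On the sample this leaves exactly four records (SOA, NS, the TXT at nsec.mytld and the A record); the original egrep would have silently removed two of them.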
5. Add the zone to OpenDNSSEC's database:

    # ods-ksmutil zone add --zone mytld

    zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
    SQLite database set to: /usr/local/var/opendnssec/kasp.db
    Imported zone: mytld

    Without --input/--output the zone is read from
    /usr/local/var/opendnssec/unsigned/mytld (the file written in step 4)
    and the signed zone is written to /usr/local/var/opendnssec/signed/mytld.

6. Have OpenDNSSEC reload BIND after each signing

    Modify /usr/local/etc/opendnssec/conf.xml

    In the <Signer> section, find the lines:

    <!--
                <NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
    -->

    ... and remove the comments (the lines '<!--' and '-->').  The signer
    runs this command every time it writes a new signed zone, with %zone
    replaced by the zone name, so named picks up fresh signatures without
    manual intervention.  Check that /usr/sbin/rndc is where rndc lives on
    your system.

7. Start OpenDNSSEC!

    # ods-control start

    Starting enforcer...
    OpenDNSSEC ods-enforcerd started (version 1.2.0), pid 63495
    Starting signer engine...
    Starting signer...
    OpenDNSSEC signer engine version 1.2.0
    Engine running.

    # ps ax | grep ods

    41588  ??  SsJ    0:00.11 /usr/local/sbin/ods-enforcerd
    41593  ??  SsJ    0:00.07 /usr/local/sbin/ods-signerd -vvv

8. Sign the zone

    # ods-signer sign mytld

    This queues the zone for signing; the enforcer has already generated
    the KSK and ZSK in the SoftHSM according to the "default" policy.
    Check that the signed zone has appeared:

    # ls -l /usr/local/var/opendnssec/signed

    -rw-r--r--  1 root  wheel  3944 Feb 19 09:10 mytld

9. Tell BIND to load the new zone

    Modify /etc/namedb/named.conf, and change the zone definition for "mytld"
    so it looks like:

    zone "mytld" {
            file "/usr/local/var/opendnssec/signed/mytld";
            type master;
            allow-transfer { 127.0.0.1; ::1; key mydomain-key; };
    };

    Restart named:

    # /etc/rc.d/named restart

    From now on /usr/local/var/opendnssec/unsigned/mytld is the master copy
    of the zone: make changes there and have the signer re-sign it as in
    step 8.  named only serves the signed file and must never write to it,
    so do not enable dynamic updates or BIND's own DNSSEC signing for this
    zone.

10. Export the DS, ready to upload:

    # ods-ksmutil key export --zone mytld --ds --keystate publish >/tmp/dsset-mytld.

    Right after the first signing the KSK is in the "publish" state.  The
    enforcer moves it to "ready" once the DNSKEY has been visible for the
    propagation delay set in the policy, and it will not make the KSK
    active until it is told that the parent has published the DS.  The
    conservative order is therefore: wait for "ready", export, upload,
    then tell the enforcer the DS has been seen.

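Before uploading the dsset from step 10 it is worth checking that every line in it really is a DS for this zone with a digest of the right length, and the key tags in it are what the enforcer has to be told about afterwards. The following is an added example, not part of the original howto: a shell function that validates a dsset read on stdin (owner equals the zone, class IN, numeric tag and algorithm, digest type 1/2/4 with 40/64/96 hex characters respectively) and prints the unique key tags, plus a helper that turns those tags into the 'ods-ksmutil key ds-seen' commands to run once the parent has published the DS. The sample dsset is constructed; the digests in it are placeholders, not real hashes.

```shell
# Added example (not from the original howto): validate an exported dsset
# and derive the ds-seen commands from it.  Reads DS records in
# presentation format on stdin; ';' comment lines and blank lines are
# ignored.  Usage: check_dsset ZONE < dsset  -> prints unique key tags,
# returns 1 and reports on stderr if any line is not a sane DS.
check_dsset() {
    zone="${1%.}."                      # compare against the canonical owner
    awk -v zone="$zone" '
        /^;/ || /^[ \t]*$/ { next }
        {
            ds = 0                      # locate "IN DS", with or without a TTL
            for (i = 2; i < NF; i++) if ($i == "DS" && $(i-1) == "IN") { ds = i; break }
            if (!ds || NF < ds + 4) { bad++; print "line " NR ": not a DS record: " $0 > "/dev/stderr"; next }
            if ($1 != zone)         { bad++; print "line " NR ": owner " $1 " is not " zone > "/dev/stderr"; next }
            tag = $(ds+1); alg = $(ds+2); dt = $(ds+3)
            hex = ""; for (i = ds + 4; i <= NF; i++) hex = hex $i   # digest may be split by spaces
            if (tag !~ /^[0-9]+$/ || tag > 65535 || alg !~ /^[0-9]+$/ || dt !~ /^[0-9]+$/) {
                bad++; print "line " NR ": bad tag/algorithm/digest type" > "/dev/stderr"; next
            }
            # Digest length must match the digest type: 1=SHA-1, 2=SHA-256, 4=SHA-384.
            want = (dt == 1) ? 40 : (dt == 2) ? 64 : (dt == 4) ? 96 : 0
            if (!want || length(hex) != want || hex !~ /^[0-9A-Fa-f]+$/) {
                bad++; print "line " NR ": digest type " dt " with " length(hex) " hex chars" > "/dev/stderr"; next
            }
            if (!(tag in seen)) { seen[tag] = 1; tags[++n] = tag }
        }
        END { if (bad) exit 1; for (i = 1; i <= n; i++) print tags[i] }'
}

# Print (do not run) the commands that tell the enforcer the parent has
# published the DS for each key tag.  Usage: ds_seen_commands ZONE < dsset
ds_seen_commands() {
    tags=$(check_dsset "$1") || return 1
    for tag in $tags; do
        printf 'ods-ksmutil key ds-seen --zone %s --keytag %s\n' "$1" "$tag"
    done
}

# Constructed sample dsset (placeholder digests, not real hashes).
SAMPLE_DSSET='; KSK DS records for mytld (constructed sample)
mytld. 3600 IN DS 31153 8 1 0123456789ABCDEF0123456789ABCDEF01234567
mytld. 3600 IN DS 31153 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'

# In real use: check_dsset mytld < /tmp/dsset-mytld. && scp ... ; later,
# after the parent has published the DS: ds_seen_commands mytld < /tmp/dsset-mytld.
printf '%s\n' "$SAMPLE_DSSET" | ds_seen_commands mytld
```

A truncated or hand-edited digest is the classic way to publish a DS that matches no key, which makes the whole zone bogus for validating resolvers; the length check catches that before the parent does.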
11. Upload the DS to the server

    # scp /tmp/dsset-mytld. adm@rootserv.ws.nsrc.org:

12. Notify the administrator!