Agenda: opendnssec-howoto.txt

File opendnssec-howoto.txt, 3.8 KB (added by regnauld, 8 years ago)

Line
1	Quick getting started guide for OpenDNSSEC
2
3	1. Initialize the Software "Hardware Security Module"
4
5	# mkdir /usr/local/var/softhsm
6
7	# softhsm --init-token --slot 0 --label OpenDNSSEC
8
9	(use '1234' as the pin for the user + admin):
10
11	The SO PIN must have a length between 4 and 255 characters.
12	Enter SO PIN: ****
13	The user PIN must have a length between 4 and 255 characters.
14	Enter user PIN: ****
15	The token has been initialized.
16
17	2. Change the default Policy to use NSEC instead of NSEC3:
18
19	Edit /usr/local/etc/opendnssec/kasp.xml
20
21	Find this section, and remove all the lines from <NSEC3> ... </NSEC3>
22
23	<NSEC3>
24	<!-- <OptOut/> -->
25	<Resalt>P100D</Resalt>
26	<Hash>
27	<Algorithm>1</Algorithm>
28	<Iterations>5</Iterations>
29	<Salt length="8"/>
30	</Hash>
31	</NSEC3>
32
33	... and replace them with this single line:
34
35	<NSEC/>
36
37	Save & exit.
38
39	3. Initialize the KSM
40
41	# ods-ksmutil setup
42
43	WARNING This will erase all data in the database; are you sure? [y/N] y
44	SQLite database set to: /usr/local/var/opendnssec/kasp.db
45	fixing permissions on file /usr/local/var/opendnssec/kasp.db
46	zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
47	kasp filename set to /usr/local/etc/opendnssec/kasp.xml.
48	Repository SoftHSM found
49	No Maximum Capacity set.
50	RequireBackup NOT set; please make sure that you know the potential
51	problems of using keys which are not recoverable
52	/usr/local/etc/opendnssec/conf.xml validates
53	/usr/local/etc/opendnssec/kasp.xml validates
54	Policy default found
55	Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted as 365 days
56
57	4. Make a copy of your zone
58
59	Edit /etc/namedb/named.conf, and in the zone statement, change:
60
61	zone "mytld" {
62	...
63	allow-transfer { 127.0.0.1; key ... }; // <-- we added "127.0.0.1!"
64	...
65	};
66
67	Reload BIND
68
69	# rndc reconfig
70
71	# cd /usr/local/var/opendnssec/unsigned/
72
73	# dig @127.0.0.1 +nodnssec axfr mytld \| egrep -v '(RRSIG\|NSEC\|NSEC3\|DNSKEY\|RRSIG\|TYPE64\|^;\|^$)' \| sed -e '$d' >mytld
74
75	The above command takes a copy of your zone, and removes all the DNSSEC
76	information added by BIND. We are starting from a "fresh" zone!
77
78	5. Add the zone to OpenDNSSEC's databse:
79
80	# ods-ksmutil zone add --zone mytld
81
82	zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
83	SQLite database set to: /usr/local/var/opendnssec/kasp.db
84	Imported zone: mytld
85
86	6. OpenDNSSEC reload BIND
87
88	Modify /usr/local/etc/opendnssec/conf.xml
89
90	Find the lines:
91
92	<!--
93	<NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
94	-->
95
96	... remove the comments (the lines '<!--' and '-->')
97
98	7. Start OpenDNSSEC!
99
100	# ods-control start
101
102	Starting enforcer...
103	OpenDNSSEC ods-enforcerd started (version 1.2.0), pid 63495
104	Starting signer engine...
105	Starting signer...
106	OpenDNSSEC signer engine version 1.2.0
107	Engine running.
108
109	# ps ax \| grep ods
110
111	41588 ?? SsJ 0:00.11 /usr/local/sbin/ods-enforcerd
112	41593 ?? SsJ 0:00.07 /usr/local/sbin/ods-signerd -vvv
113
114	8. Sign the zone...
115
116	# ods-signer sign mytld
117
118	# ls -l /usr/local/var/opendnssec/signed
119
120	-rw-r--r-- 1 root wheel 3944 Feb 19 09:10 mytld
121
122
123	9. Tell BIND to load the new zone
124
125	Modify /etc/namedb/named.conf, and change the zone definition for "mytld"
126	so it looks like:
127
128	zone "mytld" {
129	file "/usr/local/var/opendnssec/signed/mytld";
130	type master;
131	allow-transfer { 127.0.0.1; ::1; key mydomain-key; };
132	};
133
134	Restart named:
135
136	# /etc/rc.d/named restart
137
138	10. Export the DS, ready to upload:
139
140	# ods-ksmutil key export --zone mytld --ds --keystate publish >/tmp/dsset-mytld.
141
142	11. Upload the DS to the server
143
144	# scp /tmp/dsset-mytld. adm@rootserv.ws.nsrc.org:
145
146	12. Notify the administrator!