Quick getting started guide for OpenDNSSEC

1. Initialize the Software "Hardware Security Module"

    # mkdir /usr/local/var/softhsm

    # softhsm --init-token --slot 0 --label OpenDNSSEC

    (this guide uses '1234' for both the SO PIN and the user PIN.  The user PIN
    must match the <PIN> in the <Repository name="SoftHSM"> section of
    /usr/local/etc/opendnssec/conf.xml, which is why the value from the shipped
    conf.xml is reused here; it is a lab value, so pick a real PIN for any
    token that will hold production keys):

    The SO PIN must have a length between 4 and 255 characters.
    Enter SO PIN: ****
    The user PIN must have a length between 4 and 255 characters.
    Enter user PIN: ****
    The token has been initialized.

2. Change the default Policy to use NSEC instead of NSEC3:

    Edit /usr/local/etc/opendnssec/kasp.xml

    Find this section, and remove all the lines from <NSEC3> ... </NSEC3>

    <NSEC3>
        <!-- <OptOut/> -->
        <Resalt>P100D</Resalt>
        <Hash>
            <Algorithm>1</Algorithm>
            <Iterations>5</Iterations>
            <Salt length="8"/>
        </Hash>
    </NSEC3>

    ... and replace them with this single line:

    <NSEC/>

    Save & exit.  (NSEC keeps this exercise simple; bear in mind that an NSEC
    chain lets anyone walk the zone and list every name in it, which is what
    NSEC3's hashing is meant to prevent.)

3. Initialize the KASP database (KSM)

    # ods-ksmutil setup

    *WARNING* This will erase all data in the database; are you sure? [y/N] y
    SQLite database set to: /usr/local/var/opendnssec/kasp.db
    fixing permissions on file /usr/local/var/opendnssec/kasp.db
    zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
    kasp filename set to /usr/local/etc/opendnssec/kasp.xml.
    Repository SoftHSM found
    No Maximum Capacity set.
    RequireBackup NOT set; please make sure that you know the potential
        problems of using keys which are not recoverable
    /usr/local/etc/opendnssec/conf.xml validates
    /usr/local/etc/opendnssec/kasp.xml validates
    Policy default found
    Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted as 365 days

    Note the RequireBackup warning: the private keys the enforcer is about to
    generate live only in the SoftHSM token file under /usr/local/var/softhsm
    (step 1).  Lose that file and the zone can no longer be signed with the
    same keys, so include it in your backups, and protect it: anyone who can
    read it and knows the PIN holds the zone's signing keys.

4. Make a copy of your zone

    Edit /etc/namedb/named.conf, and in the zone statement, change:

    zone "mytld" {
        ...
        allow-transfer { 127.0.0.1; key ... };   // <-- we added "127.0.0.1;"
        ...
    };

    Reload BIND's configuration:

    # rndc reconfig

    # cd /usr/local/var/opendnssec/unsigned/

    # dig @127.0.0.1 +nodnssec axfr mytld | egrep -v '(RRSIG|NSEC|NSEC3|DNSKEY|TYPE64|^;|^$)' | sed -e '$d'  >mytld

    The above command takes a copy of your zone and removes all the DNSSEC
    information added by BIND (RRSIG, NSEC/NSEC3 and NSEC3PARAM, DNSKEY), so
    that OpenDNSSEC starts from a "fresh" zone.  Lines beginning with ';' are
    dig's own commentary, and the final sed deletes the last line, which after
    filtering is the repeated SOA that closes every AXFR.  Be aware that egrep
    matches these names anywhere on the line, so a TXT record that merely
    contains the word "RRSIG" would be dropped too; look over the result
    (named-checkzone mytld mytld) before going on.
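
    The pipeline above decides on substrings anywhere in the line and relies on
    the duplicate SOA being the very last line.  The script below is an added
    example, not part of the original guide or of OpenDNSSEC, that filters on
    dig's type column instead and drops the second SOA wherever it occurs.  The
    sample dig output embedded in it is constructed for the example, and
    TYPE65534 (BIND's private type for auto-dnssec signing state) is included
    on the assumption that the zone may have been signed that way; it is
    harmless when no such records exist.

```python
import sys

# Record types produced by BIND's own signing; OpenDNSSEC regenerates all of
# them.  TYPE65534 is BIND's private signing-state type (assumption: the zone
# may have been signed with auto-dnssec; nothing happens if it is absent).
GENERATED_TYPES = frozenset({"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "TYPE65534"})


def strip_dnssec(axfr_text: str, drop_types=GENERATED_TYPES) -> str:
    """Turn `dig axfr` output into an unsigned zone file.

    dig prints one record per line as: owner TTL class TYPE rdata...
    Only the TYPE column is inspected, so a TXT record whose text happens to
    contain 'RRSIG' survives, and only the first SOA is kept because an AXFR
    stream always repeats the apex SOA as its final record.
    """
    kept = []
    seen_soa = False
    for line in axfr_text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue                       # dig banner, timing and blank lines
        fields = line.split()
        if len(fields) < 4:
            continue                       # not a record line
        rrtype = fields[3].upper()
        if rrtype in drop_types:
            continue
        if rrtype == "SOA":
            if seen_soa:
                continue                   # the closing SOA of the transfer
            seen_soa = True
        kept.append(line)
    return "\n".join(kept) + "\n"


def record_types(zone_text: str) -> list:
    """TYPE column of every record line; handy for checking what survived."""
    return [line.split()[3] for line in zone_text.splitlines() if line.strip()]


# Constructed sample of what `dig @127.0.0.1 axfr mytld` prints for a zone that
# BIND had been signing.  Not real data from the guide's zone.
SAMPLE_AXFR = """\
; <<>> DiG 9.7.2 <<>> @127.0.0.1 +nodnssec axfr mytld
;; global options: +cmd
mytld.\t3600\tIN\tSOA\tns1.mytld. hostmaster.mytld. 2011021901 3600 900 604800 300
mytld.\t3600\tIN\tNS\tns1.mytld.
mytld.\t3600\tIN\tDNSKEY\t257 3 8 AwEAAcAB
mytld.\t3600\tIN\tRRSIG\tSOA 8 1 3600 20110321000000 20110219000000 12345 mytld. AQID
mytld.\t3600\tIN\tNSEC\tns1.mytld. NS SOA RRSIG NSEC DNSKEY
mytld.\t0\tIN\tTYPE65534\t\\# 5 0830390001
mytld.\t3600\tIN\tTXT\t"RRSIG and DNSKEY are just words in this TXT record"
ns1.mytld.\t3600\tIN\tA\t192.0.2.53
ns1.mytld.\t3600\tIN\tRRSIG\tA 8 2 3600 20110321000000 20110219000000 12345 mytld. BAUG
mytld.\t3600\tIN\tSOA\tns1.mytld. hostmaster.mytld. 2011021901 3600 900 604800 300
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; XFR size: 10 records (messages 1, bytes 512)
"""


if __name__ == "__main__":
    # Usage: dig @127.0.0.1 axfr mytld | python3 strip_dnssec.py > mytld
    sys.stdout.write(strip_dnssec(sys.stdin.read()))
```

    Run it in place of the egrep/sed pair and write the result into
    /usr/local/var/opendnssec/unsigned/mytld; on the constructed sample only
    the SOA, NS, TXT and A records come out the other side.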

5. Add the zone to OpenDNSSEC's database:

    # ods-ksmutil zone add --zone mytld

    zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
    SQLite database set to: /usr/local/var/opendnssec/kasp.db
    Imported zone: mytld

6. Have OpenDNSSEC reload BIND after each signing

    Modify /usr/local/etc/opendnssec/conf.xml

    Find the lines:

    <!--
                <NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
    -->

    ... remove the comments (the lines '<!--' and '-->').  The signer runs this
    command after every successful signing, substituting the zone name for
    %zone.  It only achieves something once named serves the signed file
    (step 9), and rndc must work from the signer's environment (same rndc.key
    you use by hand).

7. Start OpenDNSSEC!

    # ods-control start

    Starting enforcer...
    OpenDNSSEC ods-enforcerd started (version 1.2.0), pid 63495
    Starting signer engine...
    Starting signer...
    OpenDNSSEC signer engine version 1.2.0
    Engine running.

    # ps ax | grep ods

    41588  ??  SsJ    0:00.11 /usr/local/sbin/ods-enforcerd
    41593  ??  SsJ    0:00.07 /usr/local/sbin/ods-signerd -vvv

8. Sign the zone...

    # ods-signer sign mytld

    # ls -l /usr/local/var/opendnssec/signed

    -rw-r--r--  1 root  wheel  3944 Feb 19 09:10 mytld

    Signing is queued rather than done inline, so if the file is not there yet,
    wait a moment and list again.  The signer uses the KSK and ZSK that the
    enforcer generated in SoftHSM when it started; ods-ksmutil key list shows
    them together with their current states.

9. Tell BIND to load the new zone

    Modify /etc/namedb/named.conf, and change the zone definition for "mytld"
    so it looks like:

    zone "mytld" {
            file "/usr/local/var/opendnssec/signed/mytld";
            type master;
            allow-transfer { 127.0.0.1; ::1; key mydomain-key; };
    };

    Restart named:

    # /etc/rc.d/named restart

10. Export the DS, ready to upload:

    # ods-ksmutil key export --zone mytld --ds --keystate publish >/tmp/dsset-mytld.

    The trailing dot in the file name is deliberate (it mirrors BIND's
    dsset-<zone>. naming).  Look at the file before passing it on: the key tag
    and algorithm must agree with the KSK in the zone's DNSKEY RRset, because a
    DS that does not match the published key makes the zone bogus for every
    validating resolver as soon as the parent publishes it.
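
    A way to do that check offline, as an added example that is not part of
    the original guide or of OpenDNSSEC: the script recomputes the key tag
    (RFC 4034 Appendix B) and the DS digest (SHA-1 per RFC 4034, SHA-256 per
    RFC 4509) from a DNSKEY record and compares them with each DS line of the
    export.  The embedded DNSKEY/DS pair is the published RFC test vector,
    not a key from this zone, and the file names check_ds.py and dnskeys.txt
    in the usage comment are placeholders.

```python
import base64
import hashlib
import sys

# Digest types a DS record may carry: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag of DNSKEY RDATA, RFC 4034 Appendix B (every algorithm except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_rr(line: str, rrtype: str):
    """Split 'owner [TTL] [IN] TYPE rdata ...' and return (owner, rdata fields)."""
    fields = line.split()
    return fields[0], fields[fields.index(rrtype) + 1:]


def ds_from_dnskey(dnskey_line: str, digest_type: int):
    """(owner, key tag, algorithm, digest type, hex digest) that a DS for this key must carry."""
    owner, rd = parse_rr(dnskey_line, "DNSKEY")
    flags, proto, alg = int(rd[0]), int(rd[1]), int(rd[2])
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode("".join(rd[3:]))
    digest = DIGEST_ALGORITHMS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return owner.lower(), key_tag(rdata), alg, digest_type, digest


def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """True if ds_line was derived from dnskey_line (same owner, tag, algorithm and digest)."""
    owner, rd = parse_rr(ds_line, "DS")
    tag, alg, dtype = int(rd[0]), int(rd[1]), int(rd[2])
    if dtype not in DIGEST_ALGORITHMS:
        return False                       # unknown digest type: cannot vouch for it
    claimed = (owner.lower(), tag, alg, dtype, "".join(rd[3:]).upper())
    return claimed == ds_from_dnskey(dnskey_line, dtype)


def check_export(ds_text: str, dnskey_text: str) -> list:
    """For every DS line in an export (';' comments skipped), report whether some
    DNSKEY line in dnskey_text covers it.  Returns [(ds_line, matched), ...]."""
    def records(text, rrtype):
        return [l for l in text.splitlines()
                if l.strip() and not l.lstrip().startswith(";") and rrtype in l.split()]
    keys = records(dnskey_text, "DNSKEY")
    return [(ds, any(ds_matches(ds, k) for k in keys)) for ds in records(ds_text, "DS")]


# Published test vector (RFC 4034 Appendix B / RFC 4509 section 2.3), folded onto
# one line as dig and ods-ksmutil print records.  Not a key from this guide's zone.
RFC_DNSKEY = ("dskey.example.com. 86400 IN DNSKEY 256 3 5 "
              "AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZ"
              "DRD99WYwYqUSdjMmmAphXdvxegXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9Xzc"
              "nOf+EPbtG9DMBmADjFDc2w/rljwvFw==")
RFC_DS_SHA256 = ("dskey.example.com. 86400 IN DS 60485 5 2 "
                 "D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A")


if __name__ == "__main__":
    # Usage: python3 check_ds.py /tmp/dsset-mytld. dnskeys.txt
    # where dnskeys.txt holds the output of:  dig @127.0.0.1 mytld DNSKEY +norecurse
    with open(sys.argv[1]) as ds_file, open(sys.argv[2]) as key_file:
        for ds, ok in check_export(ds_file.read(), key_file.read()):
            print("OK  " if ok else "BAD ", ds)
```

    Feed it the exported dsset file and the DNSKEY RRset as served by named;
    every DS line should come back OK, and a BAD line means the export and
    the published key have diverged and must not be sent to the parent.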

11. Upload the DS to the server

    # scp /tmp/dsset-mytld. adm@rootserv.ws.nsrc.org:

12. Notify the administrator!

    Once the parent zone publishes the DS, let the enforcer know with
    ods-ksmutil key ds-seen (--zone mytld plus the --keytag from the exported
    DS record) so that it can move the KSK on to the active state; until it
    hears this, the KSK stays short of active.
