File opendnssec-howoto.txt, 4.6 KB (added by regnauld, 8 years ago)
Quick getting started guide for OpenDNSSEC

1. Initialize the Software "Hardware Security Module"

    # mkdir /usr/local/var/softhsm

    # softhsm --init-token --slot 0 --label OpenDNSSEC

    (use '1234' as the PIN for both the user and the SO/admin; this is a
    workshop value only, and it has to match the <PIN> of the SoftHSM
    repository in /usr/local/etc/opendnssec/conf.xml, which is what
    OpenDNSSEC uses to log in to the token):

    The SO PIN must have a length between 4 and 255 characters.
    Enter SO PIN: ****
    The user PIN must have a length between 4 and 255 characters.
    Enter user PIN: ****
    The token has been initialized.

    Check that the token is there:

        # softhsm --show-slots

2. Change the default Policy to use NSEC instead of NSEC3:

    Edit /usr/local/etc/opendnssec/kasp.xml

    Find this section, and remove all the lines from <NSEC3> ... </NSEC3>

    <NSEC3>
        <!-- <OptOut/> -->
        <Resalt>P100D</Resalt>
        <Hash>
            <Algorithm>1</Algorithm>
            <Iterations>5</Iterations>
            <Salt length="8"/>
        </Hash>
    </NSEC3>

    ... and replace them with this single line:

    <NSEC/>

    Save & exit.

    (NSEC is easier to read when inspecting the signed zone, which is why
    we use it here, but it lets anyone enumerate the whole zone by walking
    the NSEC chain.  NSEC3, with its hashed owner names, is the usual
    choice where that matters.)

3. Initialize the KSM

    # ods-ksmutil setup

    *WARNING* This will erase all data in the database; are you sure? [y/N] y
    SQLite database set to: /usr/local/var/opendnssec/kasp.db
    fixing permissions on file /usr/local/var/opendnssec/kasp.db
    zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
    kasp filename set to /usr/local/etc/opendnssec/kasp.xml.
    Repository SoftHSM found
    No Maximum Capacity set.
    RequireBackup NOT set; please make sure that you know the potential
        problems of using keys which are not recoverable
    /usr/local/etc/opendnssec/conf.xml validates
    /usr/local/etc/opendnssec/kasp.xml validates
    Policy default found
    Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted as 365 days

    Take the RequireBackup warning seriously outside the workshop: the
    private keys live in the SoftHSM token under /usr/local/var/softhsm and
    the key metadata in kasp.db, and neither can be recovered from the
    signed zone.  Back up both before you publish a DS for the zone.

4. Make a copy of your zone

        NOTE!

        We are going to preserve the original version of our zone, currently
        managed by BIND (using "auto-dnssec"), and make a copy to use with
        OpenDNSSEC.

        To start with, let's allow zone transfer of our zone to "localhost"
        (our own machine):

        Edit /etc/namedb/named.conf, and in the zone statement, change:

zone "mytld" {
        ...
        allow-transfer { 127.0.0.1; key ... };   // <-- we added "127.0.0.1;"
        ...
};

        Reload BIND's configuration:

        # rndc reconfig

        Since the zone was signed by BIND, and we didn't do it manually (we
        used "rndc sign" and not "dnssec-signzone"), the zone file was modified
        by BIND, and RRSIGs, NSEC, etc. records were added directly into the
        file.  As a result, we need to make a "clean" version of the zone
        to present it to OpenDNSSEC.  The way to do this is as follows:

    # cd /usr/local/var/opendnssec/unsigned/
    # dig @127.0.0.1 +nodnssec axfr mytld | egrep -v '(RRSIG|NSEC|DNSKEY|TYPE65534|^;|^$)' | sed -e '$d' >mytld

    The above command takes a copy of your zone and removes all the DNSSEC
    information added by BIND: the RRSIG, NSEC/NSEC3/NSEC3PARAM and DNSKEY
    records, plus the private TYPE65534 records BIND uses to keep track of
    signing state.  The "sed '$d'" drops the repeated SOA that closes an
    AXFR.  Note that egrep matches anywhere on the line, so a record whose
    name or data happens to contain one of those words (a TXT record, say)
    would be dropped too: compare the number of lines in the file with the
    record count dig reports, and look the file over before continuing.
    We are now starting from a "fresh" zone!

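A version of the same cleaning step that decides by the record type column instead of by substrings anywhere on the line. This is an added example, not part of the original howto; it assumes the usual "owner TTL class type rdata" layout of dig's AXFR output and feeds in a constructed transfer dump instead of a live one, so it runs without a name server:

```shell
#!/bin/sh
# Added example: strip the DNSSEC records BIND added to a zone, matching on the
# RR type column of "dig axfr" output rather than on substrings anywhere on the
# line. Real use:  dig @127.0.0.1 axfr mytld | strip_dnssec > mytld

strip_dnssec() {
    awk '
        /^;/ || /^$/                                              { next }  # dig comments, blank lines
        $4 ~ /^(RRSIG|NSEC|NSEC3|NSEC3PARAM|DNSKEY|TYPE65534)$/   { next }  # signer-generated records
        $4 == "SOA" && seen_soa++                                 { next }  # AXFR repeats the SOA at the end
                                                                  { print }
    '
}

# Constructed sample of what dig prints for a BIND-signed zone (field spacing
# simplified; real dig output is tab-separated, which awk splits the same way).
# The TXT record deliberately contains the word NSEC3 in its data: the
# egrep-based one-liner would throw that record away, this filter keeps it.
SAMPLE_AXFR='; <<>> DiG 9.8.1 <<>> @127.0.0.1 axfr mytld
;; global options: +cmd
mytld. 3600 IN SOA ns.mytld. hostmaster.mytld. 2011021901 7200 3600 1209600 3600
mytld. 3600 IN RRSIG SOA 5 1 3600 20110321091000 20110219091000 12345 mytld. AbCd==
mytld. 3600 IN NS ns.mytld.
mytld. 3600 IN DNSKEY 257 3 5 AwEAAb==
mytld. 3600 IN NSEC ns.mytld. NS SOA RRSIG NSEC DNSKEY TXT
mytld. 3600 IN TXT "NSEC3 disabled for the workshop"
mytld. 3600 IN TYPE65534 \# 5 0530390001
ns.mytld. 3600 IN A 10.10.0.1
ns.mytld. 3600 IN RRSIG A 5 2 3600 20110321091000 20110219091000 12345 mytld. EfGh==
ns.mytld. 3600 IN NSEC mytld. A RRSIG NSEC
mytld. 3600 IN SOA ns.mytld. hostmaster.mytld. 2011021901 7200 3600 1209600 3600
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; XFR size: 11 records (messages 1, bytes 700)'

# Returns the cleaned zone for the constructed sample; prints it when run directly.
clean_sample() {
    printf '%s\n' "$SAMPLE_AXFR" | strip_dnssec
}

clean_sample
```

Keeping only the first SOA, rather than deleting the last line, means the filter does not depend on dig's trailing comment lines being present, and it still leaves you with a file you should read through once before handing it to the signer.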
5. Add the zone to OpenDNSSEC's database:

    # ods-ksmutil zone add --zone mytld

    zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
    SQLite database set to: /usr/local/var/opendnssec/kasp.db
    Imported zone: mytld

    With no other options the zone goes on the "default" policy we edited in
    step 2, is read from /usr/local/var/opendnssec/unsigned/mytld (the file
    we just made) and is written to /usr/local/var/opendnssec/signed/mytld.

6. Have OpenDNSSEC reload BIND

    Modify /usr/local/etc/opendnssec/conf.xml

    Find the lines:

<!--
                <NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
-->

    ... remove the comments (the lines '<!--' and '-->')

    The signer runs this command every time it writes a new signed zone, so
    named picks up the change without anyone typing rndc.  Check that the
    path is right for your system and that rndc can authenticate to named
    from the account the signer runs as; otherwise the signed file keeps
    being updated while the zone named serves goes stale.

7. Start OpenDNSSEC!

    # ods-control start

    Starting enforcer...
    OpenDNSSEC ods-enforcerd started (version 1.2.0), pid 63495
    Starting signer engine...
    Starting signer...
    OpenDNSSEC signer engine version 1.2.0
    Engine running.

    # ps ax | grep ods

    41588  ??  SsJ    0:00.11 /usr/local/sbin/ods-enforcerd
    41593  ??  SsJ    0:00.07 /usr/local/sbin/ods-signerd -vvv

8. Check that the zone is signed

    # ls -l /usr/local/var/opendnssec/signed

    -rw-r--r--  1 root  wheel  3944 Feb 19 09:10 mytld

    The signed file should be noticeably larger than the unsigned one and
    contain DNSKEY, RRSIG and NSEC records (and no NSEC3PARAM, since the
    policy now says NSEC).

    If for some reason you don't see a file in this
    directory (/usr/local/var/opendnssec/signed/), then
    force the signer to sign:

    # ods-signer sign mytld

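A check for what step 8 says to look for, as an added example that is not from the original howto or from OpenDNSSEC itself. It assumes the signed file has one record per line with the type in the fourth column (the layout the signer writes) and uses constructed signed and unsigned zones in place of the real file:

```shell
#!/bin/sh
# Added example: sanity-check a signed zone file by counting the record types a
# correctly signed NSEC zone must contain and flagging the ones it must not.
# Assumes one record per line with the RR type in the fourth column.
# Real use:  check_signed_zone < /usr/local/var/opendnssec/signed/mytld

check_signed_zone() {
    awk '
        /^;/ || /^\$/ || /^$/          { next }               # comments, $TTL/$ORIGIN, blank lines
                                       { recs++; n[$4]++ }
        $4 == "RRSIG"  && $5 == "SOA"  { soa_signed = 1 }
        $4 == "DNSKEY" && $5 == 257    { ksk++ }              # flags 257: KSK (SEP bit set)
        $4 == "DNSKEY" && $5 == 256    { zsk++ }              # flags 256: ZSK
        END {
            ok = 1
            if (!n["SOA"])       { print "no SOA record";                               ok = 0 }
            if (!ksk || !zsk)    { print "need both a KSK (257) and a ZSK (256) DNSKEY"; ok = 0 }
            if (!soa_signed)     { print "SOA has no RRSIG";                            ok = 0 }
            if (!n["NSEC"])      { print "no NSEC chain";                               ok = 0 }
            if (n["NSEC3PARAM"]) { print "NSEC3PARAM present, but the policy says NSEC"; ok = 0 }
            printf "%d records: %d DNSKEY, %d RRSIG, %d NSEC\n", recs, n["DNSKEY"]+0, n["RRSIG"]+0, n["NSEC"]+0
            exit (ok ? 0 : 1)
        }
    '
}

# Constructed sample of a signed zone (key and signature data are placeholders).
SIGNED_ZONE='mytld. 3600 IN SOA ns.mytld. hostmaster.mytld. 2011021901 7200 3600 1209600 3600
mytld. 3600 IN RRSIG SOA 8 1 3600 20110321091000 20110219091000 11111 mytld. c2ln==
mytld. 3600 IN NS ns.mytld.
mytld. 3600 IN RRSIG NS 8 1 3600 20110321091000 20110219091000 11111 mytld. c2ln==
mytld. 3600 IN DNSKEY 257 3 8 a2Vy==
mytld. 3600 IN DNSKEY 256 3 8 enNr==
mytld. 3600 IN RRSIG DNSKEY 8 1 3600 20110321091000 20110219091000 22222 mytld. c2ln==
mytld. 3600 IN NSEC ns.mytld. NS SOA RRSIG NSEC DNSKEY
mytld. 3600 IN RRSIG NSEC 8 1 3600 20110321091000 20110219091000 11111 mytld. c2ln==
ns.mytld. 3600 IN A 10.10.0.1
ns.mytld. 3600 IN RRSIG A 8 2 3600 20110321091000 20110219091000 11111 mytld. c2ln==
ns.mytld. 3600 IN NSEC mytld. A RRSIG NSEC
ns.mytld. 3600 IN RRSIG NSEC 8 2 3600 20110321091000 20110219091000 11111 mytld. c2ln=='

# The same zone before signing: what the check must reject.
UNSIGNED_ZONE='mytld. 3600 IN SOA ns.mytld. hostmaster.mytld. 2011021901 7200 3600 1209600 3600
mytld. 3600 IN NS ns.mytld.
ns.mytld. 3600 IN A 10.10.0.1'

# Exit status 0 when the sample passes, 1 when it does not.
check_signed_sample()   { printf '%s\n' "$SIGNED_ZONE"   | check_signed_zone; }
check_unsigned_sample() { printf '%s\n' "$UNSIGNED_ZONE" | check_signed_zone; }

check_signed_sample
check_unsigned_sample || echo "unsigned zone rejected, as expected"
```

A non-zero exit together with the printed reasons tells you why the file is not what the policy promised; the record counts are also a quick way to spot a signer that silently wrote an empty or truncated zone.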
9. Tell BIND to load the new zone

    Modify /etc/namedb/named.conf, and change the zone definition for "mytld"
    so it looks like:

zone "mytld" {
        file "/usr/local/var/opendnssec/signed/mytld";
        type master;
        allow-transfer { 127.0.0.1; ::1; key mydomain-key; };
};

    Note what is gone: the "auto-dnssec" setting and anything else that let
    BIND modify or sign the zone.  From now on BIND only serves the file that
    OpenDNSSEC writes, and the NotifyCommand from step 6 reloads it.

    Restart named:

    # /etc/rc.d/named restart

10. Export the DS, ready to upload:

    # ods-ksmutil key export --zone mytld --ds --keystate publish >/tmp/dsset-mytld.

    Look at the file before sending it: it should hold DS records for the
    KSK and nothing else.  The KSK is still in the "publish" state here;
    that is a workshop shortcut so the parent can be updated straight away.
    OpenDNSSEC does not watch the parent for the DS itself: once the DS is
    visible there, tell the enforcer with the "key ds-seen" subcommand of
    ods-ksmutil (giving the zone and the key tag), or the KSK will sit
    waiting and never become active.

11. Upload the DS to the server

    # scp /tmp/dsset-mytld. adm@rootserv.ws.nsrc.org:

12. Notify the administrator!
