Quick getting started guide for OpenDNSSEC

1. Initialize the Software "Hardware Security Module"

    # mkdir /usr/local/var/softhsm
    # softhsm --init-token --slot 0 --label OpenDNSSEC

(use '1234' as the PIN for both the user and the SO/admin):

    The SO PIN must have a length between 4 and 255 characters.
    Enter SO PIN: ****
    The user PIN must have a length between 4 and 255 characters.
    Enter user PIN: ****
    The token has been initialized.

    # softhsm --show-slots

2. Change the default Policy to use NSEC instead of NSEC3

Edit /usr/local/etc/opendnssec/kasp.xml. Find the NSEC3 section of the default policy, remove all the lines from ... to ... (the block containing the values P100D, 1 and 5), and replace them with this single line:

Save & exit.

3. Initialize the KSM

    # ods-ksmutil setup
    *WARNING* This will erase all data in the database; are you sure? [y/N] y
    SQLite database set to: /usr/local/var/opendnssec/kasp.db
    fixing permissions on file /usr/local/var/opendnssec/kasp.db
    zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
    kasp filename set to /usr/local/etc/opendnssec/kasp.xml.
    Repository SoftHSM found
    No Maximum Capacity set.
    RequireBackup NOT set; please make sure that you know the potential problems of using keys which are not recoverable
    /usr/local/etc/opendnssec/conf.xml validates
    /usr/local/etc/opendnssec/kasp.xml validates
    Policy default found
    Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted as 365 days

4. Make a copy of your zone

NOTE! We are going to preserve the original version of our zone, currently managed by BIND (using "auto-dnssec"), and make a copy to use with OpenDNSSEC.

To start with, allow zone transfer of our zone to "localhost" (our own machine). Edit /etc/namedb/named.conf, and in the zone statement change:

    zone "mytld" {
        ...
        allow-transfer { 127.0.0.1; key ... };   // <-- we added "127.0.0.1;"
        ...
    };

Reload BIND:

    # rndc reconfig

Since the zone was signed by BIND and we did not sign it manually (we used "rndc sign", not "dnssec-signzone"), BIND modified the zone file and wrote the RRSIG, NSEC and other DNSSEC records directly into it. As a result, we need to make a "clean" version of the zone to present to OpenDNSSEC. The way to do this is as follows:

    # cd /usr/local/var/opendnssec/unsigned/
    # dig @127.0.0.1 +nodnssec axfr mytld | egrep -v '(RRSIG|NSEC|NSEC3|DNSKEY|RRSIG|TYPE6|^;|^$)' | sed -e '$d' >mytld

The above command transfers a copy of your zone and removes all the DNSSEC records added by BIND; the egrep also drops dig's ";"-prefixed comment lines and blank lines, and the final sed removes the repeated SOA record that closes an AXFR. We are now starting from a "fresh" zone!

5. Add the zone to OpenDNSSEC's database

    # ods-ksmutil zone add --zone mytld
    zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
    SQLite database set to: /usr/local/var/opendnssec/kasp.db
    Imported zone: mytld

6. Make OpenDNSSEC reload BIND

Modify /usr/local/etc/opendnssec/conf.xml. Find the lines:

    ...

and uncomment them by removing the surrounding comment markers (the lines <!-- and -->).

7. Start OpenDNSSEC!

    # ods-control start
    Starting enforcer...
    OpenDNSSEC ods-enforcerd started (version 1.2.0), pid 63495
    Starting signer engine...
    Starting signer...
    OpenDNSSEC signer engine version 1.2.0
    Engine running.

    # ps ax | grep ods
    41588  ??  SsJ    0:00.11 /usr/local/sbin/ods-enforcerd
    41593  ??  SsJ    0:00.07 /usr/local/sbin/ods-signerd -vvv

8. Check that the zone is signed

    # ls -l /usr/local/var/opendnssec/signed
    -rw-r--r--  1 root  wheel  3944 Feb 19 09:10 mytld

If for some reason you don't see a file in this directory (/usr/local/var/opendnssec/signed/), force the signer to sign:

    # ods-signer sign mytld

9. Tell BIND to load the new zone

Modify /etc/namedb/named.conf, and change the zone definition for "mytld" so it looks like:

    zone "mytld" {
        file "/usr/local/var/opendnssec/signed/mytld";
        type master;
        allow-transfer { 127.0.0.1; ::1; key mydomain-key; };
    };

Restart named:

    # /etc/rc.d/named restart

10. Export the DS, ready to upload

    # ods-ksmutil key export --zone mytld --ds --keystate publish >/tmp/dsset-mytld.

11. Upload the DS to the server

    # scp /tmp/dsset-mytld. adm@rootserv.ws.nsrc.org:

12. Notify the administrator!
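The procedure above hands a signed file from OpenDNSSEC to BIND in step 9 on the strength of an `ls -l` in step 8. The following shell script is an added example, not part of the original guide or of OpenDNSSEC: it checks that a signed zone file actually carries what the chosen NSEC policy should produce (DNSKEY records, RRSIGs over the SOA and DNSKEY sets, an NSEC chain and no NSEC3) and also re-implements the step 4 clean-up on a file rather than a dig stream. The zone text it runs against is constructed inline with placeholder key and signature fields, so it works offline; the file path, host names and record values are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity checks to run after
# step 8 (zone signed) and before step 9 (BIND loads the signed file).
# It works on a constructed zone-file text embedded below, so it runs without
# dig, BIND or OpenDNSSEC; point check_signed_zone at the real file in use.

# Constructed sample of what /usr/local/var/opendnssec/signed/mytld could look
# like under the NSEC policy chosen in step 2: SOA, NS, A, two DNSKEYs, an
# NSEC chain and RRSIGs. Key and signature fields are placeholders, not real
# cryptographic material.
SAMPLE_SIGNED_ZONE='mytld. 3600 IN SOA ns1.mytld. hostmaster.mytld. 2012021901 3600 900 1209600 3600
mytld. 3600 IN RRSIG SOA 8 1 3600 20120301000000 20120219000000 12345 mytld. PLACEHOLDERSIG==
mytld. 3600 IN NS ns1.mytld.
mytld. 3600 IN RRSIG NS 8 1 3600 20120301000000 20120219000000 12345 mytld. PLACEHOLDERSIG==
mytld. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKSK==
mytld. 3600 IN DNSKEY 256 3 8 PLACEHOLDERZSK==
mytld. 3600 IN RRSIG DNSKEY 8 1 3600 20120301000000 20120219000000 54321 mytld. PLACEHOLDERSIG==
mytld. 3600 IN NSEC ns1.mytld. NS SOA RRSIG NSEC DNSKEY
mytld. 3600 IN RRSIG NSEC 8 1 3600 20120301000000 20120219000000 12345 mytld. PLACEHOLDERSIG==
ns1.mytld. 3600 IN A 192.0.2.1
ns1.mytld. 3600 IN RRSIG A 8 1 3600 20120301000000 20120219000000 12345 mytld. PLACEHOLDERSIG==
ns1.mytld. 3600 IN NSEC mytld. A RRSIG NSEC'

# count_rrtype FILE TYPE: how many records of TYPE the zone text holds
# (field 4 is the type in dig/OpenDNSSEC output: name ttl class type rdata)
count_rrtype() {
    awk -v t="$2" '$4 == t { n++ } END { print n + 0 }' "$1"
}

# has_rrsig_over FILE TYPE: true if some RRSIG covers records of TYPE
# (the first rdata field of an RRSIG is the type it covers)
has_rrsig_over() {
    awk -v t="$2" '$4 == "RRSIG" && $5 == t { f = 1 } END { exit !f }' "$1"
}

# check_signed_zone FILE: 0 if the file looks like OpenDNSSEC output for an
# NSEC policy, 1 (with the reason on stderr) otherwise
check_signed_zone() {
    zone="$1"
    [ -s "$zone" ] || { echo "$zone: missing or empty; try: ods-signer sign mytld" >&2; return 1; }
    [ "$(count_rrtype "$zone" DNSKEY)" -ge 1 ] || { echo "$zone: no DNSKEY" >&2; return 1; }
    has_rrsig_over "$zone" SOA    || { echo "$zone: SOA is not signed" >&2; return 1; }
    has_rrsig_over "$zone" DNSKEY || { echo "$zone: DNSKEY set is not signed" >&2; return 1; }
    [ "$(count_rrtype "$zone" NSEC)" -ge 1 ] || { echo "$zone: no NSEC chain" >&2; return 1; }
    if [ "$(count_rrtype "$zone" NSEC3)" -ne 0 ] || [ "$(count_rrtype "$zone" NSEC3PARAM)" -ne 0 ]; then
        echo "$zone: NSEC3 records present, but the policy was changed to NSEC" >&2
        return 1
    fi
    return 0
}

# strip_dnssec IN OUT: the step 4 clean-up applied to a zone file instead of
# a dig AXFR stream. Unlike the guide's egrep, it tests the type column only,
# so a host whose name happens to contain "nsec" or "rrsig" is kept.
strip_dnssec() {
    awk 'NF == 0 || $1 ~ /^;/ { next }
         $4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" || $4 == "NSEC3PARAM" || $4 == "DNSKEY" { next }
         { print }' "$1" > "$2"
}

# Stand-alone run against the constructed sample
main() {
    signed=$(mktemp) && printf '%s\n' "$SAMPLE_SIGNED_ZONE" > "$signed"
    clean=$(mktemp)
    if check_signed_zone "$signed"; then echo "sample: signed zone looks good"; fi
    strip_dnssec "$signed" "$clean"
    echo "sample: $(count_rrtype "$signed" RRSIG) RRSIGs before clean-up, $(count_rrtype "$clean" RRSIG) after"
    rm -f "$signed" "$clean"
}
main
```

To use it on a real installation, source the script and run `check_signed_zone /usr/local/var/opendnssec/signed/mytld` before editing named.conf in step 9; a non-zero exit with "NSEC3 records present" means the kasp.xml change from step 2 did not take effect, and "missing or empty" is the case the guide covers with `ods-signer sign mytld`.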