| 1 | Quick getting started guide for OpenDNSSEC |
|---|
| 2 | |
|---|
| 3 | 1. Initialize the Software "Hardware Security Module" |
|---|
| 4 | |
|---|
| 5 | # mkdir /usr/local/var/softhsm |
|---|
| 6 | |
|---|
| 7 | # softhsm --init-token --slot 0 --label OpenDNSSEC |
|---|
| 8 | |
|---|
| 9 | (use '1234' for both questions below): |
|---|
| 10 | |
|---|
| 11 | The SO PIN must have a length between 4 and 255 characters. |
|---|
| 12 | Enter SO PIN: **** |
|---|
| 13 | The user PIN must have a length between 4 and 255 characters. |
|---|
| 14 | Enter user PIN: **** |
|---|
| 15 | The token has been initialized. |
|---|
| 16 | |
|---|
| 17 | # softhsm --show-slots |
|---|
| 18 | |
|---|
| 19 | Create configuration files for OpenDNSSEC by making a copy |
|---|
| 20 | of the samples distributed with the package: |
|---|
| 21 | |
|---|
| 22 | # cd /usr/local/etc/opendnssec |
|---|
| 23 | # cp kasp.xml.sample kasp.xml |
|---|
| 24 | # cp conf.xml.sample conf.xml |
|---|
| 25 | # cp zonefetch.xml.sample zonefetch.xml |
|---|
| 26 | # cp zonelist.xml.sample zonelist.xml |
|---|
| 27 | # chmod 644 *xml |
|---|
| 28 | |
|---|
| 29 | 2. Change the default Policy to use NSEC instead of NSEC3: |
|---|
| 30 | |
|---|
| 31 | Edit /usr/local/etc/opendnssec/kasp.xml |
|---|
| 32 | |
|---|
| 33 | Find this section, and remove all the lines from <NSEC3> ... </NSEC3> |
|---|
| 34 | |
|---|
| 35 | <NSEC3> |
|---|
| 36 | <!-- <OptOut/> --> |
|---|
| 37 | <Resalt>P100D</Resalt> |
|---|
| 38 | <Hash> |
|---|
| 39 | <Algorithm>1</Algorithm> |
|---|
| 40 | <Iterations>5</Iterations> |
|---|
| 41 | <Salt length="8"/> |
|---|
| 42 | </Hash> |
|---|
| 43 | </NSEC3> |
|---|
| 44 | |
|---|
| 45 | ... and replace them with this single line: |
|---|
| 46 | |
|---|
| 47 | <NSEC/> |
|---|
| 48 | |
|---|
| 49 | Save & exit. |
|---|
| 50 | |
|---|
| 51 | 3. Initialize the KSM |
|---|
| 52 | |
|---|
| 53 | # ods-ksmutil setup |
|---|
| 54 | |
|---|
| 55 | *WARNING* This will erase all data in the database; are you sure? [y/N] y |
|---|
| 56 | SQLite database set to: /usr/local/var/opendnssec/kasp.db |
|---|
| 57 | fixing permissions on file /usr/local/var/opendnssec/kasp.db |
|---|
| 58 | zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml. |
|---|
| 59 | kasp filename set to /usr/local/etc/opendnssec/kasp.xml. |
|---|
| 60 | Repository SoftHSM found |
|---|
| 61 | No Maximum Capacity set. |
|---|
| 62 | RequireBackup NOT set; please make sure that you know the potential |
|---|
| 63 | problems of using keys which are not recoverable |
|---|
| 64 | /usr/local/etc/opendnssec/conf.xml validates |
|---|
| 65 | /usr/local/etc/opendnssec/kasp.xml validates |
|---|
| 66 | Policy default found |
|---|
| 67 | Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted as 365 days |
|---|
| 68 | |
|---|
| 69 | 4. Install a copy of the unsigned zone for OpenDNSSEC to sign |
|---|
| 70 | |
|---|
| 71 | Earlier, we made a backup copy of our zone, before it was signed |
|---|
| 72 | by BIND9. We are going to use that backup copy now and make it |
|---|
| 73 | available to OpenDNSSEC. |
|---|
| 74 | |
|---|
| 75 | # cd /etc/namedb/master |
|---|
| 76 | # cp MYTLD.unsigned /usr/local/var/opendnssec/unsigned/MYTLD |
|---|
| 77 | |
|---|
| 78 | 5. Add the zone to OpenDNSSEC's database: |
|---|
| 79 | |
|---|
| 80 | # ods-ksmutil zone add --zone mytld |
|---|
| 81 | |
|---|
| 82 | zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml. |
|---|
| 83 | SQLite database set to: /usr/local/var/opendnssec/kasp.db |
|---|
| 84 | Imported zone: mytld |
|---|
| 85 | |
|---|
| 86 | 6. OpenDNSSEC reload BIND |
|---|
| 87 | |
|---|
| 88 | Modify /usr/local/etc/opendnssec/conf.xml |
|---|
| 89 | |
|---|
| 90 | Find the lines: |
|---|
| 91 | |
|---|
| 92 | <!-- |
|---|
| 93 | <NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand> |
|---|
| 94 | --> |
|---|
| 95 | |
|---|
| 96 | ... remove the comments (the lines '<!--' and '-->') |
|---|
| 97 | |
|---|
| 98 | 7. Start OpenDNSSEC! |
|---|
| 99 | |
|---|
| 100 | # ods-control start |
|---|
| 101 | |
|---|
| 102 | Starting enforcer... |
|---|
| 103 | OpenDNSSEC ods-enforcerd started (version 1.2.0), pid 63495 |
|---|
| 104 | Starting signer engine... |
|---|
| 105 | Starting signer... |
|---|
| 106 | OpenDNSSEC signer engine version 1.2.0 |
|---|
| 107 | Engine running. |
|---|
| 108 | |
|---|
| 109 | # ps ax | grep ods |
|---|
| 110 | |
|---|
| 111 | 41588 ?? SsJ 0:00.11 /usr/local/sbin/ods-enforcerd |
|---|
| 112 | 41593 ?? SsJ 0:00.07 /usr/local/sbin/ods-signerd -vvv |
|---|
| 113 | |
|---|
| 114 | 8. Check that the zone is signed |
|---|
| 115 | |
|---|
| 116 | # ls -l /usr/local/var/opendnssec/signed |
|---|
| 117 | |
|---|
| 118 | -rw-r--r-- 1 root wheel 3944 Feb 19 09:10 mytld |
|---|
| 119 | |
|---|
| 120 | If for some reason, you don't see a file in this |
|---|
| 121 | directory (/usr/local/var/opendnssec/signed/), then |
|---|
| 122 | force the signer to sign: |
|---|
| 123 | |
|---|
| 124 | # ods-signer sign mytld |
|---|
| 125 | |
|---|
| 126 | 9. Tell BIND to load the new zone |
|---|
| 127 | |
|---|
| 128 | Modify /etc/namedb/named.conf, and change the zone definition for "mytld" |
|---|
| 129 | so it looks like this (REMOVE auto-dnssec, etc...) |
|---|
| 130 | |
|---|
| 131 | zone "mytld" { |
|---|
| 132 | file "/usr/local/var/opendnssec/signed/mytld"; |
|---|
| 133 | type master; |
|---|
| 134 | allow-transfer { any; }; |
|---|
| 135 | }; |
|---|
| 136 | |
|---|
| 137 | Restart named: |
|---|
| 138 | |
|---|
| 139 | # /etc/rc.d/named restart |
|---|
| 140 | |
|---|
| 141 | 10. Export the DS, ready to upload: |
|---|
| 142 | |
|---|
| 143 | # ods-ksmutil key export --zone mytld --ds --keystate publish >/tmp/dsset-mytld. |
|---|
| 144 | |
|---|
| 145 | 11. Upload the DS to the server |
|---|
| 146 | |
|---|
| 147 | # scp /tmp/dsset-mytld. adm@rootserv.ws.nsrc.org: |
|---|
| 148 | |
|---|
| 149 | 12. Notify the administrator! |
|---|
| 150 | |
|---|
| 151 | |
|---|
