Quick getting started guide for OpenDNSSEC
1. Initialize the Software "Hardware Security Module"
# mkdir /usr/local/var/softhsm
# softhsm --init-token --slot 0 --label OpenDNSSEC
(use '1234' for both questions below):
The SO PIN must have a length between 4 and 255 characters.
Enter SO PIN: ****
The user PIN must have a length between 4 and 255 characters.
Enter user PIN: ****
The token has been initialized.
# softhsm --show-slots
Create configuration files for OpenDNSSEC by making a copy
of the samples distributed with the package:
# cd /usr/local/etc/opendnssec
# cp kasp.xml.sample kasp.xml
# cp conf.xml.sample conf.xml
# cp zonefetch.xml.sample zonefetch.xml
# cp zonelist.xml.sample zonelist.xml
# chmod 644 *xml
2. Change the default Policy to use NSEC instead of NSEC3:
Edit /usr/local/etc/opendnssec/kasp.xml
Find this section, and remove all the lines from ...
P100D
1
5
... and replace them with this single line:
Save & exit.
3. Initialize the KSM
# ods-ksmutil setup
*WARNING* This will erase all data in the database; are you sure? [y/N] y
SQLite database set to: /usr/local/var/opendnssec/kasp.db
fixing permissions on file /usr/local/var/opendnssec/kasp.db
zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
kasp filename set to /usr/local/etc/opendnssec/kasp.xml.
Repository SoftHSM found
No Maximum Capacity set.
RequireBackup NOT set; please make sure that you know the potential
problems of using keys which are not recoverable
/usr/local/etc/opendnssec/conf.xml validates
/usr/local/etc/opendnssec/kasp.xml validates
Policy default found
Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted as 365 days
4. Install a copy of the unsigned zone for OpenDNSSEC to sign
Earlier, we made a backup copy of our zone, before it was signed
by BIND9. We are going to use that backup copy now and make it
available to OpenDNSSEC.
# cd /etc/namedb/master
# cp MYTLD.unsigned /usr/local/var/opendnssec/unsigned/MYTLD
5. Add the zone to OpenDNSSEC's database:
# ods-ksmutil zone add --zone mytld
zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
SQLite database set to: /usr/local/var/opendnssec/kasp.db
Imported zone: mytld
6. OpenDNSSEC reload BIND
Modify /usr/local/etc/opendnssec/conf.xml
Find the lines:
... remove the comments (the lines '')
7. Start OpenDNSSEC!
# ods-control start
Starting enforcer...
OpenDNSSEC ods-enforcerd started (version 1.2.0), pid 63495
Starting signer engine...
Starting signer...
OpenDNSSEC signer engine version 1.2.0
Engine running.
# ps ax | grep ods
41588 ?? SsJ 0:00.11 /usr/local/sbin/ods-enforcerd
41593 ?? SsJ 0:00.07 /usr/local/sbin/ods-signerd -vvv
8. Check that the zone is signed
# ls -l /usr/local/var/opendnssec/signed
-rw-r--r-- 1 root wheel 3944 Feb 19 09:10 mytld
If for some reason, you don't see a file in this
directory (/usr/local/var/opendnssec/signed/), then
force the signer to sign:
# ods-signer sign mytld
9. Tell BIND to load the new zone
Modify /etc/namedb/named.conf, and change the zone definition for "mytld"
so it looks like this (REMOVE auto-dnssec, etc...)
zone "mytld" {
file "/usr/local/var/opendnssec/signed/mytld";
type master;
allow-transfer { any; };
};
Restart named:
# /etc/rc.d/named restart
10. Export the DS, ready to upload:
# ods-ksmutil key export --zone mytld --ds --keystate publish >/tmp/dsset-mytld.
11. Upload the DS to the server
# scp /tmp/dsset-mytld. adm@rootserv.ws.nsrc.org:
12. Notify the administrator!