Agenda: opendnssec-lab1.txt

File opendnssec-lab1.txt, 7.2 KB (added by admin, 6 years ago)
Zone signing with OpenDNSSEC - part 1

1. Initialize the Software "Hardware Security Module"

    Start by becoming root for this session (or use sudo when required)

    $ sudo -s
    #

    # mkdir -p /usr/local/var/lib/softhsm

    # softhsm --init-token --slot 0 --label OpenDNSSEC

    (use '1234' for both questions below):

    The SO PIN must have a length between 4 and 255 characters.
    Enter SO PIN: ****
    The user PIN must have a length between 4 and 255 characters.
    Enter user PIN: ****
    The token has been initialized.

    # softhsm --show-slots

    The user PIN is what OpenDNSSEC presents when it opens the token, so it
    has to match the <PIN> element of the SoftHSM repository in conf.xml;
    the sample conf.xml uses 1234, which is why that value is chosen here.

    Create configuration files for OpenDNSSEC by making a copy
    of the samples distributed with the package:

      # cd /usr/local/etc/opendnssec
      # cp kasp.xml.sample kasp.xml
      # cp conf.xml.sample conf.xml
      # cp zonefetch.xml.sample zonefetch.xml
      # cp zonelist.xml.sample zonelist.xml
      # chmod 644 *xml

    (conf.xml holds the token PIN, so leaving it world-readable is a lab
    convenience; on a real signer restrict it to the account OpenDNSSEC
    runs as.)
2. Change the default Policy to use NSEC instead of NSEC3:

    Edit /usr/local/etc/opendnssec/kasp.xml

    Find this section (it sits inside <Denial> of the policy named
    "default"), and remove all the lines from <NSEC3> ... </NSEC3>

    <NSEC3>
        <!-- <OptOut/> -->
        <Resalt>P100D</Resalt>
        <Hash>
            <Algorithm>1</Algorithm>
            <Iterations>5</Iterations>
            <Salt length="8"/>
        </Hash>
    </NSEC3>

    ... and replace them with this single line:

    <NSEC/>

    Save & exit.

    NSEC makes the signed zone easier to read in this lab. The trade-off is
    that an NSEC chain lets anyone enumerate every name in the zone by
    following the "next owner" pointers (zone walking), which is why the
    sample policy defaults to hashed NSEC3.

    Also, set the correct path for libsofthsm.so in the conf.xml (the
    <Module> element of the "SoftHSM" repository):

    Change

    <Module>/usr/local/lib/libsofthsm.so</Module>

    to

    <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>

    Then save & exit the file.
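The two edits above are done by hand in the lab. The Python script below, added here as an example (it is not part of the lab or of OpenDNSSEC), makes the same two changes programmatically and verifies them: it swaps the NSEC3 block of a named policy for `<NSEC/>` and repoints the `<Module>` path of a repository in conf.xml. The element layout follows the kasp.xml / conf.xml structure shown on this page; the two XML strings are constructed, trimmed-down samples rather than the full shipped files, and the function names are this example's own.

```python
"""Switch an OpenDNSSEC policy from NSEC3 to NSEC and repoint conf.xml at the
SoftHSM module, then verify the result.

Added example (not OpenDNSSEC's own code). The XML below mirrors the
<KASP>/<Policy>/<Denial> and <Configuration>/<RepositoryList>/<Repository>
layout of the sample files, but is a constructed, trimmed-down stand-in.
"""
import xml.etree.ElementTree as ET

XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'

# Constructed sample: the <Denial> block from the lab inside the minimal
# surrounding structure; the other policy sections are omitted.
KASP_SAMPLE = XML_DECL + """<KASP>
  <Policy name="default">
    <Description>Lab policy</Description>
    <Denial>
      <NSEC3>
        <!-- <OptOut/> -->
        <Resalt>P100D</Resalt>
        <Hash>
          <Algorithm>1</Algorithm>
          <Iterations>5</Iterations>
          <Salt length="8"/>
        </Hash>
      </NSEC3>
    </Denial>
  </Policy>
</KASP>
"""

# Constructed sample: the SoftHSM repository entry from conf.xml.
CONF_SAMPLE = XML_DECL + """<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/usr/local/lib/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
    </Repository>
  </RepositoryList>
</Configuration>
"""


def _serialize(root: ET.Element) -> str:
    """Re-indent and serialize, restoring the XML declaration ElementTree drops."""
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(root, space="  ")
    return XML_DECL + ET.tostring(root, encoding="unicode") + "\n"


def denial_type(kasp_xml: str, policy: str = "default") -> str:
    """Return 'NSEC' or 'NSEC3' for the named policy; raise if absent or ambiguous."""
    root = ET.fromstring(kasp_xml)
    denial = root.find(f"./Policy[@name='{policy}']/Denial")
    if denial is None:
        raise ValueError(f"policy {policy!r} has no <Denial> element")
    kinds = [child.tag for child in denial if child.tag in ("NSEC", "NSEC3")]
    if len(kinds) != 1:
        raise ValueError(f"expected exactly one of NSEC/NSEC3, found {kinds}")
    return kinds[0]


def switch_policy_to_nsec(kasp_xml: str, policy: str = "default") -> str:
    """Drop the <NSEC3>...</NSEC3> block of the policy and put <NSEC/> in its place.

    ElementTree discards XML comments, so the '<!-- <OptOut/> -->' hint does
    not survive; nothing else in the document is changed.
    """
    root = ET.fromstring(kasp_xml)
    denial = root.find(f"./Policy[@name='{policy}']/Denial")
    if denial is None:
        raise ValueError(f"policy {policy!r} has no <Denial> element")
    for child in list(denial):
        if child.tag == "NSEC3":
            denial.remove(child)
    if denial.find("NSEC") is None:
        ET.SubElement(denial, "NSEC")
    return _serialize(root)


def hsm_module(conf_xml: str, repository: str = "SoftHSM") -> str:
    """Return the <Module> path configured for the named repository."""
    root = ET.fromstring(conf_xml)
    mod = root.find(f"./RepositoryList/Repository[@name='{repository}']/Module")
    if mod is None or not mod.text:
        raise ValueError(f"repository {repository!r} has no <Module> element")
    return mod.text.strip()


def set_hsm_module(conf_xml: str, module_path: str, repository: str = "SoftHSM") -> str:
    """Point the named repository's <Module> at module_path."""
    root = ET.fromstring(conf_xml)
    mod = root.find(f"./RepositoryList/Repository[@name='{repository}']/Module")
    if mod is None:
        raise ValueError(f"repository {repository!r} has no <Module> element")
    mod.text = module_path
    return _serialize(root)


if __name__ == "__main__":
    # Real use: read and write /usr/local/etc/opendnssec/{kasp,conf}.xml instead.
    new_kasp = switch_policy_to_nsec(KASP_SAMPLE)
    new_conf = set_hsm_module(CONF_SAMPLE, "/usr/local/lib/softhsm/libsofthsm.so")
    print("denial:", denial_type(KASP_SAMPLE), "->", denial_type(new_kasp))
    print("module:", hsm_module(CONF_SAMPLE), "->", hsm_module(new_conf))
```

Whatever tool you use to edit the files, run `ods-ksmutil setup` (next step) afterwards: it validates conf.xml and kasp.xml against their schemas and will reject a policy that ends up with both or neither of `<NSEC/>` and `<NSEC3>`.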
67
3. Initialize the KSM

    # ods-ksmutil setup

    *WARNING* This will erase all data in the database; are you sure? [y/N] y
    SQLite database set to: /usr/local/var/opendnssec/kasp.db
    fixing permissions on file /usr/local/var/opendnssec/kasp.db
    zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
    kasp filename set to /usr/local/etc/opendnssec/kasp.xml.
    Repository SoftHSM found
    No Maximum Capacity set.
    RequireBackup NOT set; please make sure that you know the potential
        problems of using keys which are not recoverable
    /usr/local/etc/opendnssec/conf.xml validates
    /usr/local/etc/opendnssec/kasp.xml validates
    Policy default found
    Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted as 365 days

    The RequireBackup warning deserves a second look outside a lab: the
    private keys exist only inside the SoftHSM token database, so if that
    file is lost, the zone can no longer be signed (or its keys rolled)
    with them.
85
4. Install a copy of the unsigned zone for OpenDNSSEC to sign

    Earlier, we made a backup copy of our zone, before it was signed
    by BIND9. We are going to use that backup copy now and make it
    available to OpenDNSSEC.

    # cd /etc/namedb/master
    # cp mytld.backup /usr/local/var/opendnssec/unsigned/mytld
94
5. Add the zone to OpenDNSSEC's database:

    # ods-ksmutil zone add --zone mytld

    zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
    Imported zone: mytld

    No --policy, --input or --output was given, so the zone is attached to
    the "default" policy and uses the default paths under unsigned/ and
    signed/, which is why the copy in step 4 had to be named exactly "mytld".
101
6. Start OpenDNSSEC!

    # ods-control start

    Starting enforcer...
    OpenDNSSEC ods-enforcerd started (version 1.3.10), pid 63495
    Starting signer engine...
    Starting signer...
    OpenDNSSEC signer engine version 1.3.10
    Engine running.

    # ps ax | grep ods

    41588  ??  SsJ    0:00.11 /usr/local/sbin/ods-enforcerd
    41593  ??  SsJ    0:00.07 /usr/local/sbin/ods-signerd
117
7. Check that the zone is signed

    # ls -l /usr/local/var/opendnssec/signed

    -rw-r--r--  1 root  wheel  2621 Feb 19 09:10 mytld

    Take a look at the contents of the zone - note the key ids (key tags)
    for the KSK and ZSK. The KSK is the DNSKEY record with flags 257, the
    ZSK the one with flags 256; the RRSIG records name the tag of the key
    that produced each signature.

    If for some reason you don't see a file in this directory
    (/usr/local/var/opendnssec/signed/), then force the signer to sign:

    # ods-signer sign mytld
131
8. Moment of reflection

    Ok, so now the zone is signed with OpenDNSSEC - do notice that the
    zone was signed, but you didn't issue any commands to generate keys.

    List the keys currently managed by OpenDNSSEC:

    # ods-ksmutil key list

    Keys:
    Zone:                       Keytype:      State:    Date of next transition:
    mytld                       KSK           publish   2012-09-14 09:15:09
    mytld                       ZSK           active    2012-10-13 19:15:09

    Notice that two keys have just been created by OpenDNSSEC, on the fly.

    But BIND is still loading the zone that was signed earlier (either
    manually or using the inline signer) - can we just modify the named.conf
    definition and point to the signed zone instead?

    Which KSK is currently being used? And which DS record is published
    in the parent zone?

    Would the resolvers be able to verify the signatures on the zone
    signed with OpenDNSSEC? Why not? What would you have to do for
    it to work (there are several possible answers)?

    If you don't care about the validation problem, then you can proceed
    with the rest of this lab.

160
161
9. Tell BIND to load the new zone

    Modify /etc/namedb/named.conf, and change the zone definition for "mytld"
    so it looks like this (REMOVE auto-dnssec, etc...)

zone "mytld" {
    file "/usr/local/var/opendnssec/signed/mytld";  // <--- Change path
    type master;
    key-directory "/etc/namedb/keys";   // <--- Remove if there
    auto-dnssec maintain;               // <--- Remove if there
    inline-signing yes;                 // <--- Remove if there
};

    Now, BIND is back to being a "passive" nameserver that doesn't sign
    the zone - it just serves the zone signed by OpenDNSSEC.

    Restart named:

    # service named restart

    Check the logs in /etc/namedb/log/general to make sure that the zone
    is loading correctly.

    Validation will now fail for anyone looking up data in your zone:
    the DS record in the parent still matches the KSK that BIND was
    using, not the KSK OpenDNSSEC generated. Wait a few minutes, and
    try to look up a record in your zone:

    # dig www.mytld +dnssec

    What do you notice?

192
193
10. Have OpenDNSSEC reload BIND

    Even better, you can have OpenDNSSEC tell BIND to reload the zone when
    it has been signed - like this, there is no need to reload manually.

    To do this, modify /usr/local/etc/opendnssec/conf.xml

    Find the lines:

<!--
                <NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
-->

    ... and remove the comment markers (the lines '<!--' and '-->') before
    and after. The signer substitutes the zone name for %zone and runs the
    command as the account OpenDNSSEC runs as, so that account must be able
    to execute rndc and read its key; check the path to rndc on your system.

    Save the file, and restart OpenDNSSEC so the signer re-reads conf.xml:

    # ods-control stop
    ...
    # ods-control start

214
215
11. Export the DS, ready to upload:

    Verify the state of the KSK at this stage:

    # ods-ksmutil key list

    Note the state that the KSK is in.

    If it is still in publish state (see
    https://wiki.opendnssec.org/display/DOCS/Key+States#KeyStates-Publish for
    reference), then the key is, from OpenDNSSEC's point of view, not ready to
    be used, as it hasn't had time to propagate.

    You can still export the DS record, derived from the KSK:

    # ods-ksmutil key export --zone mytld --ds --keystate publish >/tmp/dsset-mytld.

    (The trailing dot in the file name is intentional: it mirrors the
    "dsset-<zone>." naming that BIND's dnssec-signzone uses.)
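Steps 7 and 8 ask you to read the key ids out of the signed zone and to think about which KSK the parent's DS record refers to; step 11 exports that DS with `ods-ksmutil`. The following Python script, added here as an example (it is not part of the lab or of OpenDNSSEC), does the same arithmetic offline: it parses the DNSKEY records from a zone excerpt, computes RFC 4034 key tags, tells KSK from ZSK by the flags field, derives the DS record the parent must publish, and checks whether a given set of parent DS records would let a validator build a chain of trust to the zone. The zone excerpt, the 4-byte "public keys" and the stale parent DS are constructed toy values (real RSA keys are hundreds of bytes), and the line parser assumes the `owner TTL IN TYPE rdata` layout the OpenDNSSEC signer writes; all function names are this example's own.

```python
"""DNSKEY -> key tag / KSK-vs-ZSK / DS, plus a chain-of-trust check.

Added example, not part of the lab or of OpenDNSSEC. The zone excerpt, the
4-byte "public keys" and the parent DS set are constructed toy values; the
line parser assumes the 'owner TTL IN TYPE rdata' layout the OpenDNSSEC
signer writes. Key tag: RFC 4034 Appendix B. DS digest: RFC 4034 s. 5.1.4.
"""
import base64
import hashlib
import struct

# Constructed excerpt of a signed "mytld" zone: KSK (flags 257) and ZSK (256),
# both algorithm 8 (RSASHA256), with toy 4-byte keys so the tags are hand-checkable.
SIGNED_ZONE_SAMPLE = """\
mytld.\t3600\tIN\tSOA\tns.mytld. hostmaster.mytld. 2012091401 3600 900 1209600 3600
mytld.\t3600\tIN\tNS\tns.mytld.
mytld.\t3600\tIN\tDNSKEY\t257 3 8 AQIDBA==
mytld.\t3600\tIN\tDNSKEY\t256 3 8 BQYHCA==
mytld.\t3600\tIN\tRRSIG\tDNSKEY 8 1 3600 20121014091509 20120914091509 2063 mytld. c2lnbmF0dXJl
"""


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase) wire form, as hashed into the DS digest."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def role(flags: int) -> str:
    """0x0100 = Zone Key bit; 0x0001 = SEP bit, the conventional KSK marker."""
    if not flags & 0x0100:
        return "not-a-zone-key"
    return "KSK" if flags & 0x0001 else "ZSK"


def parse_dnskeys(zone_text: str) -> list:
    """One dict per DNSKEY RR in the zone text (owner TTL IN DNSKEY flags proto alg key)."""
    keys = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        flags, proto, alg = int(fields[4]), int(fields[5]), int(fields[6])
        pubkey = base64.b64decode("".join(fields[7:]))
        keys.append({"owner": fields[0], "flags": flags, "protocol": proto,
                     "algorithm": alg, "pubkey": pubkey, "role": role(flags),
                     "key_tag": key_tag(dnskey_rdata(flags, proto, alg, pubkey))})
    return keys


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> str:
    """DS in presentation format; the digest covers owner-wire || DNSKEY RDATA."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256}
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashers[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_ds(ds_text: str) -> tuple:
    """(key tag, algorithm, digest type, digest) from a DS line, TTL/class optional."""
    f = ds_text.split()
    return int(f[-4]), int(f[-3]), int(f[-2]), f[-1].upper()


def chain_of_trust_ok(zone_text: str, parent_ds_records: list) -> bool:
    """True if a DS the parent publishes matches any DNSKEY in the zone.

    A validator matches DS against any DNSKEY, not only SEP-flagged ones, so
    every zone key is tried; only digest types 1 (SHA-1) and 2 (SHA-256) here.
    """
    published = {parse_ds(ds) for ds in parent_ds_records}
    for k in parse_dnskeys(zone_text):
        for digest_type in (1, 2):
            ds = ds_record(k["owner"], k["flags"], k["protocol"], k["algorithm"],
                           k["pubkey"], digest_type)
            if parse_ds(ds) in published:
                return True
    return False


def zone_ds_records(zone_text: str, digest_type: int = 2) -> list:
    """What the DS export in step 11 amounts to: one DS per KSK in the zone."""
    return [ds_record(k["owner"], k["flags"], k["protocol"], k["algorithm"],
                      k["pubkey"], digest_type)
            for k in parse_dnskeys(zone_text) if k["role"] == "KSK"]


if __name__ == "__main__":
    for k in parse_dnskeys(SIGNED_ZONE_SAMPLE):
        print(f"{k['role']:3} key tag {k['key_tag']:5} alg {k['algorithm']}")
    # Constructed stand-in for the DS the parent still holds for the BIND-era KSK.
    stale_parent_ds = [ds_record("mytld.", 257, 3, 8, b"\x09\x0a\x0b\x0c")]
    print("validates with stale parent DS:", chain_of_trust_ok(SIGNED_ZONE_SAMPLE, stale_parent_ds))
    print("validates after DS upload:     ",
          chain_of_trust_ok(SIGNED_ZONE_SAMPLE, zone_ds_records(SIGNED_ZONE_SAMPLE)))
```

Run against the real file in /usr/local/var/opendnssec/signed/mytld, the `zone_ds_records` output should match what `ods-ksmutil key export --ds` prints for the same KSK (the key tag must agree; the digest type depends on which export you compare), and `chain_of_trust_ok` with the DS you see in the parent zone is the answer to the question in step 8.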
232
23312. Upload the DS to the server
234
235    # scp /tmp/dsset-mytld. adm@a.root-servers.net:
236
23713. Notify the administrator!
238
239    Ask the root operator to add the new DS to the root zone, and see
240    how long it takes before validation starts working again for your zone.
241   
242    ... or use the RZM web interface https://rzm.dnssek.org/
243
24414. What's with the keystate ?
245
246    Why is the key in Publish state ? Why is OpenDNSSEC reluctant to let us
247    use the key right away ?
248