DNSSEC signing using OpenDNSSEC and a Cryptech alpha board rev03

Before you start, you'll need

  • A Cryptech Alpha board, preferrably revision "rev03"
  • APT on the host system configured to find packages in the Cryptech repository, see BinaryPackages for instructions
apt-get install cryptech-alpha opendnssec opensc

Once you have the software package installed, you may need to upgrade your HSM's firmware.

Configure the HSM

For now, connect USB cables to both the DATA and MGMT ports of your HSM and plug them into the host where you will be running OpenDNSSEC. In production use it should not be necessary to leave the MGMT port connected, but it's easier to set up this way, and, as this is still a development platform, this is the configuration that's gotten the most testing.

# eval $(cryptech_probe)
# cryptech_muxd &
# cryptech_console

Username: wheel
Password: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding

cryptech> keystore set pin wheel supersikritnewpw
cryptech> keystore set pin so 123456
cryptech> keystore set pin user 1234

cryptech> masterkey set EFBEADDE

Leave cryptech_muxd running, so that the PKCS #11 library can use it to talk to the HSM.

Configure OpenDNSSEC

mkdir /var/lib/opendnssec/cryptech

cat > /var/lib/opendnssec/unsigned/example.com << EOF
\$TTL 600
example.com.  IN SOA  hidden-master.example.com. hostmaster.example.com. (
                                2016041401 ; serial
                                720        ; 28800      ; refresh (8 hours)
                                720        ; 7200       ; retry (2 hours)
                                300        ; 604800     ; expire (1 week)
                                120        ; 3600       ; minimum (1 hour)

               NS      lab.cryptech.is.
test           A

chown -R opendnssec: /var/lib/opendnssec/*

OpenDNSSEC configuration changes


<Repository name="Cryptech">
        <TokenLabel>Cryptech Token</TokenLabel>

The PIN is whatever was chosen as PIN for 'user' above. The TokenLabel has to be "Cryptech Token", not something you choose.




<Zone name="example.com">
                        <Adapter type="File">/var/lib/opendnssec/unsigned/example.com</Adapter>
                        <Adapter type="File">/var/lib/opendnssec/signed/example.com</Adapter>

Initialization and signing

Make the deamons reload their configuration:

    service opendnssec-enforcer restart
    service opendnssec-signer restart

Initialize opendnssec:

    ods-ksmutil setup

That should be it!

See /var/log/syslog for output from ods-kaspcheck, ods-enforcerd and ods-signerd. See /var/lib/opendnssec/signed/ for a signed example.com zone.

To list keys using ods-ksmutil, accessing the HSM using pkcs11 directly (rather than going through any of the opendnssec daemons), export the environment variables from /etc/default/opendnssec and run "ods-ksmutil keys list --verbose":

# ods-ksmutil keys list --verbose
SQLite database set to: /var/lib/opendnssec/kasp.db
Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
example.com                     KSK           ready     waiting for ds-seen (active)   2048    8           7f9b9329480ebe5dc81054ccb293e261  Cryptech                          62642
example.com                     ZSK           active    2016-07-13 19:04:30 (retire)   1024    8           97e972633613bd605944a0531ff5399b  Cryptech                          56620

If the output for repository is "Cryptech NOT IN repository", ods-ksmutil has not been able to actually list the keys in the HSM.