DNSSEC signing using OpenDNSSEC and a Cryptech alpha board rev03
Before you start, you'll need
- A Cryptech Alpha board, preferrably revision "rev03"
- APT on the host system configured to find packages in the Cryptech repository, see BinaryPackages for instructions
apt-get install cryptech-alpha opendnssec opensc
Once you have the software package installed, you may need to upgrade your HSM's firmware.
Configure the HSM
For now, connect USB cables to both the DATA and MGMT ports of your HSM and plug them into the host where you will be running OpenDNSSEC. In production use it should not be necessary to leave the MGMT port connected, but it's easier to set up this way, and, as this is still a development platform, this is the configuration that's gotten the most testing.
# eval $(cryptech_probe)
# cryptech_muxd &
# cryptech_console
Username: wheel
Password: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding
cryptech> keystore set pin wheel supersikritnewpw
cryptech> keystore set pin so 123456
cryptech> keystore set pin user 1234
cryptech> masterkey set EFBEADDE
^C
Leave cryptech_muxd
running, so that the PKCS #11 library can use it to talk to the HSM.
Configure OpenDNSSEC
mkdir /var/lib/opendnssec/cryptech
cat > /var/lib/opendnssec/unsigned/example.com << EOF
\$TTL 600
example.com. IN SOA hidden-master.example.com. hostmaster.example.com. (
2016041401 ; serial
720 ; 28800 ; refresh (8 hours)
720 ; 7200 ; retry (2 hours)
300 ; 604800 ; expire (1 week)
120 ; 3600 ; minimum (1 hour)
)
NS lab.cryptech.is.
test A 127.0.0.1
EOF
chown -R opendnssec: /var/lib/opendnssec/*
OpenDNSSEC configuration changes
/etc/opendnssec/conf.xml:
<Repository name="Cryptech">
<Module>/usr/lib/libcryptech-pkcs11.so</Module>
<TokenLabel>Cryptech Token</TokenLabel>
<PIN>1234</PIN>
<SkipPublicKey/>
</Repository>
The PIN is whatever was chosen as PIN for 'user' above. The TokenLabel has to be "Cryptech Token", not something you choose.
/etc/opendnssec/kasp.xml:
s/SoftHSM/Cryptech/
/etc/opendnssec/zonelist.xml:
<Zone name="example.com">
<Policy>lab</Policy>
<SignerConfiguration>/var/lib/opendnssec/signconf/example.com.xml</SignerConfiguration>
<Adapters>
<Input>
<Adapter type="File">/var/lib/opendnssec/unsigned/example.com</Adapter>
</Input>
<Output>
<Adapter type="File">/var/lib/opendnssec/signed/example.com</Adapter>
</Output>
</Adapters>
</Zone>
Initialization and signing
Make the deamons reload their configuration:
service opendnssec-enforcer restart
service opendnssec-signer restart
Initialize opendnssec:
ods-ksmutil setup
That should be it!
See /var/log/syslog for output from ods-kaspcheck, ods-enforcerd and ods-signerd. See /var/lib/opendnssec/signed/ for a signed example.com zone.
To list keys using ods-ksmutil, accessing the HSM using pkcs11 directly (rather than going through any of the opendnssec daemons), export the environment variables from /etc/default/opendnssec and run "ods-ksmutil keys list --verbose":
# ods-ksmutil keys list --verbose
SQLite database set to: /var/lib/opendnssec/kasp.db
Keys:
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
example.com KSK ready waiting for ds-seen (active) 2048 8 7f9b9329480ebe5dc81054ccb293e261 Cryptech 62642
example.com ZSK active 2016-07-13 19:04:30 (retire) 1024 8 97e972633613bd605944a0531ff5399b Cryptech 56620
If the output for repository is "Cryptech NOT IN repository", ods-ksmutil has not been able to actually list the keys in the HSM.