OpenDNSSEC

A quick guide about how to migrate a signed zone from dnssec-tools to OpenDNSSEC.

# dnf install bind opendnssec

Initialize the SoftHSM token in slot 0. It will ask for two PINs (passwords) to set on that token:

# softhsm2-util --init-token --slot 0 --label "OpenDNSSEC"
# chown -R ods:ods /var/lib/softhsm/tokens/

Set the repository PIN in conf.xml to the password we entered when initializing the SoftHSM slot:

# vi /etc/opendnssec/conf.xml

Optionally, we can set the <Serial> parameter to datecounter to get serials of the form 2015052001:

# vi /etc/opendnssec/kasp.xml

Convert your current keys:

# softhsm2-keyconv --in Kexample.com.+008+35941.private --out ksk.pem
# softhsm2-keyconv --in Kexample.com.+008+30269.private --out zsk.pem

And import them:

# softhsm2-util --import ksk.pem --slot 0 --label KSK --id 01
# softhsm2-util --import zsk.pem --slot 0 --label ZSK --id 02

Initialize the database. This erases all previous data, if there was any:

# ods-ksmutil setup

Create a directory to place your unsigned zones:

# mkdir /var/opendnssec/unsigned
# cp example.com.zone /var/opendnssec/unsigned/example.com

Now we tell OpenDNSSEC to add our zone. The enforcer service must be stopped (ods-control stop) so that it won't generate new keys for our zone:

# ods-ksmutil zone add -z example.com

Assign the keys we imported previously to our zone:

# ods-ksmutil key import --cka_id 01  --repository SoftHSM --zone example.com --keystate active --keytype ksk --bits 2048 --algorithm 8 --time 20150604
# ods-ksmutil key import --cka_id 02  --repository SoftHSM --zone example.com --keystate active --keytype zsk --bits 1024 --algorithm 8 --time 20150604

Now it's time to start the services. At the time of writing there is a bug in one of the service units; the fix is in this bug report.

# systemctl enable ods-enforcerd.service ods-signerd.service
# systemctl start ods-enforcerd.service ods-signerd.service

Notify the enforcer:

# ods-ksmutil notify

Start the enforcer:

# ods-control start
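A check worth running once ods-signerd has written its first signed zone (an added example, not part of the original post or of OpenDNSSEC): the key tags encoded in the old dnssec-tools file names (Kexample.com.+008+35941.private is algorithm 8, key tag 35941) must reappear as the key tags of the DNSKEY records in the signed zone. The DS record at the parent references the KSK by key tag and digest, so if the wrong key was converted or imported, the delegation fails validation as soon as the new signed zone is served. The sample zone below is constructed; its public key "AQAB" is only the RSA exponent 65537 standing in for a real modulus, which is why its key tags are small, and the check assumes numeric TTLs in the signed zone.

```python
"""Verify that the signed zone written after the migration still carries the
DNSKEYs of the old dnssec-tools key pairs (constructed example)."""
import base64
import re
import struct

# dnssec-tools / BIND key file name: K<zone>.+<alg>+<keytag>.<ext>
KEYFILE_RE = re.compile(
    r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?:private|key)$")

# Presentation-format DNSKEY RR; TTL and class are optional, TTL assumed numeric.
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(?P<flags>\d+)\s+"
    r"(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=\s]+)$")


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_keyfile_name(name: str) -> tuple:
    """Return (zone, algorithm, key tag) from a dnssec-tools key file name."""
    m = KEYFILE_RE.match(name)
    if m is None:
        raise ValueError(f"not a dnssec-tools key file name: {name}")
    return m.group("zone"), int(m.group("alg")), int(m.group("tag"))


def parse_dnskey(line: str):
    """Parse one DNSKEY RR line; return None for any other record (RRSIG included)."""
    m = DNSKEY_RE.match(line.strip())
    if m is None:
        return None
    flags = int(m.group("flags"))
    pubkey = base64.b64decode("".join(m.group("key").split()))
    return {
        "owner": m.group("owner").rstrip(".").lower(),
        "algorithm": int(m.group("alg")),
        # The SEP bit (flags value 1) marks the KSK; flags 256 is a plain ZSK.
        "role": "ksk" if flags & 0x0001 else "zsk",
        "tag": key_tag(flags, int(m.group("proto")), int(m.group("alg")), pubkey),
    }


def check_migration(keyfile_names, signed_zone: str) -> dict:
    """Compare the (zone, algorithm, key tag) triples from the old key file
    names with those recomputed from the DNSKEY RRs in the signed zone text."""
    expected = {}
    for name in keyfile_names:
        zone, alg, tag = parse_keyfile_name(name)
        expected[(zone.lower(), alg, tag)] = name
    found = {}
    for line in signed_zone.splitlines():
        k = parse_dnskey(line)
        if k is not None:
            found[(k["owner"], k["algorithm"], k["tag"])] = k["role"]
    return {
        "ok": set(expected) == set(found),
        "missing": sorted(expected[k] for k in expected.keys() - found.keys()),
        "unexpected": sorted(f"{z} alg {a} tag {t} ({found[(z, a, t)]})"
                             for (z, a, t) in found.keys() - expected.keys()),
        "roles": {t: r for (_, _, t), r in found.items()},
    }


# Constructed sample output of ods-signerd: KSK (257) and ZSK (256) share the
# toy public key "AQAB", giving key tags 1545 and 1544 respectively.
SAMPLE_SIGNED_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2015052001 7200 3600 1209600 3600
example.com. 3600 IN DNSKEY 257 3 8 AQAB
example.com. 3600 IN DNSKEY 256 3 8 AQAB
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20150704000000 20150604000000 1545 example.com. c2lnbmF0dXJl
"""
# Constructed key file names matching the sample zone above.
SAMPLE_KEYFILES = ["Kexample.com.+008+01545.private", "Kexample.com.+008+01544.private"]

if __name__ == "__main__":
    print(check_migration(SAMPLE_KEYFILES, SAMPLE_SIGNED_ZONE))
    # The post's real key tags are not in the sample zone, so this one reports a mismatch.
    print(check_migration(["Kexample.com.+008+35941.private",
                           "Kexample.com.+008+30269.private"], SAMPLE_SIGNED_ZONE))
```

Run it against the real signed zone under /var/opendnssec/signed and the key files you converted; an "ok" result with the KSK tag listed as ksk in "roles" means the DS already published at the parent still matches, and a "missing" entry means the corresponding key was not imported as the zone's active key.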

For more information, this is a good guide:

http://www.internetsociety.org/deploy360/wp-content/uploads/2014/10/opendnssec-start-guide-draft-final.pdf
