On Mon, 6 Dec 2021, 18:51 Stuart Henderson, <[email protected]> wrote:
> It would be helpful to have a set of commands to type (starting after
> "pkg_add opendnssec" i.e. showing the required configuration from scratch).
Starting from a new installation of stable 7.0 amd64, after having just
installed opendnssec from packages (because it misses the latest commit).
I will now paste from the readme file, as it was the best description of the
steps I found, and it proved sufficient.
Getting started
===============
This is a summary of steps needed to get OpenDNSSEC up and running in a
basic state using SoftHSM as the key storage backend.
Initial setup of SoftHSM
------------------------
Install softhsm2 package:
# pkg_add softhsm2
Create /var/opendnssec/softhsm/ directory for token storage, and instruct
SoftHSM to use this location:
# install -d -o _opendnssec -g _opendnssec -m 700 /var/opendnssec/softhsm/
# sed -i "s#/var/db/softhsm/tokens#/var/opendnssec/softhsm#g" \
/etc/softhsm2.conf
##** I am using the default, file storage. **##
Choose preferred token storage method, either 'file' (default) or 'db', e.g.:
# sed -i "s#objectstore.backend = file#objectstore.backend = db#g" \
/etc/softhsm2.conf
Initialize SoftHSM token (here assuming you are using slot 0):
# doas -u _opendnssec softhsm2-util --init-token --slot 0 \
--label OpenDNSSEC
You will need to enter Security Officer (SO) PIN and user PIN.
The SO PIN can be used to re-initialize the token. The user PIN will be used
by OpenDNSSEC for accessing SoftHSM.
User PIN and token label must be reflected in appropriate sections
of /etc/opendnssec/conf.xml:
# grep PIN /etc/opendnssec/conf.xml
<PIN>MySecretUserPIN</PIN>
# grep TokenLabel /etc/opendnssec/conf.xml
<TokenLabel>OpenDNSSEC</TokenLabel>
Verify OpenDNSSEC has access to SoftHSM token:
# doas -u _opendnssec ods-hsmutil info
Repository: SoftHSM
Module: /usr/local/lib/softhsm/libsofthsm2.so
Slot: 1557156002
Token Label: OpenDNSSEC
Manufacturer: SoftHSM project
Model: SoftHSM v2
Serial: e1a305015cd050a2
Verify token:
# doas -u _opendnssec softhsm2-util --show-slots
Available slots:
Slot 1557156002
Slot info:
Description: SoftHSM slot ID 0x5cd050a2
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number: e1a305015cd050a2
Initialized: yes
User PIN init.: yes
Label: OpenDNSSEC
Test SoftHSM:
# doas -u _opendnssec ods-hsmutil test SoftHSM
Speed-test SoftHSM, if needed:
# doas -u _opendnssec ods-hsmspeed -r SoftHSM -i 1000 -s 2048 -t 1
Bootstrapping OpenDNSSEC
------------------------
Check if the configuration is valid:
# doas -u _opendnssec ods-kaspcheck
INFO: The XML in /etc/opendnssec/conf.xml is valid
ERROR: SQLite datastore (/var/opendnssec/kasp.db) does not exist
INFO: The XML in /etc/opendnssec/kasp.xml is valid
INFO: The XML in /etc/opendnssec/zonelist.xml is valid
Create an initial KASP database (if you are running mysql flavor, first
you will need to configure mariadb-server and modify <Datastore> in
/etc/opendnssec/conf.xml):
# doas -u _opendnssec ods-enforcer-db-setup
*WARNING* This will erase all data in the database; are you sure? [y/N] y
Database setup successfully.
##** Not in the readme file; added in order to use ed25519 keys as the
default. **##
Edit /etc/opendnssec/kasp.xml to define our intended default key algorithm.
Make sure to edit the block of the default policy which will be used.
[...]
<KSK>
<Algorithm length="256">15</Algorithm>
<Lifetime>P1Y</Lifetime>
<Repository>SoftHSM</Repository>
</KSK>
<ZSK>
<Algorithm length="256">15</Algorithm>
<Lifetime>P90D</Lifetime>
<Repository>SoftHSM</Repository>
</ZSK>
[...]
Write and quit.
##** End of steps not in the readme doc. **##
Start OpenDNSSEC:
# rcctl start opendnssec
Import policy:
# doas -u _opendnssec ods-enforcer policy import
Created policy default successfully
Check policy:
# doas -u _opendnssec ods-enforcer policy list
Policy: Description:
default ECDSAP256SHA256 NSEC3 KSK1Y ZSK90D
Copy an unsigned zone file into the unsigned/ directory:
# cp <somewhere>/example.com /var/opendnssec/unsigned/
##** Don't import; add from the command line as described next. **##
Import zones from zonelist.xml:
# doas -u _opendnssec ods-enforcer zonelist import
Zone example.com created successfully
##** Add manually and define the policy to be used for the new zone, i.e. the
policy we edited to use algorithm 15. **##
Or add the zone from the command line:
# doas -u _opendnssec ods-enforcer zone add --zone example.com \
--policy default
input is set to /var/opendnssec/unsigned/example.com.
output is set to /var/opendnssec/signed/example.com.
Zone example.com added successfully
Check the zone:
# doas -u _opendnssec ods-enforcer zone list
Zones:
Zone: Policy: Next change:
example.com default Fri Nov 16 14:50:25 2018
List the keys:
##** Append -v to show the algorithm of the keys generated. Should show
# doas -u _opendnssec ods-enforcer key list -v
Keys:
Zone:         Keytype:  State:    Date of next transition:  Size  Algorithm
example.com   KSK       publish   2018-11-16 14:50:25       256   15
example.com   ZSK       ready     2018-11-16 14:50:25       256   15
##** end **##
For the intended purpose there is no need to go further. Ed25519 keys have
been created.
Also, to list the keys generated and stored in the repository, just do:
# doas -u _opendnssec ods-hsmutil list SoftHSM
It should list keys of type EDDSA/255, including the ones shown above for the
current KSK and ZSK.
I believe there were no other changes from the default config, or steps not in
the readme doc, other than what was described above.
By the way, unbound on OpenBSD will not be able to verify a domain that uses
ed25519 keys (algorithm 15), but the powerdns recursor from packages does.
Also, major online providers and ISPs will verify it as safe, and dnsviz.net
and zonemaster.net will correctly verify the configuration and show details.
-------
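The kasp.xml change in the message above is done by hand in an editor. What follows is an added example, not from the OpenBSD README, from OpenDNSSEC or from the poster, of doing that edit from the shell and pre-flighting the result: it rewrites the KSK/ZSK `<Algorithm>` elements of one named policy only and then checks that every `length` attribute in the file fits its algorithm number. Assumptions: the policy is named "default" as in the README, the RSA minimum of 2048 bits is a local choice of this script, and the kasp.xml fragment embedded in it is constructed test data with a second "legacy" policy added to show the rewrite is scoped.

```shell
#!/bin/sh
# Added example (not from the OpenBSD README, OpenDNSSEC or the poster).
# Automates the manual kasp.xml edit and adds a check on the result before the
# file goes through ods-kaspcheck / "ods-enforcer policy import".
set -eu

# Expected "length" attribute for a DNSSEC algorithm number as used in kasp.xml.
# Fixed sizes for the EC/EdDSA algorithms, a minimum (local policy choice) for
# RSA; anything else is "unknown" so a typo such as 51 instead of 15 is caught.
expected_length() {
    case "$1" in
        8|10) echo "min:2048" ;;   # RSASHA256, RSASHA512
        13)   echo "256" ;;        # ECDSAP256SHA256
        14)   echo "384" ;;        # ECDSAP384SHA384
        15)   echo "256" ;;        # ED25519
        *)    echo "unknown" ;;
    esac
}

# set_policy_algorithm FILE POLICY ALG LEN
# Rewrite every <Algorithm length="..."> element (KSK/ZSK/CSK) inside the named
# <Policy> block only. The NSEC3 <Hash><Algorithm> has no length attribute and
# is untouched. Writes via a temp file rather than depending on sed -i.
set_policy_algorithm() {
    spa_tmp="$1.tmp.$$"
    sed "/<Policy name=\"$2\"[ >]/,/<\/Policy>/ s#<Algorithm length=\"[0-9][0-9]*\">[0-9][0-9]*</Algorithm>#<Algorithm length=\"$4\">$3</Algorithm>#" \
        "$1" > "$spa_tmp" && mv "$spa_tmp" "$1"
}

# check_policy_algorithms FILE
# Print one line per <Algorithm length="..."> element and return non-zero if
# any length does not fit its algorithm number.
check_policy_algorithms() {
    cpa_bad=0
    for cpa_pair in $(sed -n 's/.*<Algorithm length="\([0-9][0-9]*\)">\([0-9][0-9]*\)<\/Algorithm>.*/\1:\2/p' "$1"); do
        cpa_len="${cpa_pair%%:*}"
        cpa_alg="${cpa_pair#*:}"
        cpa_want="$(expected_length "$cpa_alg")"
        case "$cpa_want" in
            min:*)   [ "$cpa_len" -ge "${cpa_want#min:}" ] && cpa_ok=yes || cpa_ok=no ;;
            unknown) cpa_ok=no ;;
            *)       [ "$cpa_len" = "$cpa_want" ] && cpa_ok=yes || cpa_ok=no ;;
        esac
        echo "algorithm $cpa_alg length $cpa_len: $cpa_ok"
        [ "$cpa_ok" = yes ] || cpa_bad=$((cpa_bad + 1))
    done
    [ "$cpa_bad" -eq 0 ]
}

# count_algorithm FILE POLICY ALG LEN -> number of matching elements in POLICY
count_algorithm() {
    sed -n "/<Policy name=\"$2\"[ >]/,/<\/Policy>/p" "$1" \
        | grep -c "<Algorithm length=\"$4\">$3</Algorithm>" || true
}

# Constructed sample kasp.xml (not a real installation's file): two policies,
# with an RSA-1024 ZSK in "default" that the check should reject.
write_sample_kasp() {
    cat > "$1" <<'EOF'
<KASP>
  <Policy name="default">
    <Description>Constructed sample policy</Description>
    <Denial><NSEC3><Hash>
      <Algorithm>1</Algorithm>
      <Iterations>5</Iterations>
      <Salt length="8"/>
    </Hash></NSEC3></Denial>
    <Keys>
      <KSK><Algorithm length="2048">8</Algorithm><Lifetime>P1Y</Lifetime><Repository>SoftHSM</Repository></KSK>
      <ZSK><Algorithm length="1024">8</Algorithm><Lifetime>P90D</Lifetime><Repository>SoftHSM</Repository></ZSK>
    </Keys>
  </Policy>
  <Policy name="legacy">
    <Keys>
      <KSK><Algorithm length="2048">8</Algorithm><Lifetime>P1Y</Lifetime><Repository>SoftHSM</Repository></KSK>
    </Keys>
  </Policy>
</KASP>
EOF
}

demo_kasp="$(mktemp)"
write_sample_kasp "$demo_kasp"
echo "== before: ZSK of 'default' is RSA-1024, check is expected to fail =="
check_policy_algorithms "$demo_kasp" || echo "check failed as expected"
set_policy_algorithm "$demo_kasp" default 15 256
echo "== after switching policy 'default' to ED25519 (15/256) =="
check_policy_algorithms "$demo_kasp"
rm -f "$demo_kasp"
```

On a real box, run it as the `_opendnssec` user against /etc/opendnssec/kasp.xml after `ods-enforcer-db-setup` and before `ods-enforcer policy import`; the `sed` range address is what keeps the rewrite inside the one `<Policy>` block, so other policies in the same file keep their algorithms.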