opendnssec

open-source turn-key solution for DNSSEC

WWW CVSWeb GITHub
  1. Package version
    opendnssec-2.1.13-sqlite3
  2. Maintainer
    Pavel Korovin

OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
It secures zone data just before it is published in an authoritative
name server.

+-----------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-----------------------------------------------------------------------

Getting started
===============
This is a summary of steps needed to get OpenDNSSEC up and running in a
basic state using SoftHSM as the key storage backend.

Initial setup of SoftHSM
------------------------
Install softhsm2 package:

# pkg_add softhsm2

Create /var/opendnssec/softhsm/ directory for token storage, and instruct
SoftHSM to use this location:

# install -d -o _opendnssec -g _opendnssec -m 700 /var/opendnssec/softhsm/

# sed -i "s#/var/db/softhsm/tokens#/var/opendnssec/softhsm#g" \
/etc/softhsm2.conf

Choose preferred token storage method, either 'file' (default) or 'db', e.g.:

# sed -i "s#objectstore.backend = file#objectstore.backend = db#g" \
/etc/softhsm2.conf

Initialize SoftHSM token (here assuming you are using slot 0):

# doas -u _opendnssec softhsm2-util --init-token --slot 0 \
--label OpenDNSSEC

You will need to enter Security Officer (SO) PIN and user PIN.
The SO PIN can be used to re-initalize the token. User PIN will be used
by OpenDNSSEC for accessing SoftHSM.

User PIN and token label must be reflected in appropriate sections
of /etc/opendnssec/conf.xml:

# grep /etc/opendnssec/conf.xml
<PIN>MySecretUserPIN</PIN>

# grep TokenLabel /etc/opendnssec/conf.xml
<TokenLabel>OpenDNSSEC</TokenLabel>

Verify OpenDNSSEC has access to SoftHSM token:

# doas -u _opendnssec ods-hsmutil info
Repository: SoftHSM
Module: /usr/local/lib/softhsm/libsofthsm2.so
Slot: 1557156002
Token Label: OpenDNSSEC
Manufacturer: SoftHSM project
Model: SoftHSM v2
Serial: e1a305015cd050a2

Verify token:

# doas -u _opendnssec softhsm2-util --show-slots
Available slots:
Slot 1557156002
Slot info:
Description: SoftHSM slot ID 0x5cd050a2
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number: e1a305015cd050a2
Initialized: yes
User PIN init.: yes
Label: OpenDNSSEC

Test SoftHSM:

# doas -u _opendnssec ods-hsmutil test SoftHSM

Speed-test SoftHSM, if needed:

# doas -u _opendnssec ods-hsmspeed -r SoftHSM -i 1000 -s 2048 -t 1

Bootstrapping OpenDNSSEC
------------------------

Check if the configuration is valid:

# doas -u _opendnssec ods-kaspcheck
INFO: The XML in /etc/opendnssec/conf.xml is valid
ERROR: SQLite datastore (/var/opendnssec/kasp.db) does not exist
INFO: The XML in /etc/opendnssec/kasp.xml is valid
INFO: The XML in /etc/opendnssec/zonelist.xml is valid

Create an initial KASP database (if you are running mysql flavor, first
you will need to configure mariadb-server and modify <Datastore> in
/etc/opendnssec/conf.xml):

# doas -u _opendnssec ods-enforcer-db-setup
*WARNING* This will erase all data in the database; are you sure? [y/N] y
Database setup successfully.

Start OpenDNSSEC:

# rcctl start opendnssec

Import policy:

# doas -u _opendnssec ods-enforcer policy import
Created policy default successfully

Check policy:

# doas -u _opendnssec ods-enforcer policy list
Policy: Description:
default ECDSAP256SHA256 NSEC3 KSK1Y ZSK90D

Copy an unsigned zone file into the unsigned/ directory:

# cp <somewhere>/example.com /var/opendnssec/unsigned/

Import zones from zonelist.xml:

# doas -u _opendnssec ods-enforcer zonelist import
Zone example.com created successfully

Or add the zone from the command line:

# doas -u _opendnssec ods-enforcer zone add --zone example.com
input is set to /var/opendnssec/unsigned/example.com.
output is set to /var/opendnssec/signed/example.com.
Zone example.com added successfully

Check the zone:

# doas -u _opendnssec ods-enforcer zone list
Zones:
Zone: Policy: Next change:
example.com default Fri Nov 16 14:50:25 2018

List the keys:

# doas -u _opendnssec ods-enforcer key list
Keys:
Zone: Keytype: State: Date of next transition:
example.com KSK publish 2018-11-16 14:50:25
example.com ZSK ready 2018-11-16 14:50:25

After the KSK state transitions to "waiting for ds-seen", export the DS record:

# doas -u _opendnssec ods-enforcer key list
Keys:
Zone:
example.com KSK ready waiting for ds-seen
example.com ZSK active 2019-02-14 00:50:25

# doas -u _opendnssec ods-enforcer key export --zone example.com \
--keystate ready --keytype KSK --ds
;ready KSK DS record (SHA256):
example.com. 600 IN DS 65331 13 2 <DSKEY>

Before submitting DS record to the parent zone, run:

# doas -u _opendnssec \
ods-enforcer key ds-submit --zone example.com --keytag 65331

Then submit the DS record to the parent zone.

When DS RR appears in the parent zone, activate the KSK:

# doas -u _opendnssec ods-enforcer key ds-seen --zone example.com --keytag 65331
1 KSK matches found.
1 KSKs changed.
# ods-enforcer key list -v
Keys:
Zone: Keytype: State: Date of next transition:
example.com KSK active 2018-11-17 20:07:31
example.com ZSK active 2018-11-17 20:07:31

The signed zone will appear in /var/opendnssec/signed/ directory
or will be transferred to your authoritative DNS server, depending
on the zone output configuration.

Upgrading from version 1.4.x to 2.x
-----------------------------------
OpenDNSSEC enforcer database migration is required if you are upgrading from
1.4.x to 2.x. Read ${PREFIX}/share/doc/opendnssec/MIGRATION
for more information.

Database conversion scripts
---------------------------
Note that OpenDNSSEC database conversion scripts are installed in
${PREFIX}/sbin and renamed:
convert_mysql_to_sqlite to ods-convert_mysql_to_sqlite
convert_sqlite_to_mysql to ods-convert_sqlite_to_mysql

  • sqlite3
  • mysql

  • devel/cunit