[Cryptech Core] quick notes for opendnssec on alpha

Fredrik Thulin fredrik at thulin.net
Tue Jun 28 19:01:02 UTC 2016


Hi all

I believe we're getting close to a working DNSSEC signer using OpenDNSSEC and 
the Alpha board. On today's engineering chat I said I would do a quick writeup 
on how to get a debug/development setup so that others can help fix and test 
stuff (e.g. at the moment OpenDNSSEC generates keys, but then doesn't find 
them).

I use Ubuntu 16.04 in a Virtualbox VM with the USER USB attached to it.


Commands:

apt-get install opendnssec opensc

cat > /etc/default/opendnssec << EOF
PKCS11SPY=/path/to/cryptech/src/sw/pkcs11/pkcs11.so
#PKCS11SPY_OUTPUT=logfile
PKCS11_DATABASE=/var/lib/opendnssec/cryptech/p11.db
EOF

mkdir /var/lib/opendnssec/cryptech

cat > /var/lib/opendnssec/unsigned/example.com << EOF
$TTL 600
example.com.		IN SOA	hidden-master.example.com. hostmaster.example.com. (
				2016041401 ; serial
				720        ; 28800      ; refresh (8 hours)
				720        ; 7200       ; retry (2 hours)
				300        ; 604800     ; expire (1 week)
				120         ; 3600       ; minimum (1 hour)
				)

			NS	lab.cryptech.is.
test			A	127.0.0.1
EOF

chown -R opendnssec: /var/lib/opendnssec/*



OpenDNSSEC configuration changes:

/etc/opendnssec/conf.xml:

                <Repository name="Cryptech">
                        <!-- <Module>/path/to/cryptech/src/sw/pkcs11/pkcs11.so</Module> -->
                        <Module>/usr/lib/x86_64-linux-gnu/pkcs11-spy.so</Module>
                        <TokenLabel>Cryptech Token</TokenLabel>
                        <PIN>1234</PIN>
                        <SkipPublicKey/>
                </Repository>


(the TokenLabel has to be Cryptech Token, not something you choose).

/etc/opendnssec/kasp.xml:

s/SoftHSM/Cryptech/

/etc/opendnssec/zonelist.xml:

        <Zone name="example.com">
                <Policy>lab</Policy>
                <SignerConfiguration>/var/lib/opendnssec/signconf/example.com.xml</SignerConfiguration>
                <Adapters>
                        <Input>
                                <Adapter type="File">/var/lib/opendnssec/unsigned/example.com</Adapter>
                        </Input>
                        <Output>
                                <Adapter type="File">/var/lib/opendnssec/signed/example.com</Adapter>
                        </Output>
                </Adapters>
        </Zone>



Initialization:


ods-ksmutil setup


That should be it. See /var/log/syslog for output, including pkcs11-spy 
logging.

To list keys (this apparently accesses the HSM through PKCS#11 directly rather 
than going through the OpenDNSSEC daemons), export the environment variables 
from /etc/default/opendnssec and run "ods-ksmutil keys list --verbose".
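When tracking down the "keys are generated but then not found" problem, the pkcs11-spy log is the place to look: it records every PKCS#11 call the OpenDNSSEC daemons make against the Cryptech module and the CKR_ value each one returned. The script below is an added example, not code from this post or from the Cryptech or OpenDNSSEC projects. It summarises a spy log: how often each C_ function was called, every call that did not return CKR_OK, and the object count of each C_FindObjectsInit..C_FindObjectsFinal search, so that a search that silently returns zero objects stands out. The sample log embedded in it is constructed by hand in the shape OpenSC's pkcs11-spy writes (a "N: C_Function" header, argument lines, then "Returned:  rv CKR_NAME"); the argument formatting and the numeric return value are assumptions, not a real capture.

```python
import re
from collections import Counter

# Constructed sample in the shape of pkcs11-spy output (not a real capture).
SAMPLE_SPY_LOG = """\
0: C_Initialize
2016-06-28 19:01:02.100
[in] pInitArgs = (nil)
Returned:  0 CKR_OK

1: C_Login
[in] userType = CKU_USER
Returned:  0 CKR_OK

2: C_GenerateKeyPair
[in] pMechanism->type = CKM_RSA_PKCS_KEY_PAIR_GEN
Returned:  0 CKR_OK

3: C_FindObjectsInit
[in] pTemplate[0]: CKA_CLASS = CKO_PUBLIC_KEY
Returned:  0 CKR_OK

4: C_FindObjects
[out] *pulObjectCount = 0x1
Returned:  0 CKR_OK

5: C_FindObjects
[out] *pulObjectCount = 0x0
Returned:  0 CKR_OK

6: C_FindObjectsFinal
Returned:  0 CKR_OK

7: C_FindObjectsInit
[in] pTemplate[0]: CKA_CLASS = CKO_PRIVATE_KEY
Returned:  0 CKR_OK

8: C_FindObjects
[out] *pulObjectCount = 0x0
Returned:  0 CKR_OK

9: C_FindObjectsFinal
Returned:  0 CKR_OK

10: C_GetAttributeValue
[in] hObject = 0x2
Returned:  130 CKR_OBJECT_HANDLE_INVALID
"""

CALL_RE = re.compile(r"^(\d+): (C_\w+)$")          # "4: C_FindObjects"
RET_RE = re.compile(r"^Returned:\s+(\d+)\s+(CKR_\w+)$")
COUNT_RE = re.compile(r"^\[out\] \*pulObjectCount = 0x([0-9a-fA-F]+)$")


def summarize_spy_log(text):
    """Return call counts, non-CKR_OK returns and per-search object totals."""
    calls = Counter()
    failures = []        # (seq, function, CKR_ name) for every non-CKR_OK return
    searches = []        # objects returned by each FindObjectsInit..Final search
    current = None       # (seq, function) of the call whose lines we are inside
    count_in_call = 0    # *pulObjectCount seen inside the current C_FindObjects
    search_total = None  # running total for the open search, None if none open
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            current = (int(m.group(1)), m.group(2))
            count_in_call = 0
            calls[current[1]] += 1
            continue
        if current is None:
            continue
        m = COUNT_RE.match(line)
        if m:
            count_in_call = int(m.group(1), 16)
            continue
        m = RET_RE.match(line)
        if m:
            seq, func = current
            rv_name = m.group(2)
            if rv_name != "CKR_OK":
                failures.append((seq, func, rv_name))
            elif func == "C_FindObjectsInit":
                search_total = 0
            elif func == "C_FindObjects" and search_total is not None:
                search_total += count_in_call
            elif func == "C_FindObjectsFinal" and search_total is not None:
                searches.append(search_total)
                search_total = None
            current = None
    return {"calls": dict(calls), "failures": failures, "searches": searches}


def empty_searches(summary):
    """Indexes of searches that completed without returning a single object."""
    return [i for i, n in enumerate(summary["searches"]) if n == 0]


if __name__ == "__main__":
    s = summarize_spy_log(SAMPLE_SPY_LOG)
    for func, n in sorted(s["calls"].items()):
        print(f"{n:4d}  {func}")
    for seq, func, rv in s["failures"]:
        print(f"call {seq} {func} returned {rv}")
    print("searches (objects found):", s["searches"],
          "empty:", empty_searches(s))
```

To run it on a real log, set PKCS11SPY_OUTPUT in /etc/default/opendnssec to a file and pass that file's contents to summarize_spy_log; with the sample above the second search (the one for private keys) comes back empty and call 10 fails with CKR_OBJECT_HANDLE_INVALID, which is exactly the pattern to look for when keys are created but later not found.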

/Fredrik


