Using DTC with OpenDNSSEC - niclabs/dtc GitHub Wiki

Based on the description on its page, OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones. The goal of the project is to make DNSSEC easy to deploy.

The current version of the DTC library is compatible with OpenDNSSEC v2.1.3.

The following steps show how to use the DTC library with OpenDNSSEC. They are based on the OpenDNSSEC quick start guide.

Install OpenDNSSEC

Use the following commands to install OpenDNSSEC 2.1.3:

sudo apt install opendnssec

Press OK when needed and wait for the installation to finish.

Configure OpenDNSSEC with DTC library

Then, edit the file /etc/opendnssec/conf.xml (you may need to be superuser to do this). Comment out or remove the first <Repository> inside the <RepositoryList> tag (it is SoftHSM, another PKCS11 library that we are not going to use) and add the following lines inside <RepositoryList>:

<Repository name="DTC">
    <Module>/path/to/dtc.so</Module>
    <TokenLabel>TCBHSM</TokenLabel>
    <PIN>1234</PIN>
    <SkipPublicKey/>
</Repository>

Remember to change /path/to/dtc.so to the actual path of dtc.so on your system.

You also need to replace every occurrence of the string "SoftHSM" with "DTC" in /etc/opendnssec/kasp.xml.
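As an added example (not code from the DTC project or the OpenDNSSEC documentation), the following Python script performs the two edits above on constructed sample copies of conf.xml and kasp.xml, then checks that every repository kasp.xml references is defined in conf.xml, which is the mismatch that makes ods-enforcer refuse a policy. The token label and PIN are the ones from the snippet above; the module path is a placeholder, and the default ElementTree parser drops XML comments, so keep a copy of the original files.

```python
"""Switch OpenDNSSEC conf.xml / kasp.xml from SoftHSM to the DTC PKCS#11 module."""
import xml.etree.ElementTree as ET

# Constructed minimal samples mirroring the default OpenDNSSEC 2.1 layout.
SAMPLE_CONF = """<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/usr/lib/softhsm/libsofthsm2.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
      <SkipPublicKey/>
    </Repository>
  </RepositoryList>
</Configuration>"""

SAMPLE_KASP = """<KASP>
  <Policy name="default">
    <Keys>
      <KSK><Algorithm length="2048">8</Algorithm><Repository>SoftHSM</Repository></KSK>
      <ZSK><Algorithm length="1024">8</Algorithm><Repository>SoftHSM</Repository></ZSK>
    </Keys>
  </Policy>
</KASP>"""


def switch_conf_to_dtc(conf_xml, module_path, token_label="TCBHSM", pin="1234"):
    """Drop every SoftHSM <Repository> and append the DTC entry from the wiki snippet."""
    root = ET.fromstring(conf_xml)
    repos = root.find("RepositoryList")
    if repos is None:
        raise ValueError("conf.xml has no <RepositoryList>")
    for old in [r for r in repos.findall("Repository") if r.get("name") == "SoftHSM"]:
        repos.remove(old)
    dtc = ET.SubElement(repos, "Repository", name="DTC")
    ET.SubElement(dtc, "Module").text = module_path  # placeholder path, set to your dtc.so
    ET.SubElement(dtc, "TokenLabel").text = token_label
    ET.SubElement(dtc, "PIN").text = pin
    ET.SubElement(dtc, "SkipPublicKey")
    return ET.tostring(root, encoding="unicode")


def switch_kasp_to_dtc(kasp_xml):
    """Rename every <Repository>SoftHSM</Repository> in kasp.xml; return (xml, count)."""
    root = ET.fromstring(kasp_xml)
    changed = 0
    for rep in root.iter("Repository"):
        if rep.text and rep.text.strip() == "SoftHSM":
            rep.text, changed = "DTC", changed + 1
    return ET.tostring(root, encoding="unicode"), changed


def dangling_repositories(conf_xml, kasp_xml):
    """Repository names used by kasp.xml policies but not declared in conf.xml."""
    declared = {r.get("name") for r in ET.fromstring(conf_xml).iter("Repository")}
    used = {r.text.strip() for r in ET.fromstring(kasp_xml).iter("Repository") if r.text}
    return used - declared
```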

Initialize OpenDNSSEC

Then, initialize the OpenDNSSEC database using the following command:

sudo ods-enforcer-db-setup

Press "y" when the software asks whether to erase the data in the database.

Before this step, make sure you have compiled the library, created and moved the configuration files, and deployed the nodes (on real or virtual machines, or with Docker). Also check that the sqlite3 database is given as an absolute path in the library configuration.

You can now start the ODS signer and enforcer daemons, and then load the policies:

ods-control start
ods-enforcer policy import

The system should report the following messages:

Created policy default successfully
Created policy lab successfully

Signing a zone

Now move the zone you want to sign into the /var/lib/opendnssec/unsigned/ folder. If you don't have a zone, you can try the example.com zone in the DTC repository.

Finally, instruct OpenDNSSEC to sign the zone using the following command:

ods-enforcer zone add -z example.com -p default

You need to use default instead of lab because lab creates many keys with a short expiration period and is not optimized for DTC usage. DTC keys are slower to generate than regular RSA keys because of the requirements the cryptographic primitives impose when they are generated. However, key creation is a relatively rare operation, so this should not be a problem in production use.

Eventually (15 or 20 minutes later), you will have your signed zone in the /var/lib/opendnssec/signed/ folder.

If you want to check the OpenDNSSEC logs, look at the /var/log/syslog file. The DTC log is saved by default in /tmp/dtc.log, but its path can be changed in the library configuration.
