The security/opendnssec port

opendnssec-2.1.13-sqlite3 – open-source turn-key solution for DNSSEC (cvsweb github mirror)


OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
It secures zone data just before it is published in an authoritative
name server.
WWW: https://www.opendnssec.org/


| Running ${PKGSTEM} on OpenBSD

Getting started
This is a summary of steps needed to get OpenDNSSEC up and running in a
basic state using SoftHSM as the key storage backend.

Initial setup of SoftHSM
Install softhsm2 package:

    # pkg_add softhsm2

Create /var/opendnssec/softhsm/ directory for token storage, and instruct
SoftHSM to use this location:

    # install -d -o _opendnssec -g _opendnssec -m 700 /var/opendnssec/softhsm/

    # sed -i "s#/var/db/softhsm/tokens#/var/opendnssec/softhsm#g" \

Choose preferred token storage method, either 'file' (default) or 'db', e.g.:

    # sed -i "s#objectstore.backend = file#objectstore.backend = db#g" \

Initialize SoftHSM token (here assuming you are using slot 0):

    # doas -u _opendnssec softhsm2-util --init-token --slot 0 \
        --label OpenDNSSEC

You will need to enter Security Officer (SO) PIN and user PIN.
The SO PIN can be used to re-initalize the token. User PIN will be used
by OpenDNSSEC for accessing SoftHSM.

User PIN and token label must be reflected in appropriate sections
of /etc/opendnssec/conf.xml:

    # grep /etc/opendnssec/conf.xml

    # grep TokenLabel /etc/opendnssec/conf.xml

Verify OpenDNSSEC has access to SoftHSM token:

        # doas -u _opendnssec ods-hsmutil info
        Repository: SoftHSM
		Module:		/usr/local/lib/softhsm/libsofthsm2.so
		Slot:		1557156002
		Token Label:	OpenDNSSEC
		Manufacturer:	SoftHSM project
		Model:		SoftHSM v2
		Serial:		e1a305015cd050a2

Verify token:

	# doas -u _opendnssec softhsm2-util --show-slots
        Available slots:
        Slot 1557156002
            Slot info:
                Description:      SoftHSM slot ID 0x5cd050a2
                Manufacturer ID:  SoftHSM project
                Hardware version: 2.6
                Firmware version: 2.6
                Token present:    yes
            Token info:
                Manufacturer ID:  SoftHSM project
                Model:            SoftHSM v2
                Hardware version: 2.6
                Firmware version: 2.6
                Serial number:    e1a305015cd050a2
                Initialized:      yes
                User PIN init.:   yes
                Label:            OpenDNSSEC

Test SoftHSM:

	# doas -u _opendnssec ods-hsmutil test SoftHSM

Speed-test SoftHSM, if needed:

        # doas -u _opendnssec ods-hsmspeed -r SoftHSM -i 1000 -s 2048 -t 1

Bootstrapping OpenDNSSEC

Check if the configuration is valid:

    # doas -u _opendnssec ods-kaspcheck
    INFO: The XML in /etc/opendnssec/conf.xml is valid
    ERROR: SQLite datastore (/var/opendnssec/kasp.db) does not exist
    INFO: The XML in /etc/opendnssec/kasp.xml is valid
    INFO: The XML in /etc/opendnssec/zonelist.xml is valid

Create an initial KASP database (if you are running mysql flavor, first
you will need to configure mariadb-server and modify  in

    # doas -u _opendnssec ods-enforcer-db-setup
    *WARNING* This will erase all data in the database; are you sure? [y/N] y
    Database setup successfully.

Start OpenDNSSEC:

    # rcctl start opendnssec

Import policy:

    # doas -u _opendnssec ods-enforcer policy import
    Created policy default successfully

Check policy:

    # doas -u _opendnssec ods-enforcer policy list
    Policy:                         Description:
    default                         ECDSAP256SHA256 NSEC3 KSK1Y ZSK90D

Copy an unsigned zone file into the unsigned/ directory:

    # cp /example.com /var/opendnssec/unsigned/

Import zones from zonelist.xml:

    # doas -u _opendnssec ods-enforcer zonelist import
    Zone example.com created successfully

Or add the zone from the command line:

    # doas -u _opendnssec ods-enforcer zone add --zone example.com
    input is set to /var/opendnssec/unsigned/example.com.
    output is set to /var/opendnssec/signed/example.com.
    Zone example.com added successfully

Check the zone:

    # doas -u _opendnssec ods-enforcer zone list
    Zone:                           Policy:       Next change:
    example.com                     default       Fri Nov 16 14:50:25 2018

List the keys:

    # doas -u _opendnssec ods-enforcer key list
    Zone:                           Keytype: State:    Date of next transition:
    example.com                     KSK      publish   2018-11-16 14:50:25
    example.com                     ZSK      ready     2018-11-16 14:50:25

After the KSK state transitions to "waiting for ds-seen", export the DS record:

    # doas -u _opendnssec ods-enforcer key list
    example.com                     KSK      ready     waiting for ds-seen
    example.com                     ZSK      active    2019-02-14 00:50:25

    # doas -u _opendnssec ods-enforcer key export --zone example.com \
        --keystate ready --keytype KSK --ds
    ;ready KSK DS record (SHA256):
    example.com.    600     IN      DS      65331 13 2 

Before submitting DS record to the parent zone, run:

    # doas -u _opendnssec \
        ods-enforcer key ds-submit --zone example.com --keytag 65331

Then submit the DS record to the parent zone.

When DS RR appears in the parent zone, activate the KSK:

    # doas -u _opendnssec ods-enforcer key ds-seen --zone example.com --keytag 65331
    1 KSK matches found.
    1 KSKs changed.
    # ods-enforcer key list -v
    Zone:                           Keytype: State:    Date of next transition:
    example.com                     KSK      active    2018-11-17 20:07:31
    example.com                     ZSK      active    2018-11-17 20:07:31

The signed zone will appear in /var/opendnssec/signed/ directory
or will be transferred to your authoritative DNS server, depending
on the zone output configuration.

Upgrading from version 1.4.x to 2.x
OpenDNSSEC enforcer database migration is required if you are upgrading from
1.4.x to 2.x. Read ${PREFIX}/share/doc/opendnssec/MIGRATION
for more information.

Database conversion scripts
Note that OpenDNSSEC database conversion scripts are installed in
${PREFIX}/sbin and renamed:
    convert_mysql_to_sqlite to ods-convert_mysql_to_sqlite
    convert_sqlite_to_mysql to ods-convert_sqlite_to_mysql


Pavel Korovin



Library dependencies

Build dependencies

Test dependencies