Installation notes OpenDNSSEC 1.0a3, Antoin Verschuren, 09-09-2009

Basic installation is Ubuntu LTS Server (8.04.3), no extra packages, all upgrades applied.
We will install OpenDNSSEC 1.0a3.
We have installed everything as root, in root's homedir, but that obviously should be done according to system policy.

-First install some things developers may have installed by default, but users generally don't:

~# apt-get install subversion
~# apt-get install autoconf
~# apt-get install automake
~# apt-get install libtool

-Next, we need to install some packages OpenDNSSEC depends upon:

*ldns version 1.6.0 or later. We download from NLNetLabs and build ourselves:

~# cd
~# wget http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.1.tar.gz
~# tar xzvf ldns-1.6.1.tar.gz
~# cd ldns-1.6.1
~# ./configure
~# make
~# make install

*libxml2: On our Ubuntu, we need both libxml2 and libxml2-dev:

~# apt-get install libxml2
~# apt-get install libxml2-dev

*botan version 1.8.3 or later. We download and build ourselves (note: previous versions no longer work, see below):

~# wget http://files.randombit.net/botan/v1.8/Botan-1.8.3.tbz
~# tar xjvf Botan-1.8.3.tbz
~# cd Botan-1.8.3
~# ./configure
~# make
~# make install

*ruby, rubygems, dnsruby version 1.8 or later.
ruby and rubygems are installed from Ubuntu packages, dnsruby by rubygems:

~# apt-get install ruby
~# apt-get install rubygems
~# gem install dnsruby

*openssl:

~# apt-get install openssl

*The manual says to install java, which was already done on our system:

~# apt-get install sun-java6-jre sun-java6-plugin sun-java6-fonts

*sqlite3: On our Ubuntu, we need both sqlite3 and libsqlite3-dev:

~# apt-get install sqlite3
~# apt-get install libsqlite3-dev

*The Python XML library, python-4suite-xml:

~# apt-get install python-4suite-xml

-Now we can download and build OpenDNSSEC:

~# cd
~# svn co http://svn.opendnssec.org/tags/OpenDNSSEC-1.0a3 opendnssec
~# cd opendnssec/
~# sh autogen.sh
~# ./configure \
     --prefix=/usr/local/opendnssec \
     --sysconfdir=/etc \
     --localstatedir=/var \
     --with-ldns=/usr/local \
     --with-botan=/usr/local
~# make
~# make install

-And we want the SoftHSM too:

~# cd
~# svn co http://svn.opendnssec.org/tags/softHSM-1.0.0-RC3 SoftHSM
~# cd SoftHSM/
~# sh autogen.sh
~# ./configure \
     --prefix=/usr/local/opendnssec \
     --sysconfdir=/etc \
     --localstatedir=/var \
     --with-ldns=/usr/local \
     --with-botan=/usr/local
~# make
~# make install

-Finally, some post-installation to rebuild the dynamic linker caches:

~# ldconfig

Ok, now we're done with building everything. We first check everything is there, and browse through the configuration files to see what's in there. We didn't change anything in the conf files, we just looked at what's there.

Let's start with the SoftHSM.

-The SoftHSM conf file is located in /etc/softhsm.conf:

~# more /etc/softhsm.conf

The file looks like this:

# softHSM configuration file
#
0:/var/softhsm/slot0.db

-We need to add the path of the softhsm configuration to our environment to do anything with it:

~# export SOFTHSM_CONF=/etc/softhsm.conf

-Now we need to initialise the token:

~# softhsm --init-token --slot 0 --label OpenDNSSEC

This went wrong for us.
We got the same error as in http://trac.opendnssec.org/ticket/8. The init hangs after entering the pins:

The SO PIN must have a length between 4 and 255 characters.
Enter SO PIN:
The user PIN must have a length between 4 and 255 characters.
Enter user PIN:

We resolved this by tracing the system calls, and entered the pins there once again:

~# strace /usr/local/opendnssec/bin/softhsm --init-token --slot 0 --label OpenDNSSEC

And then entered the SO PIN and user PIN the system was waiting for. Closed the original softhsm command with control-c after that, which seemed ok. This is apparently fixed in the next release and Botan 1.8.3 or later, but we didn't want to wait for that.

Now let's look at the OpenDNSSEC configuration, and try to sign a zone.

-Check the configuration files:

~# cd /etc/opendnssec/
~# more conf.xml
~# more kasp.xml
~# more zonelist.xml

Again, we didn't change anything, using the defaults in there.

-Before we start everything up, let's create a zone that we want to sign:

~# cd /var/opendnssec/unsigned/
~# vi antointest.nl

and just create a simple zonefile, or in my case, I just copied from an existing one.

-Apparently, we need to use ksmutil to set the system up before running:

~# cd /usr/local/opendnssec/bin/
~# ./ksmutil setup

-Now that everything is ready to start up, let's add our test zone to the config:

~# cd /usr/local/opendnssec/bin/
~# ./ksmutil addzone antointest.nl

and yes, that worked:

~# grep antointest /etc/opendnssec/zonelist.xml
/var/opendnssec/signconf/antointest.nl.xml
/var/opendnssec/unsigned/antointest.nl
/var/opendnssec/signed/antointest.nl

-Before starting up for the first time, export the policies to the KASP DB:

~# cd /usr/local/opendnssec/bin/
~# ./ksmutil export

-Now we're ready to fire the system up:

~# cd /usr/local/opendnssec/sbin/
~# ./signer_engine
~# ./keygend
~# ./communicated

Does it work? Yes, apparently it did.
There's a signed zone in /var/opendnssec/signed/:

~# ls -la /var/opendnssec/signed/
total 16
drwxr-xr-x 2 root root 4096 2009-09-09 11:44 .
drwxr-xr-x 6 root root 4096 2009-09-10 09:44 ..
-rw-r--r-- 1 root root 6817 2009-09-09 11:44 antointest.nl

and a configuration for the zone according to the default policy is present in /:

~# ls -la /var/opendnssec/signconf/
total 12
drwxr-xr-x 2 root root 4096 2009-09-10 09:44 .
drwxr-xr-x 6 root root 4096 2009-09-10 09:44 ..
-rw-r--r-- 1 root root 1264 2009-09-09 11:44 antointest.nl.xml

The zone in the /signed directory is signed with NSEC3 and everything seems fine.

We can also check if the SoftHSM did anything, by looking at the public keys in the DB:

~# /usr/local/opendnssec/bin/hsmutil list
Listing keys in all repositories.
4 keys found.

Repository ID                               Type
---------- --                               ----
softHSM    5cfeb869c6cf147af378e89e4255e6e7 RSA/1024
softHSM    ffedd7aa24e66b5a930cec741216277a RSA/1024
softHSM    734dd7ee488cc91f3238adfd7753957d RSA/2048
softHSM    b8f906d42c3cbde4446d5d3a3ce0d57f RSA/2048

And after 1 day, the system is still running according to syslog:

~# cat /var/log/syslog
Sep 10 10:35:45 OpenDNSSEC keygend: Reading config "/etc/opendnssec/conf.xml"
Sep 10 10:35:45 OpenDNSSEC keygend: Reading config schema "/usr/local/opendnssec/share/opendnssec/conf.rng"
Sep 10 10:35:45 OpenDNSSEC keygend: Key Generation Interval: 180
Sep 10 10:35:45 OpenDNSSEC keygend: Communication Interval: 3600
Sep 10 10:35:45 OpenDNSSEC keygend: HSM Backup Interval: 259200
Sep 10 10:35:45 OpenDNSSEC keygend: SQLite database set to: /var/opendnssec/kasp.db
Sep 10 10:35:45 OpenDNSSEC keygend: Log User set to: local0
Sep 10 10:35:45 OpenDNSSEC keygend: Switched log facility to: local0
Sep 10 10:35:45 OpenDNSSEC keygend: Connecting to Database...
Sep 10 10:35:45 OpenDNSSEC keygend: Policy default found.
Sep 10 10:35:45 OpenDNSSEC keygend: Key sharing is Off.
Sep 10 10:35:45 OpenDNSSEC keygend: Disconnecting from Database...
Sep 10 10:35:45 OpenDNSSEC keygend: Sleeping for 180 seconds.

So, the next step is to see if it keeps running, and do the rollovers. The next report will be on that, as it implies changing the config parameters.
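As an added example, not part of Antoin's notes: a POSIX shell script with two sanity checks a practitioner would run after the steps above, one for the SOFTHSM_CONF environment and token database that the init step stumbled over, and one that confirms the signed zone really carries the KSK/ZSK DNSKEYs, RRSIGs, NSEC3PARAM and NSEC3 records the default policy should produce. The function names, the sample zone and the default paths are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: post-install sanity checks
# for the setup above. Default paths below are assumptions matching the notes.
# Usage: . ./checks.sh; check_softhsm_env; check_signed_zone /var/opendnssec/signed/antointest.nl

# SoftHSM: SOFTHSM_CONF must be exported and every "slot:dbpath" line in it
# must name a token database that "softhsm --init-token" has created.
check_softhsm_env() {
    conf="${SOFTHSM_CONF:-}"
    [ -r "$conf" ] || { echo "SOFTHSM_CONF unset or unreadable: '$conf'"; return 1; }
    rc=0
    for entry in $(grep -E '^[0-9]+:' "$conf"); do
        db=${entry#*:}
        [ -f "$db" ] || { echo "slot ${entry%%:*}: $db missing, token not initialised"; rc=1; }
    done
    return $rc
}

# Signed zone: the default KASP policy should give a KSK (DNSKEY flags 257),
# a ZSK (flags 256), RRSIGs, an NSEC3PARAM record and NSEC3 chain records.
# Assumes the signer's output format: one full record per line with class IN.
check_signed_zone() {
    zone="$1"; rc=0
    [ -r "$zone" ] || { echo "no signed zone at $zone"; return 1; }
    for pair in 'KSK=DNSKEY[[:space:]]+257' 'ZSK=DNSKEY[[:space:]]+256' \
                'RRSIG=RRSIG' 'NSEC3PARAM=NSEC3PARAM' 'NSEC3=NSEC3'; do
        name=${pair%%=*}; re=${pair#*=}
        n=$(grep -Ec "[[:space:]]IN[[:space:]]+$re([[:space:]]|\$)" "$zone")
        [ "$n" -gt 0 ] || { echo "$zone: no $name records found"; rc=1; }
    done
    return $rc
}

# Constructed sample resembling a minimal signed zone (placeholder key and
# signature data, not real signer output), for trying the check offline.
write_sample_zone() {
    cat > "$1" <<'EOF'
antointest.nl. 3600 IN SOA ns1.antointest.nl. hostmaster.antointest.nl. 2009090901 3600 900 1209600 3600
antointest.nl. 3600 IN RRSIG SOA 7 2 3600 20090924000000 20090910000000 12345 antointest.nl. AAAA
antointest.nl. 3600 IN DNSKEY 257 3 7 AwEAAcKSK ; KSK, placeholder key data
antointest.nl. 3600 IN DNSKEY 256 3 7 AwEAAcZSK ; ZSK, placeholder key data
antointest.nl. 3600 IN RRSIG DNSKEY 7 2 3600 20090924000000 20090910000000 23456 antointest.nl. BBBB
antointest.nl. 0 IN NSEC3PARAM 1 0 5 ab12
0hash0.antointest.nl. 3600 IN NSEC3 1 0 5 ab12 1hash1 NS SOA RRSIG DNSKEY NSEC3PARAM
EOF
}
```

Both checks return non-zero and print what is missing, so they can go into a cron job or a deployment script next to the ksmutil steps.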