Installation notes OpenDNSSEC 1.0.0b5, Rick Zijlker, 2-11-2009

Basic installation is Ubuntu LTS Server (8.04.3), no extra packages, all upgrades applied.
We will install OpenDNSSEC 1.0.0b5. We have installed everything as root, in /usr/local/bin.

-The following dependencies must be installed first:
~# sudo su -
~# apt-get install subversion
~# apt-get install autoconf
~# apt-get install automake
~# apt-get install libtool
~# apt-get install libxml2
~# apt-get install libxml2-dev
~# apt-get install openssl
~# apt-get install sun-java6-jre sun-java6-plugin sun-java6-fonts
~# apt-get install sqlite3
~# apt-get install libsqlite3-dev
~# apt-get install python-4suite-xml
~# apt-get install ruby
~# apt-get install rubygems
~# cd /usr/local/bin
~# wget http://rubyforge.org/frs/download.php/65630/dnsruby-1.39.gem
~# sudo gem install /usr/local/bin/dnsruby-1.39.gem

Note that the gem and all tarballs below are fetched over plain http and built without checking a checksum or signature. Compare them against the checksums the projects publish before doing this on a machine that will hold real signing keys.

-Next, we need to install some packages:

*ldns version 1.6.1 or later we download from NLNetLabs, and build ourselves:
~# cd /usr/local/bin
~# wget http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.1.tar.gz
~# tar -xvf ldns-1.6.1.tar.gz
~# cd ldns-1.6.1
~# ./configure
~# make
~# make install

*botan version 1.9.0 we download and build ourselves:
~# cd /usr/local/bin
~# wget http://files.randombit.net/botan/v1.9/Botan-1.9.0.tbz
~# tar -xjvf Botan-1.9.0.tbz
~# cd Botan-1.9.0
~# python ./configure.py
~# make
~# make install

-Now we can download and build OpenDNSSEC:
~# cd /usr/local/bin
~# wget http://www.opendnssec.org/files/source/opendnssec-1.0.0b5.tar.gz
~# tar -xvf opendnssec-1.0.0b5.tar.gz
~# cd /usr/local/bin/opendnssec-1.0.0b5
~# ./configure --prefix=/usr/local/bin/opendnssec-b5 --sysconfdir=/etc --localstatedir=/var --with-botan=/usr/local/bin --with-ldns=/usr/local/bin
~# make
~# make install
(ldns and Botan were installed with their default prefix, so their headers and libraries live under /usr/local/include and /usr/local/lib. If configure cannot find them with the paths above, point --with-botan and --with-ldns at /usr/local instead.)

-And we want the SoftHSM too:
~# cd /usr/local/bin
~# wget http://www.opendnssec.org/files/source/softhsm-1.0.0.tar.gz
~# tar -xvf softhsm-1.0.0.tar.gz
~# cd softhsm-1.0.0/
~# ./configure --prefix=/usr/local/bin/softhsm --sysconfdir=/etc --localstatedir=/var --with-botan=/usr/local/bin
~# make
~# make install

-Finally, some post-installation to rebuild the dynamic linker cache:
~# ldconfig

Ok, now we're done with building everything. We first check that everything is there, and browse through the configuration files to see what's in them. We didn't change anything in the conf files, just looked at what's there.

Let's start with the SoftHSM.

-The SoftHSM conf file is located in /etc/softhsm.conf:
~# more /etc/softhsm.conf
The file looks like this:
# softHSM configuration file
#
0:/var/softhsm/slot0.db

-We need to add the path to the softhsm configuration to our environment to do anything with it:
~# export SOFTHSM_CONF=/etc/softhsm.conf
~# echo $SOFTHSM_CONF
The last command should show: /etc/softhsm.conf

-Now we need to initialise the token. Use the PIN as set in conf.xml (default 1234). The PIN is stored in clear text in conf.xml, so that file should be readable only by the user OpenDNSSEC runs as, and 1234 should be changed for anything beyond a test setup.
~# cd /usr/local/bin/softhsm/bin/
~# sudo ./softhsm --init-token --slot 0 --label "OpenDNSSEC"

******* Work-around: if entering the PIN crashes the initialisation, do the following ******
Same error as in http://trac.opendnssec.org/ticket/8. The init hangs after entering the PINs:
The SO PIN must have a length between 4 and 255 characters.
Enter SO PIN:
The user PIN must have a length between 4 and 255 characters.
Enter user PIN:
We resolved this by tracing the system calls, and entered the PINs there once again:
~# strace /usr/local/opendnssec-b5/bin/softhsm --init-token --slot 0 --label OpenDNSSEC
And then entered the SO PIN and user PIN the system was waiting for. Closed the original softhsm command with control-c after that, which seemed ok. This is apparently fixed in the next release and Botan 1.8.3 or later, but we didn't want to wait for that.
****** End of work-around ******

------ To add more slots ------
-Change the configuration file for softhsm:
~# sudo vi /etc/softhsm.conf
Add an extra line for the new slot. For instance:
1:/var/softhsm/slot1.db

-Now initialise this second slot:
~# cd /usr/local/bin/softhsm/bin/
~# ./softhsm --init-token --slot 1 --label "yourname"

-And add the new slot to the config of OpenDNSSEC to be able to use it, as a second Repository element with the module path, the token label and the PIN of the new slot (in our case: /home/rick/SoftHSM/lib/libsofthsm.so, ricktest, 1234):
~# vi /etc/opendnssec/conf.xml
Now you can refer to this new slot in your preferred policy.
------ End of adding more slots ------

Now let's look at the OpenDNSSEC configuration, and try to sign a zone.

-Check the configuration files:
~# cd /etc/opendnssec/
~# more conf.xml
~# more kasp.xml
~# more zonelist.xml

-Before we start everything up, let's create a zone that we want to sign:
~# cd /var/opendnssec/unsigned/
~# vi rick.nl
and just create a simple zone file, or in my case, I just copied an existing one.

-Apparently, we need to use ksmutil to set the system up before running:
~# cd /usr/local/bin/opendnssec-b5/bin/
~# ./ods-ksmutil setup
If this fails and you get the following message:
SQLite database set to: /var/opendnssec/kasp.db
hsm_session_init(): PKCS#11 module load failed: /usr/local/bin/opendnssec-b5/lib/libsofthsm.so
make sure the path to libsofthsm.so in /etc/opendnssec/conf.xml is correct.
In my case I had to change it to:
/usr/local/bin/softhsm/lib/libsofthsm.so

-Now that everything is ready to start up, let's add our test zone to the config:
~# cd /usr/local/bin/opendnssec-b5/bin/
~# ./ksmutil zone add -z rick.nl /var/opendnssec/unsigned/ /var/opendnssec/signed/
and yes, that worked (the signer configuration, input and output paths of the new zone):
~# grep rick /etc/opendnssec/zonelist.xml
/var/opendnssec/signconf/rick.nl.xml
/var/opendnssec/unsigned/rick.nl
/var/opendnssec/signed/rick.nl

-This optional step is to check the SoftHSM database for its contents:
~# sqlite3 -list /var/softhsm/slot0.db
select * from Token;
0|OpenDNSSEC
1|66C782E8F95BA958F28ADAAE576C42A263C2449AF416FB844499BEF7FD41B2D0
2|66C782E8F95BA958F28ADAAE576C42A263C2449AF416FB844499BEF7FD41B2D0
.exit
Row 0 is the token label; rows 1 and 2 are the hashed SO PIN and user PIN. They are identical here because we used the same PIN for both, which is fine for a test box but not for anything else.
-sqlite3 commands for exploring the DB:
.tables
.schema

-Before starting up for the first time, generate keys and export the policies to the KASP DB:
~# cd /usr/local/bin/opendnssec-b5/bin/
~# ./ksmutil key generate --policy default --interval 1
~# ./ksmutil policy export -a

-You can check if the keys have been generated with the following command:
~# ./ods-hsmutil list
Listing keys in all repositories.
4 keys found.

Repository  ID                                Type
----------  --                                ----
softHSM     5cfeb869c6cf147af378e89e4255e6e7  RSA/1024
softHSM     ffedd7aa24e66b5a930cec741216277a  RSA/1024
softHSM     734dd7ee488cc91f3238adfd7753957d  RSA/2048
softHSM     b8f906d42c3cbde4446d5d3a3ce0d57f  RSA/2048
(the default policy uses RSA/1024 for the ZSK and RSA/2048 for the KSK, so these are two ZSKs and two KSKs)

-Now we're ready to fire the system up:
~# cd /usr/local/bin/opendnssec-b5/bin/
~# ./ods-control start
~# ./ods-control update

-And just sign the zone:
~# ./ods-signer sign rick.nl

*********** When no signconf is found ***********
Quote: "I found that killing the ods-enforcerd, running "ods-ksmutil update", then restarting the ods-enforcerd and ods-signer, and running "update" in the ods-signer, seems to load the added zone successfully."
*************************************************

-The last command should've initiated signing of rick.nl.
Let's check the log:
~# cat /var/log/syslog
Oct 22 15:33:15 OpenDNSSEC ods-signerd: Received command: 'sign rick.nl'
Oct 22 15:33:15 OpenDNSSEC ods-signerd: Scheduling task to sign zone rick.nl at 1256207799.99 with resign time 7200
It worked! There's a signed zone in /var/opendnssec/signed/:
~# ls -la /var/opendnssec/signed/
total 16
drwxr-xr-x 2 root root 4096 2009-09-09 11:44 .
drwxr-xr-x 6 root root 4096 2009-09-10 09:44 ..
-rw-r--r-- 1 root root 6817 2009-09-09 11:44 rick.nl
and a configuration for the zone according to the default policy is present in /var/opendnssec/signconf/:
~# ls -la /var/opendnssec/signconf/
total 12
drwxr-xr-x 2 root root 4096 2009-09-10 09:44 .
drwxr-xr-x 6 root root 4096 2009-09-10 09:44 ..
-rw-r--r-- 1 root root 1264 2009-09-09 11:44 rick.nl.xml
The zone in the /signed directory is signed with NSEC3 and everything seems fine.

And after 1 day, the system is still running according to syslog:
~# cat /var/log/syslog
Sep 10 10:35:45 OpenDNSSEC keygend: Reading config "/etc/opendnssec/conf.xml"
Sep 10 10:35:45 OpenDNSSEC keygend: Reading config schema "/usr/local/opendnssec/share/opendnssec/conf.rng"
Sep 10 10:35:45 OpenDNSSEC keygend: Key Generation Interval: 180
Sep 10 10:35:45 OpenDNSSEC keygend: Communication Interval: 3600
Sep 10 10:35:45 OpenDNSSEC keygend: HSM Backup Interval: 259200
Sep 10 10:35:45 OpenDNSSEC keygend: SQLite database set to: /var/opendnssec/kasp.db
Sep 10 10:35:45 OpenDNSSEC keygend: Log User set to: local0
Sep 10 10:35:45 OpenDNSSEC keygend: Switched log facility to: local0
Sep 10 10:35:45 OpenDNSSEC keygend: Connecting to Database...
Sep 10 10:35:45 OpenDNSSEC keygend: Policy default found.
Sep 10 10:35:45 OpenDNSSEC keygend: Key sharing is Off.
Sep 10 10:35:45 OpenDNSSEC keygend: Disconnecting from Database...
Sep 10 10:35:45 OpenDNSSEC keygend: Sleeping for 180 seconds.

So, the next step is to see if it keeps running, and do the rollovers. The next report will be on that, as it implies changing the config parameters.
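As an added example (not code from these notes and not part of OpenDNSSEC or SoftHSM), here is a small POSIX shell script with the sanity checks that would have caught the two snags above before starting the daemons: the <Module> path to libsofthsm.so in conf.xml not existing, and the slot paths in softhsm.conf, plus a check that the signed zone really carries DNSKEY, NSEC3PARAM and RRSIG records. The default paths are the ones used in these notes. The conf.xml, softhsm.conf and zone files it writes are constructed test fixtures with placeholder keys and signatures, not signer output.

```shell
#!/bin/sh
# Added example, not part of OpenDNSSEC or SoftHSM: post-install sanity checks
# for the setup in these notes. Default paths are the ones used above; all
# sample data written by make_fixtures is constructed (fake keys, fake RRSIGs).

# Print every <Module> value in an OpenDNSSEC conf.xml, one per line.
conf_modules() {
    sed -n 's/.*<Module>\([^<]*\)<\/Module>.*/\1/p' "$1"
}

# 0 when every PKCS#11 module named in conf.xml exists on disk, else 1.
# This is the "hsm_session_init(): PKCS#11 module load failed" case above.
check_pkcs11_modules() {
    conf="${1:-/etc/opendnssec/conf.xml}"
    rc=0
    for m in $(conf_modules "$conf"); do
        if [ -f "$m" ]; then echo "ok      $m"
        else echo "MISSING $m  (fix <Module> in $conf)"; rc=1; fi
    done
    return $rc
}

# 0 when softhsm.conf is readable and the directory of every "slot:db" line
# exists (the db file itself is created by softhsm --init-token), else 1.
check_softhsm_conf() {
    conf="${1:-${SOFTHSM_CONF:-/etc/softhsm.conf}}"
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf (is SOFTHSM_CONF exported?)"; return 1
    fi
    rc=0
    for entry in $(grep -v '^[[:space:]]*#' "$conf" | grep ':'); do
        slot="${entry%%:*}"; db="${entry#*:}"
        if [ -d "$(dirname "$db")" ]; then echo "slot $slot -> $db"
        else echo "slot $slot -> $db  (directory missing)"; rc=1; fi
    done
    return $rc
}

# Count records of one RR type in a zone file. The type is the first all-caps
# token that is not the class "IN", so "RRSIG DNSKEY ..." counts as RRSIG only.
count_rrtype() {
    awk -v t="$2" '
        /^[ \t]*;/ || NF == 0 { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[A-Z][A-Z0-9]*$/ && $i != "IN") {
                    if ($i == t) n++
                    break
                }
        }
        END { print n + 0 }' "$1"
}

# 0 when the zone has at least one DNSKEY, one NSEC3PARAM and one RRSIG, else 1.
check_signed_zone() {
    k=$(count_rrtype "$1" DNSKEY)
    p=$(count_rrtype "$1" NSEC3PARAM)
    s=$(count_rrtype "$1" RRSIG)
    echo "$1: DNSKEY=$k NSEC3PARAM=$p RRSIG=$s"
    [ "$k" -ge 1 ] && [ "$p" -ge 1 ] && [ "$s" -ge 1 ]
}

# Constructed fixtures (placeholder keys and signatures, not real DNSSEC data) in $1.
make_fixtures() {
    d="$1"; mkdir -p "$d/lib" "$d/var"; : > "$d/lib/libsofthsm.so"
    printf '%s\n' '# softHSM configuration file' "0:$d/var/slot0.db" > "$d/softhsm.conf"
    printf '%s\n' '# softHSM configuration file' "1:$d/nodir/slot1.db" > "$d/softhsm-bad.conf"
    for f in conf conf-bad; do
        case $f in conf) mod="$d/lib/libsofthsm.so" ;; *) mod="$d/lib/missing.so" ;; esac
        cat > "$d/$f.xml" <<EOF
<Configuration><RepositoryList>
  <Repository name="softHSM"><Module>$mod</Module><TokenLabel>OpenDNSSEC</TokenLabel><PIN>1234</PIN></Repository>
</RepositoryList></Configuration>
EOF
    done
    cat > "$d/rick.nl.unsigned" <<'EOF'
rick.nl. 3600 IN SOA ns1.rick.nl. hostmaster.rick.nl. 2009102201 3600 900 604800 3600
rick.nl. 3600 IN NS  ns1.rick.nl.
EOF
    cat > "$d/rick.nl.signed" <<'EOF'
; constructed signed zone: key material and signatures are placeholders
rick.nl. 3600 IN SOA ns1.rick.nl. hostmaster.rick.nl. 2009102201 3600 900 604800 3600
rick.nl. 3600 IN NS  ns1.rick.nl.
rick.nl. 3600 IN DNSKEY 256 3 7 AwEAAfakeZSK=
rick.nl. 3600 IN DNSKEY 257 3 7 AwEAAfakeKSK=
rick.nl. 3600 IN RRSIG SOA 7 2 3600 20091122000000 20091022000000 11111 rick.nl. fakesig=
rick.nl. 3600 IN RRSIG NS 7 2 3600 20091122000000 20091022000000 11111 rick.nl. fakesig=
rick.nl. 3600 IN RRSIG DNSKEY 7 2 3600 20091122000000 20091022000000 22222 rick.nl. fakesig=
rick.nl. 0 IN NSEC3PARAM 1 0 5 beef
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.rick.nl. 3600 IN NSEC3 1 0 5 beef 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA RRSIG DNSKEY NSEC3PARAM
EOF
}

# "sh ods-check.sh live" checks the real install; "sh ods-check.sh demo" runs on the fixtures.
case "${1:-}" in
    live) check_softhsm_conf; check_pkcs11_modules; check_signed_zone /var/opendnssec/signed/rick.nl ;;
    demo) T=$(mktemp -d); make_fixtures "$T"; check_softhsm_conf "$T/softhsm-bad.conf"
          check_pkcs11_modules "$T/conf-bad.xml"; check_signed_zone "$T/rick.nl.signed"; rm -rf "$T" ;;
esac
```

Run it with "live" after ods-ksmutil setup and again after the first ods-signer sign; a MISSING line is the conf.xml path problem from the setup step, and a zone with RRSIG=0 means the signer never wrote output. The record counter deliberately looks at the first all-caps token rather than a fixed column, because the TTL column is optional in zone files and an RRSIG's covered-type field would otherwise be miscounted.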