[Opendnssec-user] Step by step Ubuntu 10.10 - signs zone but queries don't work

Derek Brodeur dazednkonfused at gmail.com
Thu Mar 8 23:14:44 UTC 2012


Hello,

I think I am close to getting them working but when I do +dnssec queries, I
still get nothing. After these steps, I'm getting the following errors:

Mar  8 15:05:18 ubuntu ods-auditor[13338]: example.com : SOA differs : from
2012030506 to 2012030800
---- I have datecounter as my serial.... if I change this to 2012030800 or
whatever the current date is, will this synch up?

rndc: could not load rndc configuration
rndc: error: none:0: open: /etc/bind/rndc.key: permission denied
---- this periodically spams my screen... what is going on with these
errors? what permissions does this .key file need...?

I kind of followed the guide/instructions located as part of the DNSSEC
workshop...specifically this file:

https://nsrc.org/workshops/2011/dakar-dnssec/raw-attachment/wiki/Agenda/opendnssec-howoto.txt

STEPS TAKEN TO SETUP OPENDNSSEC:


Add ppa repository
sudo add-apt-repository ppa:pkg-opendnssec/ppa
sudo apt-get update
Ubuntu Software center:
sudo apt-get install libldns1
sudo apt-get install rubygems
sudo apt-get install dnsruby
sudo apt-get install ruby-dev
sudo apt-get install libopenssl-ruby
sudo apt-get install sqlite3
sudo apt-get install libsqlite3-dev
sudo apt-get install opendnssec
-------------------------------------------------
SoftHSM is an implementation of a cryptographic store accessible through
PKCS#11.
Basically it virtualizes having a ‘smart card’ in order to save on
time/money and allows you to use this virtualized smart card to sign zones.
So we install and then initialize a token.

sudo apt-get install libbotan-1.10-0
sudo apt-get install softhsm

sudo chmod -R 755 /etc/softhsm
sudo chmod -R 755 /var/lib/softhsm
softhsm --init-token --slot 0 --label OpenDNSSEC
Pw=1234, pw=1234
-------------------------------------------------
sudo chmod -R 755 opendnssec
sudo nano /etc/opendnssec/kasp.xml
Comment out <NSEC3>---through---</NSEC3>
Add <NSEC></NSEC> below it
Go down to <zone> section, change unixtime to datecounter
NOTE: had issues with the serial/time several times, not sure if I ever got
this fixed but this was the solution told
sudo nano /etc/opendnssec/conf.xml
Remove comments surrounding the first repository - softHSM
NOTE: tokenlabel value must match what was previously used when
initializing the token (Ex: OpenDNSSEC)
-------------------------------------------------
ods-ksmutil setup
Y at the warning
sudo nano /etc/bind/named.conf.local
In zone example.com add:
allow-transfer { 127.0.0.1; };
sudo rndc reconfig
sudo chmod 755 /var/lib/opendnssec
Copy your unsigned zone file into the unsigned folder
EX: “sudo cp /etc/bind/zones/example.com /var/lib/opendnssec/unsigned”
NOTE: This zone file should not contain any BIND DNSSEC info…keys…etc
sudo ods-ksmutil zone add --zone example.com
-------------------------------------------------
sudo nano /etc/opendnssec/conf.xml
Remove comment lines surrounding:
“<NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>”
Remove comment lines surrounding:
<Privileges>
<User>opendnssec</User>
<Group>opendnssec</Group>
</Privileges>
cd /etc
sudo chown -R opendnssec:opendnssec opendnssec
cd /var/lib
sudo chown -R opendnssec:opendnssec opendnssec
cd /etc
sudo chmod -R 777 softhsm

-------------------------------------------------
sudo adduser opendnssec softhsm
sudo chown -R opendnssec /var/lib/softhsm/
sudo nano /etc/bind/named.conf.options
Add “dnssec-enable yes;” in the options
Restart bind
sudo ods-ksmutil setup
sudo ods-control start
sudo ods-sign sign example.com

NOTE: At this point the zone in /unsigned gets signed and moved to /tmp, and
/signconf files are also generated. The zone is signed in /signed but I am still
unable to fill +dnssec queries.
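The "SOA differs" auditor message above is about zone serial numbers, which DNS compares with RFC 1982 serial arithmetic. As an added example (not code from the original post or from OpenDNSSEC), the following Python models a datecounter-style serial (YYYYMMDDnn) and checks whether a signed serial is a valid increase over the unsigned one; the exact datecounter rule used here (today's date followed by 00, or the previous serial plus one when that would not be an increase) is an assumption for illustration.

```python
"""RFC 1982 serial arithmetic plus a datecounter-style serial generator.

Added example, not from the original post or from OpenDNSSEC. The
datecounter rule modelled here is an assumption used to illustrate why a
signed zone's SOA serial (e.g. 2012030800) differs from the unsigned
zone's (e.g. 2012030506) and why that is still a valid, forward move.
"""
from datetime import date

SERIAL_MOD = 2 ** 32   # SOA serial is a 32-bit unsigned integer
HALF = 2 ** 31         # RFC 1982 comparison window


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: is serial a 'greater than' serial b (modulo 2^32)?"""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def next_datecounter_serial(previous: int, yyyymmdd: int) -> int:
    """Next YYYYMMDDnn serial for the given day (assumed rule).

    Falls back to previous+1 when the date-based candidate would not be
    an RFC 1982 increase, so the serial never moves backwards.
    """
    candidate = yyyymmdd * 100
    if serial_gt(candidate, previous):
        return candidate
    return (previous + 1) % SERIAL_MOD


def check_signed_serial(unsigned_serial: int, signed_serial: int) -> str:
    """Describe what a serial comparison sees for unsigned vs. signed SOA."""
    if unsigned_serial == signed_serial:
        return "equal"
    if serial_gt(signed_serial, unsigned_serial):
        return "signed serial is ahead (secondaries will accept the signed zone)"
    return "signed serial is BEHIND (secondaries would refuse the signed zone)"


if __name__ == "__main__":
    # Constructed values taken from the auditor line quoted in the post.
    unsigned, signed = 2012030506, 2012030800
    print(check_signed_serial(unsigned, signed))
    today = int(date.today().strftime("%Y%m%d"))
    print("next datecounter serial:", next_datecounter_serial(signed, today))
```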