OpenDNSSEC Deployment Tianyi Xing
Roadmap
• By mid-term
  • Establish a DNSSEC server within the mobicloud system (hopefully done by next week)
    • Successfully installed
    • At the configuration stage
  • Configure the network to make sure the DNSSEC server serves the right purpose in the mobicloud system (within 3 days)
• By final
  • Perfect its function
    • Dynamically cooperate with the user ID and IP address
    • Dynamically update the IP (ID) and domain pair
  • Documentation
OpenDNSSEC Working Flow
• OpenDNSSEC is a complete DNSSEC solution
• It completely automates the process of keeping track of keys and the signing of zones.
Components (contd.)
• HSM
  • The key storage component (usually in hardware)
  • Performs cryptographic operations
  • Private keys never appear outside the HSM
  • It can perform 1-14,000 signatures per second
• SoftHSM
  • SoftHSM is an implementation of a cryptographic store accessible through a PKCS#11 interface.
  • Uses Botan for its cryptographic operations and SQLite to store its key material.
Components (contd.)
• KASP
  • Decides when zones are re-signed
  • Decides when keys are rolled
  • Decides which keys are used
• Signer Engine
  • Sorts RRsets
  • Signs RRsets
  • Keeps the RRSIGs up to date
Components
• Enforcer
  • Deals with key rollover and key generation
  • Conf.xml: <Enforcer></Enforcer>
• Signer
  • Constructs signature records to include in the zone file
  • Conf.xml: <Signer></Signer>
Components
• Auditor
  • Checks a signed zone against the policy and the unsigned zone
  • Conf.xml: <Auditor></Auditor>
OpenDNSSEC preparation
• Hardware
  • Dell server
• Software
  • XenServer
  • Ubuntu 10.10
Compile OpenDNSSEC
• Dependencies
  • libxml2-dev
  • libldns-dev
    • Version must be later than 1.6.7
    • Install ldns 1.6.8
      • Needs OpenSSL 1.0
  • SQLite3
    • libsqlite3-dev
  • rubygems
    • dnsruby
OpenDNSSEC Configuration
• Conf.xml
  • Overall configuration of the system
• Kasp.xml
  • Defines the policy for signing
• Zonelist.xml
  • Lists all the zones that you are going to sign
• Zonefetch.xml (optional)
  • Zone transfers
Conf.xml
• /etc/opendnssec/conf.xml
• Overall configuration of OpenDNSSEC
  • Logging facilities (syslog only so far)
  • System paths
  • Key repositories
  • Privileges
  • Database (all key and zone info is stored there)
Kasp.xml
• /etc/opendnssec/kasp.xml
• Information included
  • Security parameters used for signing zones
  • Timing parameters used for signing zones
Zonelist.xml
• /etc/opendnssec/zonelist.xml
• The zonelist.xml file is used when first setting up the system, but also by ods-signerd when signing zones
• Information
  • The zone's DNS name
  • The policy from kasp.xml used to sign the zone
  • How to obtain the zone
  • How to publish the zone
Zonefetch.xml
• Configuration for signing zones received by zone transfer (AXFR)
• Information included
  • Where to fetch zone data from
  • Protection mechanisms to be used
SoftHSM installation
• Dependency
  • Botan 1.8.5 or a later version
  • Don't use yum, apt-get or any other automatic online installation.
  • Download Botan from http://botan.randombit.net/download.html and install it.
SoftHSM configuration
• Add the tokens to the slots: /etc/softhsm.conf
  • The token databases do not exist at this stage. The given paths are just an indication to SoftHSM of where it should store the information for each token. Each token is now treated as uninitialized.
• Initialize your tokens
  • With the softhsm tool or through the PKCS#11 interface
• Link to this library and use the PKCS#11 interface
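OpenDNSSEC only reaches the SoftHSM token if the repository entry in conf.xml matches the slot, label and PIN chosen when the token was initialized, so the two files are shown together here as an added example that is not part of the deck. It assumes a slot-0 token labelled "OpenDNSSEC", the SoftHSM v1 library at /usr/local/lib/libsofthsm.so, a dedicated opendnssec user, and placeholder PINs.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- /etc/softhsm.conf (SoftHSM v1) is one line per slot, "slot:path", e.g.
       0:/var/lib/softhsm/slot0.db
     The database is created when the token is initialized:
       softhsm --init-token --slot 0 --label "OpenDNSSEC" --so-pin 1234 --pin 1234
     (1234 is a placeholder; use real PINs and keep this file readable only by the
     opendnssec user, since it stores the user PIN in clear text) -->

<!-- /etc/opendnssec/conf.xml: minimal configuration using that token -->
<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/usr/local/lib/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>   <!-- must equal the --label used above -->
      <PIN>1234</PIN>                       <!-- must equal the --pin used above -->
    </Repository>
  </RepositoryList>
  <Common>
    <Logging>
      <Syslog><Facility>local0</Facility></Syslog>
    </Logging>
    <PolicyFile>/etc/opendnssec/kasp.xml</PolicyFile>
    <ZoneListFile>/etc/opendnssec/zonelist.xml</ZoneListFile>
  </Common>
  <Enforcer>
    <Privileges>
      <User>opendnssec</User>
      <Group>opendnssec</Group>
    </Privileges>
    <Datastore><SQLite>/var/lib/opendnssec/db/kasp.db</SQLite></Datastore>
    <Interval>PT3600S</Interval>
  </Enforcer>
  <Signer>
    <Privileges>
      <User>opendnssec</User>
      <Group>opendnssec</Group>
    </Privileges>
    <WorkingDirectory>/var/lib/opendnssec/tmp</WorkingDirectory>
  </Signer>
  <Auditor>
    <Privileges>
      <User>opendnssec</User>
      <Group>opendnssec</Group>
    </Privileges>
    <WorkingDirectory>/var/lib/opendnssec/tmp</WorkingDirectory>
  </Auditor>
</Configuration>
```

A mismatch between the module path, token label or PIN here and the initialized token is a common reason for ods-enforcerd and ods-signerd failing at start; `ods-hsmutil test SoftHSM` exercises the repository before `ods-control start`.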
Error during start
• ods-ksmutil setup
• ods-control start
  • Enforcer fails to start
  • Signer fails to start
Next steps
• Make the signer and enforcer run successfully
• Cooperate with the DHCP server to automatically add the zone and sign it with a specific policy and key.