Cryptech Project - DNSSEChttps://wiki.cryptech.is/2017-05-13T21:34:00+00:00DNSSEC/Requirements2016-12-15T22:44:00+00:002016-12-15T22:44:00+00:00Cryptech Core Teamtag:wiki.cryptech.is,2016-12-15:/DNSSEC-Requirements<h1>DNSSEC Requirements</h1> <h2>Questions</h2> <ul> <li>Should we even support SHA-1?</li> <li>GOST?</li> </ul> <h2>Must implement</h2> <p>Target DNSSEC Algorithms:</p> <ul> <li>RSA/SHA-256 (RFC 5702)</li> <li>RSA/SHA-512 (RFC 5702)</li> </ul> <p>Algorithms:</p> <ul> <li>Hash: SHA-256</li> <li>Hash: SHA-512</li> <li>Sign: RSA</li> </ul> <p>Required PKCS11 Mechs:</p> <ul> <li>CKM_RSA_PKCS_KEY_PAIR_GEN</li> <li>CKM_SHA256_RSA_PKCS</li> <li>CKM_SHA512_RSA_PKCS</li> <li>CKM_RSA_PKCS (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)</li> <li>CKM_SHA256</li> <li>CKM_SHA512</li> </ul> <h2>Should implement</h2> <p>Target …</p><h1>DNSSEC Requirements</h1> <h2>Questions</h2> <ul> <li>Should we even support SHA-1?</li> <li>GOST?</li> </ul> <h2>Must implement</h2> <p>Target DNSSEC Algorithms:</p> <ul> <li>RSA/SHA-256 (RFC 5702)</li> <li>RSA/SHA-512 (RFC 5702)</li> </ul> <p>Algorithms:</p> <ul> <li>Hash: SHA-256</li> <li>Hash: SHA-512</li> <li>Sign: RSA</li> </ul> <p>Required PKCS11 Mechs:</p> <ul> <li>CKM_RSA_PKCS_KEY_PAIR_GEN</li> <li>CKM_SHA256_RSA_PKCS</li> <li>CKM_SHA512_RSA_PKCS</li> <li>CKM_RSA_PKCS (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)</li> <li>CKM_SHA256</li> <li>CKM_SHA512</li> </ul> <h2>Should implement</h2> <p>Target DNSSEC Algorithms:</p> <ul> <li>ECDSA/P-256/SHA-256 (RFC 6605)</li> <li>ECDSA/P-384/SHA-384 (RFC 6605)</li> </ul> <p>Algorithms:</p> <ul> <li>Hash: SHA-256</li> <li>Hash: SHA-384</li> <li>Sign: P-256</li> <li>Sign: P-384</li> </ul> <p>Required PKCS11 Mechs:</p> <ul> <li>CKM_EC_KEY_PAIR_GEN</li> <li>CKM_ECDSA_SHA256</li> <li>CKM_ECDSA_SHA384</li> <li>CKM_ECDSA (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)</li> <li>CKM_SHA256</li> <li>CKM_SHA384</li> </ul> <h2>May implement</h2> <p>Target DNSSEC Algorithms:</p> <ul> <li>RSA/SHA-1 (RFC 3110)</li> <li>GOST (RFC 5933)</li> </ul> <p>Algorithms:</p> <ul> <li>Hash: SHA-1</li> <li> <p>Sign: RSA</p> </li> <li> <p>Hash: GOST R 34.11-94 (RFC5831)</p> </li> <li>Sign: GOST R 34.10-2001 (RFC5832)</li> </ul> <p>Required PKCS11 Mechs:</p> <ul> <li>CKM_RSA_PKCS_KEY_PAIR_GEN</li> <li>CKM_RSA_PKCS (possible cross-check hash with CKM_SHA_1)</li> <li>CKM_SHA1_RSA_PKCS</li> <li> <p>CKM_SHA_1</p> </li> <li> <p>CKM_GOSTR3410_KEY_PAIR_GEN</p> </li> <li>CKM_GOSTR3410_WITH_GOSTR3411</li> </ul>DNSSEC2016-12-15T22:43:00+00:002016-12-15T22:43:00+00:00Cryptech Core Teamtag:wiki.cryptech.is,2016-12-15:/DNSSEC<ul> <li><a href="https://wiki.cryptech.is/DNSSEC-Requirements">DNSSEC Requirements</a></li> </ul>DNSSEC signing using OpenDNSSEC and a Cryptech alpha board rev032016-12-15T22:43:00+00:002017-05-13T21:34:00+00:00Rob Austeintag:wiki.cryptech.is,2016-12-15:/OpenDNSSEC<h2>Before you start, you'll need</h2> <ul> <li>A Cryptech Alpha board, preferrably revision "rev03"</li> <li>APT on the host system configured to find packages in the Cryptech repository, see <a href="https://wiki.cryptech.is/BinaryPackages">BinaryPackages</a> for instructions</li> </ul> <div class="highlight"><pre><span></span><code>apt-get install cryptech-alpha opendnssec opensc </code></pre></div> <p>Once you have the software package installed, you may need to <a href="https://wiki.cryptech.is/Upgrading">upgrade your HSM's firmware</a>.</p> <h2>Configure …</h2><h2>Before you start, you'll need</h2> <ul> <li>A Cryptech Alpha board, preferrably revision "rev03"</li> <li>APT on the host system configured to find packages in the Cryptech repository, see <a href="https://wiki.cryptech.is/BinaryPackages">BinaryPackages</a> for instructions</li> </ul> <div class="highlight"><pre><span></span><code>apt-get install cryptech-alpha opendnssec opensc </code></pre></div> <p>Once you have the software package installed, you may need to <a href="https://wiki.cryptech.is/Upgrading">upgrade your HSM's firmware</a>.</p> <h2>Configure the HSM</h2> <p>For now, connect USB cables to both the DATA and MGMT ports of your HSM and plug them into the host where you will be running OpenDNSSEC. In production use it should not be necessary to leave the MGMT port connected, but it's easier to set up this way, and, as this is still a development platform, this is the configuration that's gotten the most testing.</p> <div class="highlight"><pre><span></span><code><span class="gh">#</span> eval $(cryptech_probe) <span class="gh">#</span> cryptech_muxd &amp; <span class="gh">#</span> cryptech_console Username: wheel Password: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding cryptech&gt; keystore set pin wheel supersikritnewpw cryptech&gt; keystore set pin so 123456 cryptech&gt; keystore set pin user 1234 cryptech&gt; masterkey set EFBEADDE ^C </code></pre></div> <p>Leave <code>cryptech_muxd</code> running, so that the PKCS #11 library can use it to talk to the HSM.</p> <h2>Configure OpenDNSSEC</h2> <div class="highlight"><pre><span></span><code><span class="n">mkdir</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">opendnssec</span><span class="o">/</span><span class="n">cryptech</span> <span class="n">cat</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">opendnssec</span><span class="o">/</span><span class="n">unsigned</span><span class="o">/</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="n">EOF</span> \<span class="o">$</span><span class="n">TTL</span><span class="w"> </span><span class="mi">600</span> <span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="w"> </span><span class="n">IN</span><span class="w"> </span><span class="n">SOA</span><span class="w"> </span><span class="n">hidden</span><span class="o">-</span><span class="k">master</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="w"> </span><span class="n">hostmaster</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="w"> </span><span class="p">(</span> <span class="w"> </span><span class="mi">2016041401</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="n">serial</span> <span class="w"> </span><span class="mi">720</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="mi">28800</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="n">refresh</span><span class="w"> </span><span class="p">(</span><span class="mi">8</span><span class="w"> </span><span class="n">hours</span><span class="p">)</span> <span class="w"> </span><span class="mi">720</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="mi">7200</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="n">retry</span><span class="w"> </span><span class="p">(</span><span class="mi">2</span><span class="w"> </span><span class="n">hours</span><span class="p">)</span> <span class="w"> </span><span class="mi">300</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="mi">604800</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="n">expire</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="w"> </span><span class="n">week</span><span class="p">)</span> <span class="w"> </span><span class="mi">120</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="mi">3600</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="n">minimum</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="w"> </span><span class="n">hour</span><span class="p">)</span> <span class="w"> </span><span class="p">)</span> <span class="w"> </span><span class="n">NS</span><span class="w"> </span><span class="n">lab</span><span class="o">.</span><span class="n">cryptech</span><span class="o">.</span><span class="k">is</span><span class="o">.</span> <span class="n">test</span><span class="w"> </span><span class="n">A</span><span class="w"> </span><span class="mf">127.0</span><span class="o">.</span><span class="mf">0.1</span> <span class="n">EOF</span> <span class="n">chown</span><span class="w"> </span><span class="o">-</span><span class="n">R</span><span class="w"> </span><span class="n">opendnssec</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">opendnssec</span><span class="o">/*</span> </code></pre></div> <h2>OpenDNSSEC configuration changes</h2> <p>/etc/opendnssec/conf.xml:</p> <div class="highlight"><pre><span></span><code><span class="nt">&lt;Repository</span><span class="w"> </span><span class="na">name=</span><span class="s">&quot;Cryptech&quot;</span><span class="nt">&gt;</span> <span class="w"> </span><span class="nt">&lt;Module&gt;</span>/usr/lib/libcryptech-pkcs11.so<span class="nt">&lt;/Module&gt;</span> <span class="w"> </span><span class="nt">&lt;TokenLabel&gt;</span>Cryptech<span class="w"> </span>Token<span class="nt">&lt;/TokenLabel&gt;</span> <span class="w"> </span><span class="nt">&lt;PIN&gt;</span>1234<span class="nt">&lt;/PIN&gt;</span> <span class="w"> </span><span class="nt">&lt;SkipPublicKey/&gt;</span> <span class="nt">&lt;/Repository&gt;</span> </code></pre></div> <p>The PIN is whatever was chosen as PIN for 'user' above. The TokenLabel has to be "Cryptech Token", not something you choose.</p> <p>/etc/opendnssec/kasp.xml:</p> <div class="highlight"><pre><span></span><code>s/SoftHSM/Cryptech/ </code></pre></div> <p>/etc/opendnssec/zonelist.xml:</p> <div class="highlight"><pre><span></span><code><span class="nt">&lt;Zone</span><span class="w"> </span><span class="na">name=</span><span class="s">&quot;example.com&quot;</span><span class="nt">&gt;</span> <span class="w"> </span><span class="nt">&lt;Policy&gt;</span>lab<span class="nt">&lt;/Policy&gt;</span> <span class="w"> </span><span class="nt">&lt;SignerConfiguration&gt;</span>/var/lib/opendnssec/signconf/example.com.xml<span class="nt">&lt;/SignerConfiguration&gt;</span> <span class="w"> </span><span class="nt">&lt;Adapters&gt;</span> <span class="w"> </span><span class="nt">&lt;Input&gt;</span> <span class="w"> </span><span class="nt">&lt;Adapter</span><span class="w"> </span><span class="na">type=</span><span class="s">&quot;File&quot;</span><span class="nt">&gt;</span>/var/lib/opendnssec/unsigned/example.com<span class="nt">&lt;/Adapter&gt;</span> <span class="w"> </span><span class="nt">&lt;/Input&gt;</span> <span class="w"> </span><span class="nt">&lt;Output&gt;</span> <span class="w"> </span><span class="nt">&lt;Adapter</span><span class="w"> </span><span class="na">type=</span><span class="s">&quot;File&quot;</span><span class="nt">&gt;</span>/var/lib/opendnssec/signed/example.com<span class="nt">&lt;/Adapter&gt;</span> <span class="w"> </span><span class="nt">&lt;/Output&gt;</span> <span class="w"> </span><span class="nt">&lt;/Adapters&gt;</span> <span class="nt">&lt;/Zone&gt;</span> </code></pre></div> <h2>Initialization and signing</h2> <p>Make the deamons reload their configuration:</p> <div class="highlight"><pre><span></span><code> service opendnssec-enforcer restart service opendnssec-signer restart </code></pre></div> <p>Initialize opendnssec:</p> <div class="highlight"><pre><span></span><code> ods-ksmutil setup </code></pre></div> <p>That should be it!</p> <p>See /var/log/syslog for output from ods-kaspcheck, ods-enforcerd and ods-signerd. See /var/lib/opendnssec/signed/ for a signed example.com zone.</p> <p>To list keys using ods-ksmutil, accessing the HSM using pkcs11 directly (rather than going through any of the opendnssec daemons), export the environment variables from /etc/default/opendnssec and run "ods-ksmutil keys list --verbose":</p> <div class="highlight"><pre><span></span><code><span class="c1"># ods-ksmutil keys list --verbose</span> <span class="n">SQLite</span><span class="w"> </span><span class="n">database</span><span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">to</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">opendnssec</span><span class="o">/</span><span class="n">kasp</span><span class="o">.</span><span class="n">db</span> <span class="n">Keys</span><span class="p">:</span> <span class="n">Zone</span><span class="p">:</span><span class="w"> </span><span class="n">Keytype</span><span class="p">:</span><span class="w"> </span><span class="n">State</span><span class="p">:</span><span class="w"> </span><span class="n">Date</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">next</span><span class="w"> </span><span class="n">transition</span><span class="w"> </span><span class="p">(</span><span class="n">to</span><span class="p">):</span><span class="w"> </span><span class="n">Size</span><span class="p">:</span><span class="w"> </span><span class="n">Algorithm</span><span class="p">:</span><span class="w"> </span><span class="n">CKA_ID</span><span class="p">:</span><span class="w"> </span><span class="n">Repository</span><span class="p">:</span><span class="w"> </span><span class="n">Keytag</span><span class="p">:</span> <span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="w"> </span><span class="n">KSK</span><span class="w"> </span><span class="n">ready</span><span class="w"> </span><span class="n">waiting</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">ds</span><span class="o">-</span><span class="n">seen</span><span class="w"> </span><span class="p">(</span><span class="n">active</span><span class="p">)</span><span class="w"> </span><span class="mi">2048</span><span class="w"> </span><span class="mi">8</span><span class="w"> </span><span class="mi">7</span><span class="n">f9b9329480ebe5dc81054ccb293e261</span><span class="w"> </span><span class="n">Cryptech</span><span class="w"> </span><span class="mi">62642</span> <span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="w"> </span><span class="n">ZSK</span><span class="w"> </span><span class="n">active</span><span class="w"> </span><span class="mi">2016</span><span class="o">-</span><span class="mi">07</span><span class="o">-</span><span class="mi">13</span><span class="w"> </span><span class="mi">19</span><span class="p">:</span><span class="mi">04</span><span class="p">:</span><span class="mi">30</span><span class="w"> </span><span class="p">(</span><span class="n">retire</span><span class="p">)</span><span class="w"> </span><span class="mi">1024</span><span class="w"> </span><span class="mi">8</span><span class="w"> </span><span class="mf">97e972633613</span><span class="n">bd605944a0531ff5399b</span><span class="w"> </span><span class="n">Cryptech</span><span class="w"> </span><span class="mi">56620</span> </code></pre></div> <p>If the output for repository is "Cryptech NOT IN repository", ods-ksmutil has not been able to actually list the keys in the HSM.</p>