
OpenDNSSEC Deployment


Presentation Transcript


  1. OpenDNSSEC Deployment Tianyi Xing

  2. Roadmap
     • By mid-term
       • Establish a DNSSEC server within the mobicloud system (hopefully to be done by next week)
         • Successfully installed
         • At configuration stage
       • Configure the network to make sure the DNSSEC server serves the right purpose in the mobicloud system (within 3 days)
     • By Final
       • Perfect its function
       • Dynamically cooperate with the user ID and IP address
       • Dynamically update the IP (ID) and domain pair
       • Documentation

  3. OpenDNSSEC Working Flow
     • OpenDNSSEC is a complete DNSSEC solution
     • Completely automates the process of keeping track of keys and the signing of zones.

  4. Components (contd.)
     • HSM
       • The key storage component (usually in hardware)
       • Performs cryptographic operations
       • Private keys will never appear outside the HSM
       • It can perform 1-14,000 signatures per second
     • SoftHSM
       • SoftHSM is an implementation of a cryptographic store accessible through a PKCS#11 interface.
       • Uses Botan for its cryptographic operations and SQLite to store its key material.

  5. Components (contd.)
     • KASP
       • Decides when zones are re-signed
       • Decides when keys are rolled
       • Decides which keys are used
     • Signer Engine
       • Sorts RRsets
       • Signs RRsets
       • Keeps the RRSIGs up to date

  6. Components
     • Enforcer
       • Deals with key rollover and key generation
       • Conf.xml: <Enforcer> </Enforcer>
     • Signer
       • Constructs signature records to include into the zone file
       • Conf.xml: <Signer></Signer>

  7. Components
     • Auditor
       • Checks a signed zone against the policy and the unsigned zone
       • Conf.xml: <Auditor></Auditor>

  8. OpenDNSSEC installation
     • Hardware
       • Dell Server
     • Software
       • XenServer
       • Ubuntu 10.10

  9. Compile OpenDNSSEC
     • Dependencies
       • libxml2-dev
       • libldns-dev
         • Version must be later than 1.6.7
         • Install ldns 1.6.8
         • Needs OpenSSL 1.0
       • SQLite3
         • libsqlite3-dev
       • rubygems
         • dnsruby

  10. Configuration
     • Conf.xml
       • Overall configuration of the system
     • Kasp.xml
       • Defines the policy of signing
     • Zonelist.xml
       • Lists all the zones that you are going to sign
     • Zonefetch.xml (optional)
       • Zone transfers

  11. Conf.xml
     • /etc/opendnssec/conf.xml
     • Overall configuration of OpenDNSSEC
       • Logging facilities (syslog only so far)
       • System paths
       • Key repositories
       • Privileges
       • Database (all key and zone info is stored)

  12. Kasp.xml
     • /etc/opendnssec/kasp.xml
     • Information included
       • Security parameters used for signing zones
       • Timing parameters used for signing zones

  13. Zonelist.xml
     • /etc/opendnssec/kasp.xml
     • The zonelist.xml file is used when first setting up the system, but is also used by the ods-signerd when signing zones
     • Information
       • The zone's DNS name
       • The policy from kasp.xml used to sign the zone
       • How to obtain the zone
       • How to publish the zone

  14. Zonefetch.xml
     • Configuration about signing zones received from transfer (AXFR).
     • Information included
       • Where to fetch zone data from
       • Protection mechanisms to be used
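The three files on slides 10-13 reference each other by name: conf.xml declares key repositories (the HSM slots), every KSK and ZSK in a kasp.xml policy names one of those repositories, and every zone in zonelist.xml names a policy. A dangling name in that chain is a configuration error that only surfaces when the daemons are started, so a cross-check before `ods-ksmutil setup` is worth having. The following script is an added example, not code from the slides or from the OpenDNSSEC project; the embedded XML is constructed sample input modelled on the OpenDNSSEC 1.x file layout, and the zone names, paths and the deliberately broken `RealHSM`/`staging` references are illustrative.

```python
"""Cross-check conf.xml, kasp.xml and zonelist.xml for dangling references.

conf.xml   -> <Repository name="..."> entries (key storage, e.g. SoftHSM)
kasp.xml   -> <Policy name="..."> whose <KSK>/<ZSK> each name a <Repository>
zonelist.xml -> <Zone name="..."> whose <Policy> names a kasp.xml policy
The XML below is constructed sample input (OpenDNSSEC 1.x layout); the
'RealHSM' repository and 'staging' policy are intentionally undefined.
"""
import xml.etree.ElementTree as ET

CONF_XML = """<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
    </Repository>
  </RepositoryList>
  <Enforcer><Datastore><SQLite>/var/opendnssec/kasp.db</SQLite></Datastore></Enforcer>
</Configuration>"""

KASP_XML = """<KASP>
  <Policy name="default"><Keys>
    <KSK><Algorithm length="2048">8</Algorithm><Repository>SoftHSM</Repository></KSK>
    <ZSK><Algorithm length="1024">8</Algorithm><Repository>SoftHSM</Repository></ZSK>
  </Keys></Policy>
  <Policy name="lab"><Keys>
    <KSK><Algorithm length="2048">8</Algorithm><Repository>RealHSM</Repository></KSK>
    <ZSK><Algorithm length="1024">8</Algorithm><Repository>SoftHSM</Repository></ZSK>
  </Keys></Policy>
</KASP>"""

ZONELIST_XML = """<ZoneList>
  <Zone name="mobicloud.example">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/mobicloud.example.xml</SignerConfiguration>
    <Adapters>
      <Input><File>/var/opendnssec/unsigned/mobicloud.example</File></Input>
      <Output><File>/var/opendnssec/signed/mobicloud.example</File></Output>
    </Adapters>
  </Zone>
  <Zone name="lab.example">
    <Policy>staging</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/lab.example.xml</SignerConfiguration>
    <Adapters>
      <Input><File>/var/opendnssec/unsigned/lab.example</File></Input>
      <Output><File>/var/opendnssec/signed/lab.example</File></Output>
    </Adapters>
  </Zone>
</ZoneList>"""


def repositories(conf_xml):
    """Map repository name -> PKCS#11 module path declared in conf.xml."""
    root = ET.fromstring(conf_xml)
    return {r.get("name"): r.findtext("Module") for r in root.iter("Repository")}


def policy_repositories(kasp_xml):
    """Map policy name -> {'KSK': repository, 'ZSK': repository} from kasp.xml."""
    result = {}
    for policy in ET.fromstring(kasp_xml).iter("Policy"):
        keys = policy.find("Keys")
        result[policy.get("name")] = {
            k.tag: k.findtext("Repository")
            for k in ([] if keys is None else keys)  # iterate child elements
            if k.tag in ("KSK", "ZSK")
        }
    return result


def zone_policies(zonelist_xml):
    """Map zone name -> policy name from zonelist.xml."""
    root = ET.fromstring(zonelist_xml)
    return {z.get("name"): z.findtext("Policy") for z in root.iter("Zone")}


def check_references(conf_xml, kasp_xml, zonelist_xml):
    """Return a list of dangling-reference problems; empty means consistent."""
    repos = repositories(conf_xml)
    policies = policy_repositories(kasp_xml)
    problems = []
    for name, module in repos.items():
        if not module:
            problems.append(f"repository {name!r}: no <Module> (PKCS#11 library) configured")
    for pname, keys in policies.items():
        for ktype in ("KSK", "ZSK"):
            repo = keys.get(ktype)
            if repo not in repos:
                problems.append(f"policy {pname!r}: {ktype} uses undefined repository {repo!r}")
    for zname, pname in zone_policies(zonelist_xml).items():
        if pname not in policies:
            problems.append(f"zone {zname!r}: references undefined policy {pname!r}")
    return problems


if __name__ == "__main__":
    for line in check_references(CONF_XML, KASP_XML, ZONELIST_XML) or ["configuration is consistent"]:
        print(line)
```

Run against the sample input it reports the two planted faults (the `lab` policy's KSK pointing at an undefined repository and `lab.example` pointing at an undefined policy); on a real host, read the three files from /etc/opendnssec instead of the embedded strings. Note that conf.xml carries the HSM token `<PIN>` in clear text, so its file permissions matter as much as the HSM itself.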

  15. SoftHSM installation
     • Dependency
       • Botan 1.8.5 or a later version
       • Don't use yum, apt-get or any automatic online installation.
       • Download Botan from http://botan.randombit.net/download.html and install it from source

  16. SoftHSM configuration
     • Add the tokens to the slots: /etc/softhsm.conf
       • The token databases do not exist at this stage. The given paths are just an indication to SoftHSM of where it should store the information for each token. Each token is now treated as uninitialized.
     • Initialize your tokens
       • With the softhsm tool or through the PKCS#11 interface
       • Link to this library and use the PKCS#11 interface

  17. Error during Start
     • ods-ksmutil setup
     • ods-control start
       • Enforcer start fails
       • Signer start fails

  18. Next Steps
     • Make the signer and enforcer run successfully
     • Cooperate with the DHCP server to automatically add the zone and sign the zone with a specific policy and key.