Hello, I think I am close to getting them working, but when I do +dnssec queries I still get nothing. After these steps, I'm getting the following errors:
Mar 8 15:05:18 ubuntu ods-auditor[13338]: example.com : SOA differs : from 2012030506 to 2012030800

---- I have datecounter as my serial. If I change this to 2012030800, or whatever the current date is, will this sync up?

rndc: could not load rndc configuration
rndc: error: none:0: open: /etc/bind/rndc.key: permission denied

---- This periodically spams my screen. What is going on with these errors? What permissions does this .key file need?

I kind of followed the guide/instructions located as part of the DNSSEC workshop, specifically this file:
https://nsrc.org/workshops/2011/dakar-dnssec/raw-attachment/wiki/Agenda/opendnssec-howoto.txt

STEPS TAKEN TO SETUP OPENDNSSEC:

Add ppa repository
  sudo add-apt-repository ppa:pkg-opendnssec/ppa
  sudo apt-get update

Ubuntu Software center:
  sudo apt-get install libldns1
  sudo apt-get install rubygems
  sudo apt-get install dnsruby
  sudo apt-get install ruby-dev
  sudo apt-get install libopenssl-ruby
  sudo apt-get install sqlite3
  sudo apt-get install libsqlite3-dev
  sudo apt-get install opendnssec
-------------------------------------------------
SoftHSM is an implementation of a cryptographic store accessible through PKCS#11. Basically it virtualizes having a 'smart card' in order to save on time/money and allows you to use this virtualized smart card to sign zones. So we install and then initialize a token.
  sudo apt-get install libbotan-1.10-0
  sudo apt-get install softhsm
  sudo chmod -R 755 /etc/softhsm
  sudo chmod -R 755 /var/lib/softhsm
  softhsm --init-token --slot 0 --label OpenDNSSEC
    pw=1234, pw=1234
-------------------------------------------------
  sudo chmod -R 755 opendnssec
  sudo nano /etc/opendnssec/kasp.xml
    Comment out <NSEC3> through </NSEC3>
    Add <NSEC></NSEC> below it
    Go down to the <zone> section, change unixtime to datecounter
    NOTE: had issues with the serial/time several times, not sure if I ever got this fixed, but this was the solution I was told
  sudo nano /etc/opendnssec/conf.xml
    Remove comments surrounding the first repository (SoftHSM)
    NOTE: the tokenlabel value must match what was previously used when initializing the token (ex: OpenDNSSEC)
-------------------------------------------------
  ods-ksmutil setup
    Y at the warning
  sudo nano /etc/bind/named.conf.local
    In zone example.com add: allow-transfer { 127.0.0.1; };
  sudo rndc reconfig
  sudo chmod 755 /var/lib/opendnssec
  Copy your unsigned zone file into the unsigned folder
    ex: sudo cp /etc/bind/zones/example.com /var/lib/opendnssec/unsigned
    NOTE: This zone file should not contain any BIND DNSSEC info, keys, etc.
  sudo ods-ksmutil zone add --zone example.com
-------------------------------------------------
  sudo nano /etc/opendnssec/conf.xml
    Remove comment lines surrounding: <NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
    Remove comment lines surrounding: <Privileges> <User>opendnssec</User> <Group>opendnssec</Group> </Privileges>
  cd /etc
  sudo chown -R opendnssec:opendnssec opendnssec
  cd /var/lib
  sudo chown -R opendnssec:opendnssec opendnssec
  cd /etc
  sudo chmod -R 777 softhsm
-------------------------------------------------
  sudo adduser opendnssec softhsm
  sudo chown -R opendnssec /var/lib/softhsm/
  sudo nano /etc/bind/named.conf.options
    Add "dnssec-enable yes;" in the options
  Restart bind
  sudo ods-ksmutil setup
  sudo ods-control start
  sudo ods-sign sign example.com

NOTE: At this point the zone in /unsigned gets signed and moved to /tmp, and the /signconf files are also generated. The zone is signed in /signed, but I am still unable to fill +dnssec queries.
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
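As an added example (not code from the post above, and not OpenDNSSEC's or BIND's own code), the following Python script models the two things the reported errors turn on: how the signed zone's SOA serial is chosen under <Serial>datecounter</Serial>, using RFC 1982 serial arithmetic, and whether the user that runs <NotifyCommand> (opendnssec, per the <Privileges> block) can read /etc/bind/rndc.key. Assumptions, all labelled in the code: the datecounter rule is simplified to "YYYYMMDD00 on the signing day, otherwise previous serial + 1"; the sample zone text and the uid/gid numbers are constructed; the "join the key's group rather than chmod 777" advice assumes the usual Debian/Ubuntu layout of rndc.key owned root:bind with mode 0640.

```python
"""Added example (not from the mailing-list post, OpenDNSSEC or BIND).

1. SOA serial under <Serial>datecounter</Serial>: the serial in the unsigned
   zone is not carried over; the signer emits its own date-based serial, which
   is why the auditor logs "SOA differs". RFC 1982 arithmetic decides whether a
   new serial is "newer" for secondaries and caches.
2. rndc.key readability for the NotifyCommand user, computed the POSIX way from
   mode/owner/group so it runs offline against constructed values.

Assumptions: simplified datecounter rule (YYYYMMDD00 for the signing day, else
previous + 1); constructed zone text and uid/gid numbers.
"""
import os
import re
import stat

SERIAL_MAX = 2 ** 32
HALF = 2 ** 31

# Constructed sample: an unsigned zone as BIND would hold it.
SAMPLE_ZONE = """\
$TTL 86400
@   IN  SOA ns1.example.com. hostmaster.example.com. (
        2012030506  ; serial, YYYYMMDDnn style
        3600 900 1209600 86400 )
    IN  NS  ns1.example.com.
ns1 IN  A   192.0.2.1
"""


def serial_gt(a, b):
    """RFC 1982: True when 32-bit serial a is 'after' serial b (wrap-safe)."""
    a %= SERIAL_MAX
    b %= SERIAL_MAX
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def soa_serial(zone_text):
    """Return the serial from a zone file's SOA (one-line or parenthesised form)."""
    text = re.sub(r";[^\n]*", "", zone_text)                       # strip comments
    text = re.sub(r"\(([^)]*)\)",                                   # fold ( ... ) onto one line
                  lambda m: " " + m.group(1).replace("\n", " ") + " ", text)
    m = re.search(r"\sSOA\s+\S+\s+\S+\s+(\d+)", text)
    if not m:
        raise ValueError("no SOA record found")
    return int(m.group(1))


def next_datecounter_serial(previous_signed, day_yyyymmdd):
    """Serial the signer emits next under the simplified datecounter rule.

    Only the last *signed* serial and the date matter; the unsigned zone's
    serial (e.g. 2012030506 above) is ignored.
    """
    candidate = int(day_yyyymmdd) * 100                 # YYYYMMDD00
    if serial_gt(candidate, previous_signed):
        return candidate
    return (previous_signed + 1) % SERIAL_MAX


def user_can_read(mode, owner_uid, group_gid, uid, gids):
    """POSIX read check from numeric mode/owner/group; root always succeeds."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if group_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def rndc_key_fix(mode, owner_uid, group_gid, uid, gids):
    """Least-privilege advice for the NotifyCommand user: 'ok', 'join-group' or 'own-key'."""
    if user_can_read(mode, owner_uid, group_gid, uid, gids):
        return "ok"
    if mode & stat.S_IRGRP:
        # Assumed Debian/Ubuntu layout (root:bind 0640): add the signer user to the
        # key's group (adduser opendnssec bind) instead of making the secret world-readable.
        return "join-group"
    # Owner-only key: leave it alone and give the signer its own rndc key
    # (rndc-confgen -a -k <name>), listed in named.conf's controls block.
    return "own-key"


def file_readable_by(path, uid, gids):
    """Same check against a real file, e.g. file_readable_by('/etc/bind/rndc.key', 110, {110})."""
    st = os.stat(path)
    return user_can_read(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)


if __name__ == "__main__":
    signed = 2012030800                      # serial the auditor saw in the signed zone
    print("unsigned SOA serial :", soa_serial(SAMPLE_ZONE))
    print("next signed serial  :", next_datecounter_serial(signed, "20120308"))
    # Constructed ids: root = 0, bind gid = 105, opendnssec uid/gid = 110.
    print("opendnssec can read :", user_can_read(0o640, 0, 105, 110, {110}))
    print("fix                 :", rndc_key_fix(0o640, 0, 105, 110, {110}))
```

Run it as-is to see the serial the signer will pick for the sample date (2012030800 the first time that day, 2012030801 on a re-sign the same day) and that a root:bind 0640 key is unreadable by opendnssec until that user is in the bind group; `file_readable_by` applies the same check to the real key once you know the signer's uid and groups from `id opendnssec`.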
