Knot DNS¶
Knot DNS is an open source authoritative DNS server that can be used for DNSSEC. To use KnotDNS with the NetHSM please install and configure the PKCS#11 module as described here.
Manual Mode¶
In manual mode the keys have to be generated and managed manually.
Only the Operator user is needed in the PKCS#11 module configuration file. The password can be specified using the pin-value
in the PKCS#11 URI in knot.conf.
Add the following lines to the KnotDNS configuration file /etc/knot/knot.conf
:
keystore:
- id: nethsm_keystore
backend: pkcs11
config: "pkcs11:token=localnethsm /usr/local/lib/libnethsm_pkcs11.so"
policy:
- id: manual_policy
keystore: nethsm_keystore
manual: on
zone:
- domain: example.com
storage: "/var/lib/knot"
file: "example.com.zone"
dnssec-signing: on
dnssec-policy: manual_policy
The token
value in the PKCS#11 URI is the label
from the p11nethsm.conf
. Adjust the path to the
libnethsm_pkcs11.so
as needed.
To generate the keys run the following commands:
nitropy nethsm \
--host "localhost:8443" --no-verify-tls \
--username "admin" \
generate-key \
--type "EC_P256" --mechanism "ECDSA_Signature" --length "256" --key-id "myKSK"
# knot's keymgr expects the binary key id in hex format
# myKSK in ascii-binary is 0x6d794b534b, e.g. echo -n "myKSK" | xxd -ps
keymgr "example.com" import-pkcs11 "6d794b534b" "algorithm=ECDSAP256SHA256" "ksk=yes"
nitropy nethsm \
--host "localhost:8443" --no-verify-tls \
--username "admin" \
generate-key \
--type "EC_P256" --mechanism "ECDSA_Signature" --length "256" --key-id "myZSK"
# myZSK in ascii-binary is 0x6d795a534b
keymgr "example.com" import-pkcs11 "6d795a534b" "algorithm=ECDSAP256SHA256"
Automatic Mode¶
In automatic mode the keys are generated by Knot DNS and stored in the NetHSM.
An Administrator and an Operator user are needed in the PKCS#11 module configuration.
Add the following lines to the Knot DNS configuration file /etc/knot/knot.conf
:
keystore:
- id: nethsm_keystore
backend: pkcs11
config: "pkcs11:token=localnethsm /usr/local/lib/libnethsm_pkcs11.so"
#key-label: on
policy:
- id: auto_policy
keystore: nethsm_keystore
ksk-lifetime: 5m
zsk-lifetime: 2m
dnskey-ttl: 10s
zone-max-ttl: 15s
propagation-delay: 2s
zone:
- domain: example.com
storage: "/var/lib/knot"
file: "example.com.zone"
dnssec-signing: on
dnssec-policy: auto_policy
Setting key-label
to on
doesn’t change anything and the pkcs11 module ignores the given label and
always returns the hexadecimal key id as label. The policy uses very short key lifetimes and TTL’s
for testing purposes.