OpenDNSSEC

OpenDNSSEC is a tool suite for managing the security of domain names. It can directly load a PKCS#11 module and manage the keys.

To install and set up OpenDNSSEC, you can follow the OpenDNSSEC Quick Start Guide. You don't need to install SoftHSM; the NetHSM PKCS#11 module will be used instead.

As OpenDNSSEC needs access to manage the keys and then use them, you will need to configure both the administrator and operator accounts in the PKCS#11 module configuration file.

You can configure OpenDNSSEC to load the libnethsm_pkcs11.so module by editing the /etc/opendnssec/conf.xml file. You will need to add the following lines:

<?xml version="1.0" encoding="UTF-8"?>

<Configuration>

...

    <RepositoryList>
          <Repository name="NetHSM">
                  <Module>/root/libnethsm_pkcs11.so</Module>
                  <PIN>opPassphrase</PIN>
                  <TokenLabel>LocalHSM</TokenLabel>
          </Repository>
    ...

    </RepositoryList>

...

</Configuration>

Replace /root/libnethsm_pkcs11.so with the path to the libnethsm_pkcs11.so module. The <TokenLabel> must match the label you set in the p11nethsm.conf configuration file. The <PIN> is the operator PIN; you can either set it in plain text in the conf.xml file or use ods-hsmutil login. OpenDNSSEC needs to have a PIN provided or it will refuse to start.

You also need to update the <Repository> fields in /etc/opendnssec/kasp.xml to NetHSM instead of the default SoftHSM:

<KASP>
      <Policy name="...">

            ...

            <Keys>

                  ...

                  <KSK>
                          ...
                          <Repository>NetHSM</Repository>
                  </KSK>
                  <ZSK>
                          ...
                          <Repository>NetHSM</Repository>
                  </ZSK>
            </Keys>

            ...

      </Policy>

      ...

</KASP>
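
A consistency check for the two files described above, as an added example that is not part of the original page or of OpenDNSSEC: it reports keys in kasp.xml that reference a repository not defined in conf.xml, a <TokenLabel> that differs from the expected label, and a repository without a <PIN>. The XML strings are constructed samples; check_repositories and its token_label argument (the label from p11nethsm.conf, passed in by hand) are names assumed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: a conf.xml with the NetHSM repository from the page
# and a kasp.xml whose ZSK still points at the default SoftHSM repository.
CONF_XML = """<Configuration>
  <RepositoryList>
    <Repository name="NetHSM">
      <Module>/root/libnethsm_pkcs11.so</Module>
      <PIN>opPassphrase</PIN>
      <TokenLabel>LocalHSM</TokenLabel>
    </Repository>
  </RepositoryList>
</Configuration>"""

KASP_XML = """<KASP>
  <Policy name="default">
    <Keys>
      <KSK><Repository>NetHSM</Repository></KSK>
      <ZSK><Repository>SoftHSM</Repository></ZSK>
    </Keys>
  </Policy>
</KASP>"""


def check_repositories(conf_xml, kasp_xml, token_label):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    repos = set()  # repository names defined in conf.xml
    for repo in ET.fromstring(conf_xml).iter("Repository"):
        name = repo.get("name")
        repos.add(name)
        label = (repo.findtext("TokenLabel") or "").strip()
        if label != token_label:
            findings.append(f"conf.xml: {name} TokenLabel {label!r} != {token_label!r}")
        if not (repo.findtext("PIN") or "").strip():
            findings.append(f"conf.xml: {name} has no <PIN>; run ods-hsmutil login before starting")
    for policy in ET.fromstring(kasp_xml).iter("Policy"):
        for key_type in ("KSK", "ZSK"):
            for key in policy.iter(key_type):
                used = (key.findtext("Repository") or "").strip()
                if used not in repos:
                    findings.append(f"kasp.xml: policy {policy.get('name')} {key_type} uses undefined repository {used!r}")
    return findings


if __name__ == "__main__":
    for finding in check_repositories(CONF_XML, KASP_XML, "LocalHSM"):
        print(finding)
```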