Knot DNS#

Knot DNS is an open source authoritative DNS server with built-in DNSSEC signing. To use Knot DNS with the NetHSM, first install and configure the NetHSM PKCS#11 module as described in the PKCS#11 module section of this documentation; Knot then reaches the NetHSM through that module and never sees the private keys.

Manual Mode#

In manual mode the keys have to be generated and managed manually.

Only the Operator user is needed in the PKCS#11 module configuration file, because in manual mode the module is used for signing only. The Operator password can be supplied with the pin-value attribute of the PKCS#11 URI in knot.conf; since that puts the password into knot.conf in clear text, restrict the file's permissions to the user Knot runs as.

Add the following lines to the KnotDNS configuration file /etc/knot/knot.conf:

keystore:
  - id: nethsm_keystore
    backend: pkcs11
    config: "pkcs11:token=localnethsm /usr/local/lib/libnethsm_pkcs11.so"

policy:
  - id: manual_policy
    keystore: nethsm_keystore
    manual: on

zone:
  - domain: example.com
    storage: "/var/lib/knot"
    file: "example.com.zone"
    dnssec-signing: on
    dnssec-policy: manual_policy

The token value in the PKCS#11 URI is the label of the slot defined in p11nethsm.conf. Adjust the path to libnethsm_pkcs11.so as needed.

To generate the keys run the following commands. Generating keys on the NetHSM requires the Administrator role, which is why nitropy is run as admin here even though Knot itself only needs the Operator user; --no-verify-tls is acceptable only for the local test instance used in this example.

nitropy nethsm \
  --host "localhost:8443" --no-verify-tls \
  --username "admin" \
  generate-key \
    --type "EC_P256" --mechanism "ECDSA_Signature" --length "256" --key-id "myKSK"
# keymgr's import-pkcs11 takes the PKCS#11 object id (CKA_ID) as a hex string,
# i.e. the bytes of the NetHSM key id hex encoded: "myKSK" is 6d794b534b
# (check with: printf '%s' "myKSK" | xxd -ps)
keymgr "example.com" import-pkcs11 "6d794b534b" "algorithm=ECDSAP256SHA256" "ksk=yes"

nitropy nethsm \
  --host "localhost:8443" --no-verify-tls \
  --username "admin" \
  generate-key \
    --type "EC_P256" --mechanism "ECDSA_Signature" --length "256" --key-id "myZSK"
# "myZSK" hex encoded is 6d795a534b
keymgr "example.com" import-pkcs11 "6d795a534b" "algorithm=ECDSAP256SHA256"
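The manual-mode steps above collected into one script, as an added example that is not part of the NetHSM or Knot DNS documentation. It assumes nitropy and keymgr are on PATH, that the Administrator user is called admin, that the NetHSM listens on localhost:8443 (a local test instance, hence --no-verify-tls), and that the zone is example.com; all of these can be overridden from the environment. It does the hex conversion of the key id itself instead of requiring it to be typed by hand, adds the reverse mapping so an id printed by keymgr can be traced back to a NetHSM key id, and with DRY_RUN=1 prints the commands instead of running them.

```sh
#!/bin/sh
# Added example, not from the NetHSM or Knot DNS documentation.
# Assumed environment: nitropy and keymgr on PATH, NetHSM test instance on
# localhost:8443 (so TLS verification is skipped), Administrator "admin",
# zone example.com. Override NETHSM_HOST, NETHSM_ADMIN and ZONE as needed.
set -eu

NETHSM_HOST="${NETHSM_HOST:-localhost:8443}"
NETHSM_ADMIN="${NETHSM_ADMIN:-admin}"
ZONE="${ZONE:-example.com}"
DRY_RUN="${DRY_RUN:-0}"    # DRY_RUN=1: print the commands instead of running them

# keymgr import-pkcs11 wants the PKCS#11 object id as hex, i.e. the raw bytes
# of the NetHSM key id hex encoded.  "myKSK" -> 6d794b534b
keyid_to_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Reverse mapping: turn a hex id as printed by `keymgr <zone> list` back into
# the NetHSM key id so it can be looked up with `nitropy nethsm get-key`.
# Rejects odd-length input instead of silently dropping a nibble.
hex_to_keyid() {
    hex=$1
    [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "odd-length hex id: $hex" >&2; return 1; }
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}   # first two hex digits
        hex=${hex#??}
        # octal escape keeps this portable: POSIX printf has no \x escape
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done
}

# Runs a command, or echoes it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# provision_key <nethsm-key-id> <ksk|zsk>
# Generates a P-256 key on the NetHSM as Administrator (key generation needs
# that role), then registers it in Knot's keystore under its hex-encoded id.
provision_key() {
    keyid=$1
    role=$2
    hexid=$(keyid_to_hex "$keyid")
    run nitropy nethsm --host "$NETHSM_HOST" --no-verify-tls \
        --username "$NETHSM_ADMIN" generate-key \
        --type EC_P256 --mechanism ECDSA_Signature --length 256 --key-id "$keyid"
    if [ "$role" = ksk ]; then
        run keymgr "$ZONE" import-pkcs11 "$hexid" algorithm=ECDSAP256SHA256 ksk=yes
    else
        run keymgr "$ZONE" import-pkcs11 "$hexid" algorithm=ECDSAP256SHA256
    fi
}

# Usage: sh provision.sh provision   (DRY_RUN=1 to only print the commands)
if [ "${1:-}" = provision ]; then
    provision_key myKSK ksk
    provision_key myZSK zsk
fi
```

Run it once with DRY_RUN=1 to review the exact commands, then without it; nitropy prompts for the Administrator password when none is given on the command line, so the password does not have to appear in the script.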

Automatic Mode#

In automatic mode the keys are generated by Knot DNS and stored in the NetHSM.

Both an Administrator and an Operator user are needed in the PKCS#11 module configuration: Knot generates the keys through the module, which requires the Administrator role on the NetHSM, while signing uses the Operator.

Add the following lines to the Knot DNS configuration file /etc/knot/knot.conf:

keystore:
  - id: nethsm_keystore
    backend: pkcs11
    config: "pkcs11:token=localnethsm /usr/local/lib/libnethsm_pkcs11.so"
    #key-label: on

policy:
  - id: auto_policy
    keystore: nethsm_keystore
    ksk-lifetime: 5m
    zsk-lifetime: 2m
    dnskey-ttl: 10s
    zone-max-ttl: 15s
    propagation-delay: 2s

zone:
  - domain: example.com
    storage: "/var/lib/knot"
    file: "example.com.zone"
    dnssec-signing: on
    dnssec-policy: auto_policy

Setting key-label to on has no effect: the NetHSM PKCS#11 module ignores the label Knot supplies and always reports the hexadecimal key id as the label, which is why the option is left commented out above. The policy uses very short key lifetimes and TTLs so that rollovers can be observed within minutes during testing; for a production zone use realistic key lifetimes and the zone's real TTLs.