Before you start using OpenDNSSEC in your production environment, you must first decide which hardware you are going to run it on.
Once you have a suitable system, install the software that OpenDNSSEC depends on, and finally install OpenDNSSEC itself.
Hardware set-up
Here are some short recommendations if you are planning to use OpenDNSSEC with many zones or a single large zone, and where the speed of signing is important.
- CPU: OpenDNSSEC is multi-threaded both when handling multiple zones and when refreshing the signatures of RRsets.
- Hard disk: The OpenDNSSEC signer engine makes backup files so that your zone data can be recovered with no loss. A backup file takes up as much disk space as the signed zone itself. If you use an inbound DNS adapter, the XFR is also stored on disk. If you use an outbound DNS adapter, a journal file is required. OpenDNSSEC will maintain three outbound changes on disk.
- Memory: The zones are also stored in memory. The amount of memory is quite excessive, due to the use of ldns.
OpenDNSSEC 1.4 has been tested on the following platforms:
- Debian 6.0.3 amd64
- Ubuntu Server 10.04.3 amd64
- Ubuntu Server 10.04.3 i386
- Ubuntu Server 12.04.01 amd64
- Red Hat Enterprise Linux 6.2 amd64
- CentOS 6.2 i386
- Scientific Linux 6.1 amd64
- OpenSUSE 12.1 amd64
- OpenSUSE 12.1 i386
- Solaris 11 11/11
- FreeBSD 9 amd64
- FreeBSD 9 i386
- OpenBSD 5.0 amd64
- NetBSD 5.1 amd64
- SUSE Linux Enterprise Server SP2 amd64
Database
MySQL is recommended as the primary database backend for use with OpenDNSSEC in production environments. SQLite is supported, but it is recommended that it is used only for testing. There are two reasons for this. Firstly, SQLite does not scale well as the number of zones requiring signing grows. Secondly, the current implementation of SQLite in OpenDNSSEC can be open to locking issues in certain circumstances.
Dependencies
OpenDNSSEC depends on a number of open-source packages, all of which must be installed on your system for OpenDNSSEC to build successfully.
The installation of dependencies guide shows which packages are required and how to download/install them.
Choose an HSM from any vendor that uses the PKCS#11 interface, or use SoftHSM, the software-only implementation of an HSM created by the OpenDNSSEC project. Follow these instructions on how to install SoftHSM.
Pre-built Binaries
You can find information about packages for your operating system here: http://www.opendnssec.org/download/packages/
Obtaining the Source Code
The latest version of OpenDNSSEC can be found as a tarball on http://www.opendnssec.org
The development (unstable) version of OpenDNSSEC is available from the GitHub repository and can be obtained using the following command:
git clone https://github.com/opendnssec/OpenDNSSEC.git
Building & Installing
If you downloaded the tarball then first untar it:
tar -xzf opendnssec-<VERSION>.tar.gz
cd opendnssec-<VERSION>
or if you are working from the repository:
cd OpenDNSSEC
sh autogen.sh
Then it is time to configure the build scripts:
You may also need some other options to configure.
--enable-timeshift For debugging purposes
--with-database-backend Select database backend (sqlite3|mysql) (default sqlite)
Use the following command to find out which other options are available:
The configure script defaults to --prefix=/usr/local, --sysconfdir=/etc, and --localstatedir=/var
Once configured, build OpenDNSSEC using:
... and install using ...
Post-installation
Depending on operating system, there may be a few additional steps required after installation.
Linux Users
Linux users need to rebuild the dynamic linker caches. To do this, issue the command:
sudo ldconfig [library-path [library-path ...]]
If OpenDNSSEC or any of the pre-requisites were installed in non-standard directories, the list of library paths should be specified as arguments on the command line.
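The configure, build and install steps above as one script, added here as an example (it is not part of the OpenDNSSEC documentation): it requests the MySQL backend explicitly for production, since the configure default is sqlite, and keeps the debugging option out of production builds. The function names, the production/test profiles and `ODS_RUN` are hypothetical, and `./configure`, `make` and `make install` are the usual autotools commands, assumed here.

```shell
#!/bin/sh
# Added example: helper names and build profiles are hypothetical.
# Assumes the standard autotools commands (./configure, make, make install).

# Print the configure arguments for a build profile, one per line.
ods_configure_args() {
    profile=$1; timeshift=${2:-no}
    # The configure script's documented defaults, spelled out for reproducibility.
    echo "--prefix=/usr/local"
    echo "--sysconfdir=/etc"
    echo "--localstatedir=/var"
    case $profile in
        production)
            # --enable-timeshift is for debugging only; keep it out of production.
            if [ "$timeshift" = yes ]; then
                echo "refusing --enable-timeshift in a production build" >&2
                return 1
            fi
            # configure defaults to sqlite, so mysql must be requested explicitly.
            echo "--with-database-backend=mysql" ;;
        test)
            # SQLite is supported, but recommended for testing only.
            echo "--with-database-backend=sqlite3"
            [ "$timeshift" = yes ] && echo "--enable-timeshift"
            return 0 ;;
        *)
            echo "unknown profile: $profile" >&2
            return 1 ;;
    esac
}

# Configure, build and install from the current source directory.
# Prints the commands (dry run) unless ODS_RUN=1 is set.
ods_build() {
    args=$(ods_configure_args "$@") || return 1
    run=echo; [ "${ODS_RUN:-0}" = 1 ] && run=
    # $args is intentionally unquoted: one argument per line, none contain spaces.
    $run ./configure $args || return 1
    $run make || return 1
    $run sudo make install || return 1
    # Linux only: rebuild the dynamic linker cache after installing libraries.
    if [ "$(uname -s)" = Linux ]; then $run sudo ldconfig; fi
}
```

Run `ods_build production` from the source directory to review the commands, then repeat with `ODS_RUN=1` to execute them.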