$Id: README 3150 2010-04-08 11:36:13Z jakob $

The signer engine and its tools are part of the OpenDNSSEC project.
For more information, visit http://www.opendnssec.org

CONTENTS:
    INTRODUCTION
    DEPENDENCIES
    INSTALLATION
    INTERACTION FROM THE COMMAND LINE
    RUNNING WITHOUT THE KASP


-------------------------------------------------------------------
INTRODUCTION
-------------------------------------------------------------------

As part of the OpenDNSSEC project, the task of the signer engine is to
schedule signing operations on DNS zones. Taking its input from the KASP,
it will automatically sign zones and keep their signatures up to date.

In this version, it can do file-to-file signing or AXFR-to-file signing.
When a zone has changed, the engine can run a specified command, for
instance to signal an actual DNS server that it should reload its zones.

The current signer engine consists of three parts: the actual scheduler,
a set of tools to do zone manipulation, and a zone fetcher that takes care
of AXFR.

The scheduler is written in Python and is run as a daemon. When a zone
needs to be sorted or (re)signed, it will call the necessary tools,
which are written in C, to do the actual work. It uses a
worker/task-queue design, where the worker threads suspend until
there is something to do.

The zone fetcher is started by the scheduler if a zone fetch configuration
is present. The zone fetcher will do AXFR requests for all zones upon
startup and upon receiving a valid NOTIFY message.

-------------------------------------------------------------------
DEPENDENCIES
-------------------------------------------------------------------

The C-based tools depend on the ldns library
http://www.NLnetLabs.nl/projects/ldns
and can only be used in conjunction with a PKCS#11 library (a software
implementation of which, SoftHSM, is supplied with OpenDNSSEC).

The Python part of the engine depends on the 4Suite XML implementation
(the package name for Ubuntu is python-4suite-xml).


-------------------------------------------------------------------
INSTALLATION
-------------------------------------------------------------------

To build and install the signer engine, the following steps are needed:

From the base directory <opendnssec>/signer

autoreconf --install
./configure
make
make install

This will build the C-based tools, and set up the tools and engine to
use the options provided with configure:

--with-ldns=<dir> The base directory (prefix) of your ldns installation,
                  if it isn't in your standard path.
--prefix=<dir>    Installation directory. All files will be installed
                  relative to this path, and default search paths will
                  be relative to the prefix. Defaults to /usr/local.

The tools, and the main engine invocation script, will be installed in
<prefix>/bin
The python libraries will be installed in
<prefix>/lib/python/signer_engine/

-------------------------------------------------------------------
INTERACTION FROM THE COMMAND LINE
-------------------------------------------------------------------

If the engine is running (see the next section on how to run
one manually), you can interact with it using the tool ods-signer.

If you give no arguments, it will connect to the engine and go to
interactive mode. Only the start command cannot be called in
interactive mode. The command 'help' shows a list of possible
commands:
$ ods-signer
cmd> help
 Commands:
zones           show the currently known zones
sign <zone>     schedule zone for immediate signing
queue           show the current task queue
flush           execute all scheduled tasks immediately
update          re-read the zonelist xml file
                and check for changed zoneconf.xml files
stop            stop the engine
start           start the engine (only when signer is not running)
verbosity <nr>  set verbosity (notimpl)

cmd> quit

You can also use these commands directly from your shell, by giving
them as arguments to ods-signer. If you do this, the CLI will
execute the command and quit.
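
The following is an added illustration, written for this README and not
part of the OpenDNSSEC engine, of the worker/task-queue design described
in the INTRODUCTION together with the 'sign', 'queue' and 'flush'
commands listed above. The task kinds ('sort', 'sign'), the resign
interval and all names in it are assumptions made for the example; the
real engine's classes and intervals are not shown on this page.

```python
# Added illustration, not OpenDNSSEC's own code: a minimal worker/task-queue
# scheduler with 'sign', 'queue' and 'flush' operations.  Task kinds, the
# resign interval and all names are assumptions made for this example.
import heapq
import itertools
import threading
import time


class Task:
    """One unit of work for a zone, due at an absolute time (seconds)."""
    _seq = itertools.count()   # tie-breaker so equal due times run FIFO

    def __init__(self, when, zone, what):
        self.when = when
        self.zone = zone
        self.what = what       # 'sort' or 'sign' (assumed task kinds)
        self.seq = next(Task._seq)

    def __lt__(self, other):
        return (self.when, self.seq) < (other.when, other.seq)


class Scheduler:
    def __init__(self, resign_interval=3600.0, clock=time.time):
        self.resign_interval = resign_interval   # assumed: resign hourly
        self.clock = clock
        self._heap = []                          # min-heap of Task by due time
        self._cv = threading.Condition()
        self._stop = False
        self.log = []                            # (zone, what) of executed tasks

    def schedule(self, zone, what, when):
        with self._cv:
            heapq.heappush(self._heap, Task(when, zone, what))
            self._cv.notify()                    # wake a suspended worker

    def sign(self, zone):
        """'sign <zone>': schedule the zone for immediate signing."""
        self.schedule(zone, "sign", self.clock())

    def queue(self):
        """'queue': pending tasks as (due, zone, what), earliest first."""
        with self._cv:
            return [(t.when, t.zone, t.what) for t in sorted(self._heap)]

    def flush(self):
        """'flush': make every pending task due now, keeping their order."""
        with self._cv:
            now = self.clock()
            for t in self._heap:
                t.when = now
            heapq.heapify(self._heap)
            self._cv.notify_all()

    def stop(self):
        with self._cv:
            self._stop = True
            self._cv.notify_all()

    def run_once(self):
        """Worker body: suspend until the earliest task is due, run it and
        return it; return None once stop() has been called."""
        with self._cv:
            while True:
                if self._stop:
                    return None
                if not self._heap:
                    self._cv.wait()               # nothing to do: suspend
                    continue
                delay = self._heap[0].when - self.clock()
                if delay > 0:
                    self._cv.wait(timeout=delay)  # due later: suspend until then
                    continue
                task = heapq.heappop(self._heap)
                break
        self._execute(task)
        return task

    def _execute(self, task):
        # In the real engine this is where the C tools would be invoked.
        self.log.append((task.zone, task.what))
        if task.what == "sign":
            # keep signatures up to date: reschedule before they expire
            self.schedule(task.zone, "sign", self.clock() + self.resign_interval)

    def start_worker(self):
        """Run run_once() in a daemon thread until stop() is called."""
        def loop():
            while self.run_once() is not None:
                pass
        worker = threading.Thread(target=loop, daemon=True)
        worker.start()
        return worker
```

The worker never polls: it blocks on the condition variable either
indefinitely (empty queue) or until the earliest due time, and every
schedule/flush/stop call wakes it. 'flush' only moves due times forward,
so the relative order of the queued work is preserved.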

-------------------------------------------------------------------
RUNNING WITHOUT THE KASP
-------------------------------------------------------------------

If you want to test the engine on its own, or run it without using
the KASP module, you will need to perform the following steps.

The engine must first be installed, following the steps in the section
INSTALLATION.

HSM
---
You will need to set up an HSM module. If you use SoftHSM, you will
need to make sure that a token is initialized, and that the correct
softhsm.conf file is set in the environment variable $SOFTHSM_CONF.

Some keys should be present in the token. If not, you can generate
them with the hsm-toolkit from OpenDNSSEC.


conf.xml
--------

You will need to either create or update the
<prefix>/etc/opendnssec/conf.xml file to match your setup;
the <Repository> element should contain the name of the
token you have initialized in your HSM and the complete path of the
module library (e.g. <prefix>/lib/libsofthsm.so). Optionally you
can specify a PIN value here too. If you do not specify it, the engine
will prompt for it.

If you run a nameserver, you will need to create a little script
that tells that server to reload its zones, and point to that
script with the element <NotifyCommand> below <Signer>.

The rest of the values can be left to their defaults.

The elements and their exact meanings are described here:
http://www.opendnssec.se/browser/trunk/conf/opendnssec/conf.rnc
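
As an added check (example code written for this README, not part of
OpenDNSSEC), the script below reads a conf.xml and reports the things
from this section that most often go wrong: a missing module path or
token name, a PIN stored in a file that other users can read, and a
<NotifyCommand> script that other users can modify even though the
engine will execute it. The element names Module, TokenLabel and PIN
below <Repository> are assumed from OpenDNSSEC's conf.xml layout and
should be confirmed against conf.rnc for your version; the embedded
conf.xml is a constructed sample.

```python
# Added example, not OpenDNSSEC's own code.  Element names Module, TokenLabel
# and PIN under <Repository>, and <NotifyCommand> under <Signer>, are assumed
# from OpenDNSSEC's conf.xml layout; check them against conf.rnc.
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample conf.xml for the example (paths and PIN are made up).
SAMPLE_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/usr/local/lib/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
    </Repository>
  </RepositoryList>
  <Signer>
    <NotifyCommand>/usr/local/sbin/reload-zones.sh</NotifyCommand>
  </Signer>
</Configuration>
"""

GROUP_WORLD_READ = stat.S_IRGRP | stat.S_IROTH
GROUP_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def check_conf(xml_text, conf_mode, stat_path):
    """Return a list of findings for one conf.xml.
    conf_mode:  permission bits of the conf.xml file itself
    stat_path:  callable p -> (exists, mode), so the check can run without
                the real files (check_conf_file supplies the os.stat version)
    """
    findings = []
    root = ET.fromstring(xml_text)
    repos = root.findall("./RepositoryList/Repository")
    if not repos:
        findings.append("no <Repository> configured")
    for repo in repos:
        name = repo.get("name", "?")
        module = repo.findtext("Module")
        token = repo.findtext("TokenLabel")
        pin = repo.findtext("PIN")
        if not module:
            findings.append(f"repository {name}: <Module> missing")
        elif not stat_path(module)[0]:
            findings.append(f"repository {name}: module {module} not found")
        if not token:
            findings.append(f"repository {name}: <TokenLabel> missing")
        # A PIN in conf.xml is only as secret as the file: anyone who can read
        # it can use the signing keys.  Omit the PIN and let the engine prompt,
        # or restrict the file to the engine's user.
        if pin is not None and conf_mode & GROUP_WORLD_READ:
            findings.append(f"repository {name}: PIN stored but conf.xml "
                            "is group/world readable")
    cmd = (root.findtext("./Signer/NotifyCommand") or "").strip()
    if cmd:
        exe = cmd.split()[0]
        exists, mode = stat_path(exe)
        if not exists:
            findings.append(f"NotifyCommand {exe} not found")
        # The engine runs this script whenever a zone changes; anyone who can
        # modify it runs code with the engine's privileges.
        elif mode & GROUP_WORLD_WRITE:
            findings.append(f"NotifyCommand {exe} is group/world writable")
    return findings


def check_conf_file(path):
    """Run check_conf against a real conf.xml and the real filesystem."""
    def stat_path(p):
        try:
            return True, stat.S_IMODE(os.stat(p).st_mode)
        except OSError:
            return False, 0
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return check_conf(text, stat.S_IMODE(os.stat(path).st_mode), stat_path)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/opendnssec/conf.xml"
    for line in check_conf_file(target) or ["no findings"]:
        print(line)
```

Run it as "python3 check_conf.py <prefix>/etc/opendnssec/conf.xml" before
starting the engine; a clean run prints "no findings".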

zonelist.xml
------------

You can tell the engine what zones to sign with
<prefix>/etc/zonelist.xml
An example zone list file can be found at
http://www.opendnssec.se/browser/trunk/conf/opendnssec/zonelist.xml

The elements and their exact meanings are described here:
http://www.opendnssec.se/browser/trunk/conf/opendnssec/zonelist.rnc

This file specifies, for each zone, the location of its signer
configuration and its input and output files.


zonefetch.xml
-------------

You can tell the engine where and how to get the zones from the master
servers with
<prefix>/etc/zonefetch.xml
An example zone fetch file can be found at
http://www.opendnssec.se/browser/trunk/conf/opendnssec/zonefetch.xml

The elements and their exact meanings are described here:
http://www.opendnssec.se/browser/trunk/conf/opendnssec/zonefetch.rnc

This file specifies the interface to listen for NOTIFY messages on,
the master servers that are allowed to send NOTIFY messages and that
are contacted for zone transfers, and optionally the TSIG credentials.
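
The checks behind "a valid NOTIFY message" (INTRODUCTION) and the
master allowlist of this section, as an added example written for this
README and not the zone fetcher's own code: a NOTIFY only triggers a
fetch when it is a request with opcode NOTIFY, its question is SOA/IN,
the zone is one that is configured, and the sender is a listed master
for that zone. The packet builder exists only to construct sample
input; the zone names and master addresses are made up.

```python
# Added example, not the zone fetcher's own code: the checks a fetcher applies
# before a NOTIFY may trigger an AXFR.  build_message() only constructs sample
# input; zone names and addresses used with it are made up for the example.
import ipaddress
import struct

OPCODE_NOTIFY = 4   # RFC 1996
QTYPE_SOA = 6
QCLASS_IN = 1


def parse_question(msg):
    """Parse a DNS header and its single question section.
    Returns (id, qr, opcode, qname, qtype, qclass); raises ValueError
    on anything malformed or truncated."""
    if len(msg) < 12:
        raise ValueError("short header")
    ident, flags, qdcount, _, _, _ = struct.unpack("!6H", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    qname = ".".join(labels) + "."          # normalised: lower case, absolute
    return ident, flags >> 15, (flags >> 11) & 0xF, qname, qtype, qclass


def notify_accepted(msg, source_ip, masters):
    """Decide whether a datagram from source_ip should trigger a zone fetch.
    `masters` maps a zone name (lower case, trailing dot) to the addresses
    allowed to send NOTIFY for it.  Returns (zone, reason); zone is None
    when the message is rejected."""
    try:
        _, qr, opcode, qname, qtype, qclass = parse_question(msg)
    except (ValueError, UnicodeDecodeError) as exc:
        return None, f"malformed: {exc}"
    if qr != 0:
        return None, "not a request"
    if opcode != OPCODE_NOTIFY:
        return None, f"opcode {opcode} is not NOTIFY"
    if (qtype, qclass) != (QTYPE_SOA, QCLASS_IN):
        return None, "question is not SOA/IN"
    if qname not in masters:
        return None, f"unknown zone {qname}"
    allowed = {ipaddress.ip_address(a) for a in masters[qname]}
    if ipaddress.ip_address(source_ip) not in allowed:
        return None, f"{source_ip} is not a configured master for {qname}"
    return qname, "ok"


def build_message(ident, zone, opcode=OPCODE_NOTIFY):
    """Construct a minimal request with one SOA/IN question (sample input)."""
    flags = (opcode << 11) | (1 << 10)     # AA bit set, as masters do on NOTIFY
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in zone.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
```

The source-address match is the weakest of these checks, since the
source of a UDP datagram can be forged; what authenticates the exchange
is the TSIG credentials this file can carry for the transfer itself.
Rejected messages are worth logging with their reason, so that a stray
or misconfigured master shows up rather than silently failing to
trigger fetches.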


zone configuration
------------------

At the location pointed to in your zonelist.xml, you should create
a signer configuration xml file. An example can be found at:
http://www.opendnssec.se/browser/trunk/conf/opendnssec/signconf.xml

The elements and their exact meanings are described here:
http://www.opendnssec.se/browser/trunk/conf/opendnssec/signconf.rnc


zone file
---------

Finally, you will need to give the engine an actual zone file to
work on. You will have already specified the location of this file
in the zonelist.xml file above.


running the engine
------------------

You can run the engine by calling <prefix>/sbin/ods-signer start

If everything is OK, you should see the following output:
$ ./ods-signer start
Python engine proof of concept, v 0.0002 alpha
Zone list updated: 0 removed, 1 added, 0 updated
output redirected to syslog
$

The engine has daemonized itself and should be running. You can
check that it is by using ods-signer as described in the
section INTERACTION FROM THE COMMAND LINE.
