Configuring KNOT for Utimaco HSM

  1. Copy and use the sample zone file from the path below.

›_ Console

# cp /usr/share/doc/knot/samples/example.com.zone /var/lib/knot/

  2. By default, knotd logs to syslog. If you want knotd to write its log to a separate file instead, create that file manually with permissions that let the knot service user write to it, and set its location in the log section of /etc/knot/knot.conf.

›_ Console

# chmod 777 /tmp/cs_pkcs11_R3.log

  3. Open the knot.conf file and make the following changes for Utimaco (the keystore entry points at the Utimaco PKCS#11 module, and the DNSSEC policy references that keystore):

›_ Console

# This is a sample of a minimal configuration file for Knot DNS.
# See knot.conf(5) or refer to the server documentation.

server:
    rundir: "/run/knot"
    user: knot:knot
    automatic-acl: on
    background-workers: 2
#   listen: [ 127.0.0.1@53, ::1@53 ]

log:
  - target: /var/log/knotd.log
    any: debug
    control: debug
    zone: debug
    server: debug

database:
    storage: "/var/lib/knot"

remote:
#  - id: secondary
#    address: 192.168.1.1@53
#
#  - id: primary
#    address: 192.168.2.1@53

template:
  - id: default
    storage: "/var/lib/knot"
    file: "%s.zone"

# PKCS#11 keystore backed by the Utimaco HSM: the config value is the
# PKCS#11 URI (slot and PIN) followed by the path to the Utimaco module.
keystore:
  - id: UtimacoHSM
    backend: pkcs11
    config: "pkcs11:slot-id=0;pin-value=123456 /usr/local/lib/libcs_pkcs11_R3.so"

# Signing policy whose keys are generated and held in the HSM keystore.
policy:
  - id: MyRSAPolicy
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 2048
    ksk-lifetime: 1h
    zsk-lifetime: 10m
    propagation-delay: 5s
    dnskey-ttl: 30s
#   zone-max-ttl: 30s
    keystore: UtimacoHSM

zone:
#  # Primary zone
#  - domain: example.com
#    notify: secondary
#
#  # Secondary zone
#  - domain: example.net
#    master: primary

  - domain: example.com
    storage: /var/lib/knot
    file: example.com.zone
    dnssec-signing: on
    dnssec-policy: MyRSAPolicy

  4. After you have changed the knot.conf file, start the knot service with the commands below:

›_ Console

# systemctl daemon-reload

# systemctl start knot

Or, if you built Knot DNS from source, start the daemon directly:

›_ Console

# knotd -c <path to knot configuration file>/knot.conf
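Before starting knotd, it is worth checking what the steps above take for granted. The following POSIX shell script is an added example written for this guide (it is not Utimaco's or Knot DNS's own tooling): it splits the keystore `config:` value into the PKCS#11 URI and the module path, verifies the module exists, checks that knot.conf is readable only by its owner because the HSM PIN (pin-value) sits in it in clear text, and checks that the log target is owned by the user from the `user:` line. The helper names, the four-argument `preflight` interface and the paths in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks for the Knot DNS + PKCS#11 keystore setup above.
# Added example; not part of the Utimaco or Knot DNS documentation.
# Print the PKCS#11 module path from a Knot keystore "config:" value of
# the form "pkcs11:<attr>=<val>;... /path/to/module.so".
pkcs11_module_path() {
    printf '%s\n' "${1#* }"
}

# Print one attribute (e.g. slot-id, pin-value) from the pkcs11: URI part.
pkcs11_attr() {
    uri="${1%% *}"; uri="${uri#pkcs11:}"
    printf '%s\n' "$uri" | tr ';' '\n' | sed -n "s/^$2=//p"
}

# Succeed when FILE has no group/other permission bits. knot.conf carries the
# HSM PIN (pin-value) in clear text, so it should not be group/world readable.
owner_only() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in ?00) return 0 ;; *) return 1 ;; esac
}

# Succeed when FILE exists and is owned by USER, the account named in the
# "user:" line of knot.conf. Owner write access (e.g. mode 0640) is all the
# log target needs once knotd drops privileges; mode 777 is not required.
owned_by() {
    [ -e "$1" ] || return 1
    owner=$(stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1")
    [ "$owner" = "$2" ]
}

# preflight CONF KEYSTORE_CONFIG LOGFILE USER -> exit 0 if every check passes.
preflight() {
    conf=$1; ks=$2; logfile=$3; user=$4; rc=0
    module=$(pkcs11_module_path "$ks")
    [ -f "$module" ] || { echo "missing PKCS#11 module: $module"; rc=1; }
    [ -n "$(pkcs11_attr "$ks" slot-id)" ] || { echo "no slot-id in keystore config"; rc=1; }
    owner_only "$conf" || { echo "$conf is group/world readable but contains pin-value"; rc=1; }
    owned_by "$logfile" "$user" || { echo "$logfile missing or not owned by $user"; rc=1; }
    return "$rc"
}

# Usage with the paths from this guide (assumed; adjust to your install):
#   preflight /etc/knot/knot.conf \
#     "pkcs11:slot-id=0;pin-value=123456 /usr/local/lib/libcs_pkcs11_R3.so" \
#     /var/log/knotd.log knot && knotc -c /etc/knot/knot.conf conf-check
if [ "$#" -eq 4 ]; then preflight "$@"; fi
```

`knotc conf-check` in the usage line is Knot's own syntax check of the configuration file; run it only after the script reports no findings.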