dns-sec and Maintaining Human Sanity

Atkins, Brian (GD/VA-NSOC) Brian.Atkins2 at va.gov
Fri Aug 6 11:29:50 UTC 2010


I'm running 9.6 in our lab environment with DNSSEC enabled, not much
difficulty at all. To make it even easier, you might want to look at the
Webmin BIND module. It makes it even easier.

<shameless plug>Also, I went to ISC's BIND deployment workshop and found
it very insightful. </shameless plug>

Brian

-----Original Message-----
From: bind-users-bounces+brian.atkins2=va.gov at lists.isc.org
[mailto:bind-users-bounces+brian.atkins2=va.gov at lists.isc.org] On Behalf
Of Martin McCormick
Sent: Friday, August 06, 2010 7:24 AM
To: bind-users at isc.org
Subject: dns-sec and Maintaining Human Sanity


	I have started looking at various ways for our
organization to begin using DNSSEC, as this appears to be a high
management priority and it will eventually become necessary to
operate. We have a fairly simple structure with an official master and
slave, with dynamic DHCP continuously updating the zone.

	The one thing that impresses me about DNSSEC is that it
appears to be one of those things that will probably work fine
after installation, but getting there may be an adventure, to put
it mildly. There is an application called OpenDNSSEC that
appears to automate much of the key generation and rollover
logic and lets you use basically an unpublished master to handle
your zone, with OpenDNSSEC being the machine that takes your
zone from the master, signs it and is the public master as far
as the world is concerned. That is, if one can get the latest
version to compile under FreeBSD 8.0. So far, the configure
process is one dependency after another and I have yet to see it
actually finish, so that is shades of years gone by when
installing software was an art on good days.

	OpenDNSSEC makes sense, except that you need at least one more
real or virtual box to do DNS, and that is an issue on small
campuses. Is there any sense of the group as to how best to make
this problem become an automated non-issue?

	Here, we only allow trusted individuals and our DHCP
servers to have the TSIG keys which update our zones, so it may
make more sense to modify our main configuration, but that is why
I am asking questions.

	Half of me understands why this is necessary and the
other half just wants to automate, set and forget.

	We are upgrading all DNS and DHCP servers to FreeBSD 8.0
and my plan was to use BIND 9.6.x. If there is a better version for
DNSSEC, best to plan to use it now in order to slay as much
of this dragon which is breathing fire on the edge of town and
threatens to move in soon.

	The only thing set in stone right now is that we need to
get on the DNSSEC bandwagon. I am just trying to install steps
that don't break our legs as we climb up.

Many thanks.

Martin McCormick
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
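As an added example, not from either poster and not ISC's own documentation: a named.conf fragment for the setup Martin describes, a dynamic zone that only the DHCP servers may update via TSIG, with named signing the zone itself instead of shipping it to a separate OpenDNSSEC box. It assumes BIND 9.7 or later (`auto-dnssec maintain` is not in 9.6); the zone name example.org, the key names, paths, addresses and secrets are placeholders.

```conf
// Added example, not from the original thread. Assumes BIND 9.7+ and the
// placeholder zone example.org; all names, paths, addresses and secrets
// below are assumptions.

// TSIG key shared with the DHCP servers. Generate the secret with, e.g.:
//   dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST dhcp-update
// and copy the "Key:" line from the resulting .private file. Keep this
// stanza in a root-only include file rather than in named.conf itself.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

options {
    directory "/var/named";
    // Directory holding the zone's KSK and ZSK files
    // (K<zone>.+008+<keyid>.key / .private). named needs read access to
    // both; nothing else on the box needs the .private files.
    key-directory "/var/named/keys";
    dnssec-enable yes;
    dnssec-validation yes;   // only matters if this server also recurses
};

zone "example.org" {
    type master;
    file "dynamic/example.org.db";

    // Dynamic updates: only a requester signing with the dhcp-update key,
    // and only for names below the apex. The apex (SOA, NS, DNSKEY) stays
    // out of reach of the DHCP servers even if one of them is compromised.
    update-policy {
        grant dhcp-update subdomain example.org. ANY;
    };

    // named keeps RRSIG/NSEC records current on every update and
    // publishes/retires keys according to the timing metadata on the key
    // files (dnssec-keygen -P/-A, dnssec-settime). For a dynamic zone this
    // is what stands in for the separate OpenDNSSEC signer.
    auto-dnssec maintain;

    // Only the named slave gets the (signed) zone.
    allow-transfer { 192.0.2.2; };
};
```

Generate the keys into key-directory before named loads the zone (or restart named afterwards; newer 9.x releases add `rndc loadkeys example.org` to pick up new keys without a restart): `dnssec-keygen -K /var/named/keys -a RSASHA256 -b 2048 -f KSK example.org` for the KSK and `dnssec-keygen -K /var/named/keys -a RSASHA256 -b 1024 example.org` for the ZSK, then check with `dig @localhost example.org DNSKEY +dnssec`. Two caveats a practitioner would want: this puts the private keys on the same host that serves the zone, which is exactly what the hidden-master-plus-signer design in the quoted message avoids, so if that box is public-facing, restrict it to talking only to its slaves; and no configuration automates publishing the KSK's DS record (`dnssec-dsfromkey` on the KSK file) at the parent registry and re-doing it at every KSK rollover, so that is the step to script and monitor.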
