dns-sec and Maintaining Human Sanity

Tony Finch dot at dotat.at
Fri Aug 6 22:36:27 UTC 2010


On Fri, 6 Aug 2010, Martin McCormick wrote:

> 	I have started looking at various ways for our
> organization to begin using dns-sec as this appears to be a high
> management priority and it will eventually become necessary to
> operate. We have a fairly simple structure with an official master and
> slave with dynamic DHCP continuously updating the zone.

Phil Mayers is right. Use BIND 9.7's built-in automated signing and follow
Phil's suggested setup. BIND's DNSSEC support is designed to work well
with a zone that is maintained using dynamic updates. Switching from
static files to dynamic updates is one of the keys to working well with
BIND and DNSSEC. You have already done that so you should feel happy :-)

OpenDNSSEC predates BIND's auto-signing functionality, so it has become
partly obsolete - but not completely. (As far as I can tell from a couple
of looks at its documentation, it does not do large and/or dynamic zones
very well. It seems to be designed to cope with spreading the CPU load of
signing a very large number of mostly static zones using PKCS#11 crypto
hardware.) It also does key management, and BIND does not yet do that for
you. All you need to add is a cron job to run dnssec-keygen every so often
with the right options.

Sadly key management and rollover is still one of the most difficult areas
of DNSSEC because there are so many interacting variables to get to grips
with and the documentation is poor. For BIND the key things you need to
know about are the sig-validity-interval option which controls the
lifetime of RRSIG records, and dnssec-settime which sets the lifetime
parameters of a DNSKEY.
http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing and
http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis explain how the
parameters interact but are a bit intimidating. I don't know of any
tutorials or documents that cut down the parameter space to something
manageable without sweeping the whole lot under the carpet.

You also need to know that there is a lot of obsolete cruft in the
dnssec-keygen manual page related to discarded bits of pre-4035 DNSSEC and
the only non-trivial options you need to understand are -a -b -3 -e -f.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
WIGHT PORTLAND PLYMOUTH NORTH BISCAY: SOUTHWESTERLY VEERING WESTERLY OR
NORTHWESTERLY, 4 OR 5, OCCASIONALLY 6 AT FIRST. MODERATE, OCCASIONALLY ROUGH
IN PLYMOUTH AND NORTH BISCAY. RAIN OR SHOWERS, FAIR LATER. MODERATE OR GOOD,
OCCASIONALLY POOR.
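
Added example (not part of Tony's post or of BIND's own tooling): a small
shell script that ties together the pieces the post names, the
auto-dnssec zone stanza for a dynamically updated master, the cron-style
dnssec-keygen call with the -a -b -3 -f options, and the
dnssec-settime/sig-validity-interval timing for a pre-publish ZSK
rollover. It only prints the configuration and the command lines it
would run, so the plan can be checked before anything touches a live
zone. The zone name, key directory, TSIG key name, key file name and
every number below are assumptions; the timing rule it applies is the
conservative one (a retired key stays published until its last
signature has expired from caches).

```shell
#!/bin/sh
# Added example, not from the original post. Prints the BIND 9.7 zone stanza and the
# dnssec-keygen / dnssec-settime command lines for a pre-publish ZSK rollover, derived
# from a few timing inputs, instead of executing them. All names and numbers are assumed.

ZONE="example.net"                 # assumed zone
KEYDIR="/var/named/keys"           # assumed key-directory
DNSKEY_TTL_DAYS=1                  # assumed TTL of the DNSKEY RRset (86400s)
PROPAGATION_DAYS=1                 # margin for slaves and caches to pick up a new DNSKEY
SIG_VALIDITY_DAYS=30               # sig-validity-interval in named.conf (BIND's default)
ZSK_LIFETIME_DAYS=90               # policy: how long a ZSK actively signs before retiring

# A new ZSK may only start signing once every cache can already hold its DNSKEY:
# publish it now, activate it one DNSKEY TTL plus a propagation margin later.
prepublish_days() {
    echo $((DNSKEY_TTL_DAYS + PROPAGATION_DAYS))
}

# A retired ZSK must stay in the DNSKEY RRset until every RRSIG it produced has
# expired from caches: signature lifetime plus one TTL after it went inactive.
post_retire_days() {
    echo $((SIG_VALIDITY_DAYS + DNSKEY_TTL_DAYS))
}

# Zone stanza for named.conf: named refreshes RRSIGs itself (auto-dnssec maintain)
# while the DHCP server keeps updating the zone via a TSIG key (name assumed).
named_conf_zone() {
    cat <<EOF
zone "$ZONE" {
    type master;
    file "dynamic/$ZONE.db";
    key-directory "$KEYDIR";
    auto-dnssec maintain;
    update-policy { grant dhcp-update-key subdomain $ZONE. A TXT DHCID; };
    sig-validity-interval $SIG_VALIDITY_DAYS;
};
EOF
}

# Replacement ZSK with its whole lifecycle fixed at creation: -P publish, -A activate,
# -I stop signing, -D remove from the zone. -3 asks for an NSEC3-capable algorithm
# (RSASHA256 already is; the flag guards against a later change of -a).
new_zsk_cmd() {
    zsk_act=$(prepublish_days)
    zsk_inact=$((zsk_act + ZSK_LIFETIME_DAYS))
    zsk_del=$((zsk_inact + $(post_retire_days)))
    echo "dnssec-keygen -K $KEYDIR -a RSASHA256 -b 1024 -3 -P +0 -A +${zsk_act}d -I +${zsk_inact}d -D +${zsk_del}d $ZONE"
}

# Retire the current ZSK (its key file base name is the argument) so it stops signing
# exactly when the new key starts, and is withdrawn once its signatures have expired.
retire_zsk_cmd() {
    old_inact=$(prepublish_days)
    old_del=$((old_inact + $(post_retire_days)))
    echo "dnssec-settime -K $KEYDIR -I +${old_inact}d -D +${old_del}d $1"
}

# KSK: -f KSK sets the SEP flag. No timing here, because rolling a KSK also means
# replacing the DS record at the parent, which this script cannot automate.
new_ksk_cmd() {
    echo "dnssec-keygen -K $KEYDIR -a RSASHA256 -b 2048 -3 -f KSK $ZONE"
}

echo "# named.conf fragment"
named_conf_zone
echo "# one-off KSK generation"
new_ksk_cmd
echo "# cron job body: run when the active ZSK nears the end of its lifetime"
new_zsk_cmd
retire_zsk_cmd "Kexample.net.+008+12345"   # current ZSK's key file name (hypothetical)
```

Running it shows the rollover as a timeline: the new key is published
at once and becomes active after two days, the old key goes inactive at
that same moment and is deleted 31 days after that, and the new key
carries its own retirement dates so the next cron run only has to
repeat the pair of commands.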