Almost Ready for DNS-SEC but Slightly Confused in Home Stretch

Martin McCormick martin at
Fri Dec 10 16:17:57 UTC 2010

On my test box, I am not seeing any errors so I think we are
signing the test zone. The dnssec part of named.conf options
looks like:

dnssec-enable yes;
dnssec-validation yes;
           dnssec-lookaside auto;
managed-keys-directory "/etc/namedb/working";

	In the actual zone, I have:

zone "" {
	type master;
file "/etc/namedb/dynamic/";
   key-directory "/etc/namedb/dynamic/";
   auto-dnssec maintain;
            allow-update {
#list of other DNS's that are not official slaves
include "/etc/zoneconfigs/scnotify";
	notify yes;
        allow-query { any; };

I see not one complaint but I know that only takes care of our
zone signing.

	I did a dig on that box and looked up a host which
worked but the results were identical to what one would have
seen before any DNSSEC directives were added.

	Now for the dumb questions:

	Our chain of trust goes through Educause so I must get a
signature from them and somehow, I send them a key, probably a
ZSK that we then send them on a periodic basis as we also
download their new key on a periodic basis.

	That part, I am still as confused as ever. The
documentation I have found so far which one would hope would be
almost a cook book set of instructions has been more like asking
a passer-by on the street for the time and 18 hours later, he is
still describing how he made watches before electronic ones came
along. The theory is necessary, but this is a high priority
project and folks all up and down the chain of command really
wanted this done a long time ago but we first had to upgrade
bind and the OS on our platforms so things got a bit behind.

	I think that where we are now is that we have taken care
of the lookups for our zones and what is left is to secure the
recursive lookups. On our site, recursive lookups are not
allowed from outside our networks.

	Can we start signing our zones with the keys from
dnssec-keygen without any fear of broken lookups for those who
are not yet aware of dnssec?

	Is there, somewhere, a linear description of this
process that starts out like:

1.  Do this.

and leading up to 

x. Congratulations! you have dnssec working.

None of these steps in the puzzle have been hard, so far, but
for a totally externally-driven task, I just want to get it

	As a reminder, none of this is on our master DNS yet so
we are still doing the normal activities. Our firewalls are
supposed to be adjusted to allow the 4096-byte DNS packets in
the next day or so so all the testing is being done on another
box for now.

Thanks for all the help from this list. I think we are more
there than not, but we aren't home yet.

More information about the bind-users mailing list