DNSSEC: Configuring auto-signed dynamic zone

Mark Andrews marka at isc.org
Mon Feb 15 23:54:31 UTC 2010


In message <4B798DB8.2050604 at average.org>, Eugene Crosser writes:
> 
> Hello everyone, I am new here.
> 
> I am running a manually signed zone (average.org) for my domain for some
> time now. I also have a separate subdomain zone (dyn.average.org) that
> allows dynamic updates, and that is currently not signed. BIND version
> is 9.5.1 (Debian stable).
>
> I would like to make the dynamic zone automatically signed.
> I did not find any documentation about how to do that, but from reading
> the manuals and other people's notes on this mailing list, I figured that I
> probably need to put both private and public keys for the zone in a
> directory configured as "key-directory" and make them readable to
> BIND's user ID. But what else?
>  - do I need to sign the zone initially by hand?
>  - do I need to insert the DNSKEY public key record into the zone?
>  - or should I include it in the "upper" zone?
> 
> I don't want to make the private KSK readable by BIND, only the ZSK for this one
> zone. So, apparently I need to arrange things in such a way that the DNSKEY
> for dyn.average.org is signed manually. Will it suffice to put it into the
> average.org zone and re-sign it manually?
> 
> What else do I need to take care of?

Firstly, upgrade to BIND 9.6.0 or later as it supports re-signing
of the zone as required.  BIND 9.5 and earlier requires that the zone
be frozen, signed, reloaded and thawed periodically to refresh the
signatures.

The simplest way to get started with BIND 9.6.x is to sign the zone
initially with dnssec-signzone, then let named take over.  You need
to add the DNSKEY records to the zone prior to signing.

BIND 9.7.0 has "rndc sign <zone>", which will bootstrap the process
provided the keys are in place.

To provide DNSSEC linkages between zones, the parent zone needs to
have DS records added at the delegation point which match self-signed
DNSKEY records in the child zone, and the parent zone also
needs to be signed.  dnssec-signzone will generate a dsset file,
or you can use dnssec-dsfromkey to generate the DS records from
the DNSKEY records.
 
Mark

> Thanks in advance!
> 
> Eugene
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
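The parent-side DS records Mark describes in his last paragraph are a deterministic function of the child's DNSKEY: a key tag over the DNSKEY RDATA (RFC 4034 Appendix B) and a digest over the canonical owner name plus that RDATA (RFC 4034 section 5.1.4). The following Python is an added example that reimplements that computation so the linkage can be checked by hand; it is not ISC's code and not what dnssec-dsfromkey runs. The DNSKEY it parses is a constructed record for dyn.average.org with a dummy 64-byte public key, not a real key for that zone.

```python
"""Added example: derive the key tag and parent-side DS records from a child zone's
DNSKEY (RFC 4034 s5.1.4 and Appendix B). Illustration code, not ISC's implementation."""
import base64
import hashlib
from dataclasses import dataclass

# Constructed DNSKEY for the demonstration: NOT a real key for dyn.average.org. The bytes
# 0..63 stand in for an ECDSA P-256 public key (algorithm 13); flags 257 means ZONE + SEP,
# i.e. a KSK, the key the parent's DS should reference.
CONSTRUCTED_PUBKEY = bytes(range(64))
CONSTRUCTED_DNSKEY = ("dyn.average.org. 3600 IN DNSKEY 257 3 13 "
                      + base64.b64encode(CONSTRUCTED_PUBKEY).decode("ascii"))

# DS digest types: 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605). SHA-1 (type 1) is
# deliberately left out; it should not be used for new DS records.
DIGEST_TYPES = {2: hashlib.sha256, 4: hashlib.sha384}

FLAG_ZONE = 0x0100  # bit 7: this is a zone key
FLAG_SEP = 0x0001   # bit 15: secure entry point (KSK)


@dataclass
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey


def canonical_name(name: str) -> str:
    """Lower-case, fully qualified owner name (RFC 4034 s6.2 canonical form)."""
    return name.lower().rstrip(".") + "."


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: each label length-prefixed, ending in the root label."""
    stripped = canonical_name(name).rstrip(".")
    out = b""
    for label in (stripped.split(".") if stripped else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line: str) -> DNSKEY:
    """Parse presentation form 'owner [TTL] [IN] DNSKEY flags proto alg base64...'."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may span several tokens
    return DNSKEY(fields[0], flags, protocol, algorithm, pubkey)


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (the historic RSA/MD5 rule for algorithm 1 is not implemented)."""
    if key.algorithm == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    ac = 0
    for i, b in enumerate(key.rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(key: DNSKEY) -> bool:
    """True for a zone key with the SEP bit (flags 257): the one the parent DS should match."""
    return bool(key.flags & FLAG_ZONE) and bool(key.flags & FLAG_SEP)


def ds_record(key: DNSKEY, digest_type: int = 2) -> str:
    """DS RR for the parent zone: digest of canonical owner name + DNSKEY RDATA (RFC 4034 s5.1.4)."""
    if not key.flags & FLAG_ZONE:
        raise ValueError("not a zone key; no DS should be published for it")
    if key.protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    digest = DIGEST_TYPES[digest_type](name_to_wire(key.owner) + key.rdata).hexdigest().upper()
    return f"{canonical_name(key.owner)} IN DS {key_tag(key)} {key.algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    key = parse_dnskey(CONSTRUCTED_DNSKEY)
    print(f"; key id = {key_tag(key)}, KSK = {is_ksk(key)}")
    for dt in DIGEST_TYPES:
        print(ds_record(key, dt))
```

Two details matter for Eugene's setup: the DS must be built from the KSK (flags 257) that signs the child's DNSKEY RRset, and the owner name goes into the digest in canonical lower-case wire form, so a DS computed from "DYN.Average.org" and one from "dyn.average.org." are identical. Run against a real Kdyn.average.org.+013+NNNNN.key file, the output should match what dnssec-dsfromkey -2 prints for the same key; the records then go into the average.org zone, which must be re-signed.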