DNSSEC Signing & Key Questions
mje at posix.co.za
Tue Oct 4 19:53:33 UTC 2011
Played with OpenDNSSEC - and was a bit disappointed. Actually flew to
Sweden and attended the course. It works - but acts like a black box -
you don't have any finger-poking ability when things go wrong (for fun -
we deleted a key out of the HSM - bad idea!)
I don't like having to run everything Dynamic - which seems to be how
ISC and Bind is currently heading.
I eventually sat down and wrote a Bash Script. It's periodically called
from Cron. It understands Static zones with None (no DNSSEC), NSEC and
NSEC3 forms of DNSSEC. It kinda knows what a dynamic zone is - and
mostly keeps its hands off. It manages Serial Number detection and Updating via
keeping a CheckSum of the zone and comparing/detecting changes - so you
can use the script on non-signed zones - just change the Data - it'll
update the SOA Serial and do an RNDC RELOAD for you.
You can look at it on "www.posixafrica.com" - there is a presentation
there as well that I did at an AfriNIC conference.
I personally use the script for my primary domain (posix.co.za) and
several others. No problems so far....
ZSKs are totally automated, KSKs which generate the DS records are
automated if you run Children of parents under your control (Reverse IP
addresses!). There is a method of running a command for Parent zones -
which could be for example to run an EPP client to update the DS records
at the Registry. OpenDNSSEC comes with such a client.
You asked about ZSKs - I run a cron driven rollover so no ZSK is more
than 34 days old (age of the file holding the key - could be modified to
read Meta-Data?). New ZSKs are created every 17 days (old ones
deleted). KSKs are never older than about a year - with a new KSK
generated every 6 months. I guess this could be modified/customised per
zone - but these are very close to the default values. This means you
end up with two ZSKs and two KSKs per zone. This could be further
modified to remove older Keys after appropriate time delays - but...
You should use the Directory structure I suggest - rather - this keeps
files more manageable (Directory per zone). I don't put keys into any
HSM - kinda waiting on Bind to include a patch to work with Rickard
Bellgrim's SoftHSM (now that would be something!) That should one day be
On Tue, 2011-10-04 at 19:09 +0000, McConville, Kevin wrote:
> I’m new to this list, so please bear with me if these are/seem like
> “newbie” questions.
> We are currently evaluating a DNSSEC implementation. We have several
> static zones that we would like to implement first. We are currently
> using ISC Bind 9.7.4 – In the test environment (1) Authoritative dns
> server and (1) Resolver dns server, both running RHEL 5.7. We do have
> an on-hold Opendnssec server w/softhsm (we are trying to look at the
> built-in utilities of isc bind first).
> We are trying to make the DNSSEC piece as automatic as possible, so
> here are where we are having issues.
> 1) Is there any way to have the zsk be auto-generated based upon
> the inactive date listed in the zsk meta-data? I know we can
> pre-publish and then use dnssec-settime to change the meta-data, but
> still very hands-on.
> 2) With a static zone, are the update-policy local and auto-dnssec
> maintain options invalid/don’t work? From the docs, they look like
> they are only for automation of dynamic zones?
> 3) Are there any ways to automate zone signing and zsk
> generation/roll-over with a totally static zone environment?
> 4) What key-management, zone-signing management utilities or
> programs have you found useful/helpful?
> Any suggestions, comments, or questions are greatly appreciated. Thank
> you in advance.
> Kevin McConville
> University at Albany
Mark Elkins <mje at posix.co.za>
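A shell sketch of the file-age-driven ZSK rollover described in the reply above (an added example written for this page, not the script from posixafrica.com): it retires ZSKs older than 34 days, leaves a KSK in the same zone directory alone by checking the DNSKEY flags field, and generates a fresh ZSK once the newest one is 17 days old. The KEYGEN hook and the RSASHA256/1024-bit generator parameters are assumptions, not the poster's settings.

```bash
#!/bin/bash
# Added example, not the poster's script: a cron-style ZSK rollover with the
# posted policy (new ZSK every 17 days, none kept past 34 days), key age taken
# from the mtime of the .key file. Assumes one directory per zone holding
# dnssec-keygen output (K<zone>.+<alg>+<tag>.key/.private) and GNU stat/date.
# KEYGEN is a hypothetical hook so tests can swap the generator.
set -u
NEW_EVERY_DAYS=${NEW_EVERY_DAYS:-17}
MAX_AGE_DAYS=${MAX_AGE_DAYS:-34}
KEYGEN=${KEYGEN:-dnssec-keygen}

# A .key file is a ZSK when its DNSKEY flags are 256 (257 = KSK/SEP), so a
# KSK sharing the zone directory is never retired by this rollover.
is_zsk() { grep -Eq '[[:space:]]DNSKEY[[:space:]]+256[[:space:]]' "$1"; }

file_age_days() { echo $(( ( $(date +%s) - $(stat -c %Y "$1") ) / 86400 )); }

list_zsks() {   # every ZSK .key file in DIR, one per line
    local f
    for f in "$1"/K*.key; do [ -f "$f" ] && is_zsk "$f" && echo "$f"; done
    return 0
}

newest_zsk() {  # most recently modified ZSK .key file in DIR; fails if none
    local f
    for f in $(ls -t "$1"/K*.key 2>/dev/null); do
        is_zsk "$f" && { echo "$f"; return 0; }
    done
    return 1
}

# zsk_rollover ZONE DIR: retire ZSKs older than MAX_AGE_DAYS (.key and
# .private), then generate a fresh ZSK when the newest one has reached
# NEW_EVERY_DAYS or none is left. One line per action, for the cron mail.
zsk_rollover() {
    local zone=$1 dir=$2 f age newest
    for f in $(list_zsks "$dir"); do
        age=$(file_age_days "$f")
        if [ "$age" -gt "$MAX_AGE_DAYS" ]; then
            rm -f "$f" "${f%.key}.private"
            echo "retired $(basename "$f") (age ${age}d)"
        fi
    done
    newest=$(newest_zsk "$dir") && age=$(file_age_days "$newest") || age=-1
    if [ "$age" -lt 0 ] || [ "$age" -ge "$NEW_EVERY_DAYS" ]; then
        "$KEYGEN" -a RSASHA256 -b 1024 -n ZONE -K "$dir" "$zone" >/dev/null
        echo "generated new ZSK for $zone"
    fi
}
```

Re-signing the zone and the rndc reload after a key change are left to the surrounding script, as in the post; note that a ZSK is only safe to delete once it has been out of the signed zone for longer than the zone's TTLs, which the 34-day limit is meant to cover.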