dnssec config sanity check
Paul B. Henson
henson at acm.org
Tue Oct 4 22:49:25 UTC 2011
On 10/3/2011 11:45 PM, Stephane Bortzmeyer wrote:
> Experience of DNSSEC deployment (see my paper at SATIN
> shows that custom programs have many timing bugs. Many things can go
> wrong Why not using an existing program such as OpenDNSSEC ?
From a quick read of your paper, I see you discovered many rollover
timing issues in the wild, but it doesn't look like those are correlated
with any particular tool. Other than knowing a given domain had an
issue, you have no idea what caused it, or what tool they may have been
using, and it is only an assumption that the issue arose from a custom
program... They could well have been using some existing programs such
as OpenDNSsec which presumably aren't guaranteed bug free :).
We initially implemented this over a year ago, but were delayed in
deployment when it turned out our ISP (who provides secondary services)
was running an ancient version of bind that didn't do dnssec 8-/. I
didn't find any good solutions available at the time.
Taking a look at OpenDNSsec, I don't think I'd use it even if we were
starting today; it is way over engineered for our requirements. I'm not
a big fan of XML configuration files, and I don't particularly want a
signing daemon running 24x7. The current capability of bind to
automatically select which keys to use based on their timing data, with
a minimal wrapper around it, provides more than enough functionality to
manage our relatively simple zones.
dnssec is fairly complicated, and the issue of timing can be complex,
but once the variables are determined than the actual procedures of
implementation are pretty simple. Generate keys with appropriate
publication, activation, inactivation, and deletion timings, and then
use them ;). My hope from my initial posting was to get a little peer
review of the appropriateness of the timings I've selected...
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
More information about the bind-users