DNSSEC Signing & Key Questions

Marc Lampo marc.lampo at eurid.eu
Wed Oct 5 06:17:31 UTC 2011


For 3) automate zone signing and zsk roll-over

I know of no tools that are readily available

- there are appliances (look in the IPAM world of products), that handle
DNSSEC for you.

However, I have in our “DNSSEC workshop” course environment a setup that
looks at time stamps of Linux files:

- zone data is stored in files

- when the (unsigned) data has a newer time stamp than the signed data, the
script regenerates RRSIGs

   -> to resign a zone, simply “touch” the file with unsigned data (e.g. once
a week)

- the script that generates RRSIGs does so with “all available” keys

   -> to perform ZSK rollover, simply add new ZSK/delete old ZSK (at
appropriate time)
        and “touch” the file with unsigned data

            (!!! Do respect key timing for deleting the old ZSK !!!)

- same principle works for KSK rollover as well,
   but the challenge there is to inform the parent of new KSK 

           (!!! + key timing matters !!!)

Using time stamps of files kind of uses the Linux file system as

Should work if the number of files is not too big – one would have to
consider using a real DB for larger number of zones.

Success with your move towards DNSSEC.

Kind regards,

Marc Lampo

Security Officer
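As an added example (not Marc's script and not EURid tooling), here is a minimal POSIX shell version of the timestamp-driven workflow described in the reply above, using BIND's dnssec-signzone. The directory paths, the naming convention (unsigned file `<zone>`, signed file `<zone>.signed`) and the `SIGNER` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Marc's script): re-sign a zone only when its unsigned
# file is newer than the signed one, using every key present in KEY_DIR.
# Paths, file naming and the SIGNER override are assumptions for this example.
ZONE_DIR="${ZONE_DIR:-/var/named/zones}"   # unsigned zone files, one per zone
KEY_DIR="${KEY_DIR:-/var/named/keys}"      # K<zone>.+<alg>+<id>.{key,private}
SIGNER="${SIGNER:-dnssec-signzone}"        # BIND's signer; replaceable for tests

# 0 (true) when <zone> is newer than <zone>.signed or no signed copy exists yet,
# i.e. the unsigned file was edited or "touched" since the last signing run.
needs_resign() {
    unsigned="$1"
    signed="$1.signed"
    [ ! -e "$signed" ] || [ "$unsigned" -nt "$signed" ]
}

# Sign one zone. -S makes dnssec-signzone pick up every K<zone>.* key pair in
# KEY_DIR, so adding a new ZSK or deleting the old one changes the key set on
# the next run; keys carrying dnssec-settime timing metadata are honoured, which
# is what enforces the "respect key timing" caveat. -N increment bumps the SOA.
sign_zone() {
    zone="$1"
    "$SIGNER" -S -K "$KEY_DIR" -N increment -o "$zone" "$ZONE_DIR/$zone" 1>&2
}

# Cron entry point: walk the zone directory, re-sign stale zones, and print the
# number of zones signed on stdout (signer chatter goes to stderr).
resign_stale() {
    count=0
    for file in "$ZONE_DIR"/*; do
        case "$file" in *.signed) continue ;; esac
        [ -f "$file" ] || continue
        zone=$(basename "$file")
        if needs_resign "$file"; then
            sign_zone "$zone" && count=$((count + 1))
        fi
    done
    echo "$count"
}
```

Run `resign_stale` from cron; forcing a weekly re-sign or a ZSK change is then just a `touch` of the unsigned file, as the reply describes.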


From: McConville, Kevin [mailto:kmcconville at albany.edu]
Sent: 04 October 2011 09:10 PM
To: bind-users at lists.isc.org
Subject: DNSSEC Signing & Key Questions

I’m new to this list, so please bear with me if these are/seem like
“newbie” questions.

We are currently evaluating a DNSSEC implementation. We have several
static zones that we would like to implement first. We are currently
using ISC BIND 9.7.4. In the test environment: (1) authoritative DNS
server and (1) resolver DNS server, both running RHEL 5.7. We do have an
on-hold OpenDNSSEC server w/SoftHSM (we are trying to look at the built-in
utilities of ISC BIND first).

We are trying to make the DNSSEC piece as automatic as possible, so here
are where we are having issues.

1) Is there any way to have the ZSK be auto-generated based upon the
inactive date listed in the ZSK meta-data? I know we can pre-publish and
then use dnssec-settime to change the meta-data, but still very hands-on.

2) With a static zone, are the update-policy local and auto-dnssec
maintain options invalid/don’t work? From the docs, they look like they
are only for automation of dynamic zones?

3) Are there any ways to automate zone signing and ZSK
generation/roll-over with a totally static zone environment?

4) What key-management, zone-signing management utilities or programs
have you found useful/helpful?

Any suggestions, comments, or questions are greatly appreciated. Thank you
in advance.



Kevin McConville

University at Albany
