DNSSEC made simple, is this possible?

Mark Elkins mje at posix.co.za
Wed Jan 11 17:24:17 UTC 2012


On Wed, 2012-01-11 at 11:50 -0500, Howard Leadmon wrote:
> Thanks, I will head on over and take a look, sounds like something I should
> be interested in.    Now if FreeBSD would just add 9.9 to the ports
> collection, it would save me from having to build it by hand..  

I think BIND 9.9 is definitely part of the solution.

I - like others - have a few scripts to try and do the right thing.
I've created "How to set up a Recursive Server" at http://dnssec.co.za/

I've written a script that manages flat files (i.e. how you want to edit
your zones) and generates signed zones as needed. You can see a
presentation and the script at http://posixafrica.com/

(Both those zones are DNSSEC signed)

The big error in my Script is I continuously re-sign the zone from
scratch rather than properly maintain the signed zone... but it works
(because I generate a new DNSSEC key before the zone becomes stale).

Anyway, that is why I'm so interested in BIND 9.9 myself. My script also
does Key Generation, checks for the source zone changing (by
check-sums), updates the SOA Serial No - etc. Once I've deployed BIND
9.9 - I'll re-work the script to run properly signed and managed zones.

Next great thing would be for ISC to support the Soft-HSM that
OpenDNSSEC uses. I believe that this would make the step of moving to a
real hardware HSM a lot easier (if necessary).

-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
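A minimal version of the workflow the post describes (checksum the source zone, bump the SOA serial, generate keys if none exist, re-sign with dnssec-signzone), as an added example; it is not Mark's script and not anything from posixafrica.com. The zone-file layout, the "; serial" comment convention, the YYYYMMDDnn serial scheme and the KEYDIR location are assumptions; the BIND tools are only invoked when they are present on the system, so the checksum and serial logic runs anywhere.

```shell
#!/bin/sh
# Added example (not the poster's script): flat-file zone maintenance for BIND.
# Assumptions: the SOA serial sits alone on a line tagged "; serial", serials
# follow YYYYMMDDnn, and keys live in $KEYDIR. dnssec-keygen/dnssec-signzone
# are only called when installed, so the rest of the script runs without BIND.

KEYDIR="${KEYDIR:-/etc/bind/keys}"   # assumed key directory

# Print the current SOA serial of a zone file (first "; serial" line wins).
get_serial() {
    sed -n 's/^[[:space:]]*\([0-9]\{1,\}\)[[:space:]]*;[[:space:]]*serial.*$/\1/p' "$1" | head -n 1
}

# Next serial: same day -> increment, new day -> YYYYMMDD01.
next_serial() {
    cur="$1"; today="$2"
    if [ "$cur" -ge "${today}00" ]; then
        echo $((cur + 1))
    else
        echo "${today}01"
    fi
}

# Rewrite the serial line via a temp file, so an interrupted run leaves the zone intact.
set_serial() {
    zf="$1"; new="$2"
    sed "s/^\([[:space:]]*\)[0-9]\{1,\}\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" "$zf" > "$zf.tmp" \
        && mv "$zf.tmp" "$zf"
}

# Checksum of the source zone, stored beside it; zone_changed succeeds when it differs.
record_checksum() { cksum < "$1" | cut -d' ' -f1 > "$1.cksum"; }
zone_changed() {
    new=$(cksum < "$1" | cut -d' ' -f1)
    old=$(cat "$1.cksum" 2>/dev/null || echo none)
    [ "$new" != "$old" ]
}

# Generate a KSK/ZSK pair if KEYDIR holds no key for the zone (needs dnssec-keygen).
ensure_keys() {
    origin="$1"
    command -v dnssec-keygen >/dev/null 2>&1 || return 0
    mkdir -p "$KEYDIR"
    if ! ls "$KEYDIR"/K"$origin".+*.key >/dev/null 2>&1; then
        dnssec-keygen -K "$KEYDIR" -a RSASHA256 -b 2048 -n ZONE -f KSK "$origin"
        dnssec-keygen -K "$KEYDIR" -a RSASHA256 -b 2048 -n ZONE "$origin"
    fi
}

# One maintenance pass: 0 if the zone changed and was bumped/re-signed, 1 if untouched.
maintain_zone() {
    zf="$1"; origin="$2"; today="$3"
    zone_changed "$zf" || return 1
    set_serial "$zf" "$(next_serial "$(get_serial "$zf")" "$today")"
    record_checksum "$zf"   # checksum of the bumped file, so the next pass is a no-op
    ensure_keys "$origin"
    if command -v dnssec-signzone >/dev/null 2>&1; then
        # -S: smart signing selects KSK/ZSK from KEYDIR; output lands in $zf.signed
        dnssec-signzone -S -K "$KEYDIR" -o "$origin" "$zf" \
            || echo "signing failed for $origin (no keys in $KEYDIR?)" >&2
    fi
    return 0
}

# Demo on a constructed zone in a temporary directory (keys, if generated, go there too).
demo() {
    d=$(mktemp -d); zf="$d/example.net.zone"; KEYDIR="$d/keys"
    printf '%s\n' '$TTL 3600' \
        '@ IN SOA ns1.example.net. hostmaster.example.net. (' \
        '    2012011001 ; serial' '    3600 ; refresh' '    900 ; retry' \
        '    604800 ; expire' '    300 ) ; minimum' '@ IN NS ns1.example.net.' > "$zf"
    maintain_zone "$zf" example.net 20120111 && echo "serial is now $(get_serial "$zf")"
    maintain_zone "$zf" example.net 20120111 || echo "second pass: unchanged, nothing to do"
}
demo
```

Run it from cron: each pass is idempotent, so an unchanged zone costs one checksum and no signing. Note that this still re-signs from scratch on every source change, which is exactly the shortcut the post admits to; BIND 9.9's in-line signing is what removes that step.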
