private trust anchor

Mark Andrews marka at isc.org
Sun Feb 10 23:40:06 UTC 2013


In message <20130210225742.GA9786 at bewilderbeast.blackhelicopters.org>, "Michael W. Lucas" writes:
> Hi,
> 
> Is there a way to set up a private trust anchor for internal-only
> zones with BIND 9.9?
> 
> I have some local and RFC1918 zones that I'd like to secure. It seems
> I should be able to configure a private trust anchor and use that key
> to sign these zones.
> 
> I've found related docs, like draft-jabley-dnssec-trust-anchor-06,
> which has great gobs of theory, but nothing on how to actually do this
> with BIND.
> 
> Has anyone done this? Or is this just daft?
> 
> Thanks,
> ==ml

This is no different than creating any other island of trust.

You generate the keys for the zone.  For IN-ADDR.ARPA zones there
is no point in using NSEC3.

	dnssec-keygen -K /var/named/keys 10.in-addr.arpa
	dnssec-keygen -K /var/named/keys -f KSK 10.in-addr.arpa

You add the keys to the zone.

You sign the zone and arrange for named to re-sign the zone
automatically for you.  You can use "inline-signing yes;" or configure
the zone to accept dynamic updates.

	options {
		key-directory "/var/named/keys";	// where dnssec-keygen wrote the K*.key / K*.private files
	};

	zone 10.in-addr.arpa {
		type master;
		file "master/10.in-addr.arpa";
		auto-dnssec maintain;	// named publishes/retires keys on their timing metadata and re-signs
		update-policy local;	// dynamic updates from localhost via the session key (needed for maintain)
	};

	rndc sign 10.in-addr.arpa

You add trusted keys clauses to your recursive servers.

	trusted-keys {
		// flags protocol algorithm "base64 public key", copied from the KSK's .key file (flags 257)
		10.in-addr.arpa <KSK info>;
	};

> -- 
> Michael W. Lucas 	
> http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
> Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
> mwlucas at michaelwlucas.com, Twitter @mwlauthor
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
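The procedure above, as an added shell example that is not code from Mark's reply or from ISC. It wraps the key generation and `rndc sign` steps (run only if the BIND tools are installed) and, the part people usually get wrong, fills in the `<KSK info>` placeholder by converting the KSK's DNSKEY record into the trusted-keys clause for the recursive servers, dropping ZSKs and refusing to emit an empty clause. The key directory and zone are the ones from the thread; the DNSKEY records in the script are constructed samples with placeholder base64, not real keys.

```shell
#!/bin/sh
# Added example, not code from Mark Andrews' reply or from ISC. Wraps the
# island-of-trust procedure from the thread and turns the KSK's DNSKEY record
# into the trusted-keys clause the recursive servers need.
# Assumptions: key directory and zone as in the thread; the DNSKEY records
# below are constructed samples with placeholder base64, not real keys.

KEYDIR="${KEYDIR:-/var/named/keys}"   # must match key-directory in named.conf
ZONE="${ZONE:-10.in-addr.arpa}"

# Constructed samples of what the K*.key files (or `dig DNSKEY`) contain.
# Flags 257 marks the KSK, 256 the ZSK; only the KSK becomes a trust anchor.
SAMPLE_KSK='10.in-addr.arpa. IN DNSKEY 257 3 8 AwEAAcExampleOnlyNotARealKeyAAAA'
SAMPLE_ZSK='10.in-addr.arpa. IN DNSKEY 256 3 8 AwEAAcExampleOnlyNotARealKeyBBBB'

# Step 1 of the thread: generate a ZSK and a KSK for the zone. Runs only when
# the BIND tools are installed.
generate_island_keys() {
    command -v dnssec-keygen >/dev/null 2>&1 || { echo 'dnssec-keygen not found' >&2; return 1; }
    mkdir -p "$KEYDIR" && chmod 750 "$KEYDIR"   # private keys live here; keep it closed to others
    dnssec-keygen -K "$KEYDIR" "$ZONE"           # ZSK (flags 256)
    dnssec-keygen -K "$KEYDIR" -f KSK "$ZONE"    # KSK (flags 257)
}

# Steps 2-3: with auto-dnssec maintain in named.conf, `rndc sign` loads the keys
# from KEYDIR into the zone's DNSKEY RRset and signs it; named re-signs from then on.
sign_island_zone() {
    command -v rndc >/dev/null 2>&1 || { echo 'rndc not found' >&2; return 1; }
    rndc sign "$ZONE"
}

# Step 4: build the trusted-keys clause from DNSKEY RRs on stdin. Handles both
# the K*.key layout (owner IN DNSKEY ...) and dig output (owner TTL IN DNSKEY ...),
# keeps only KSKs (flags 257), makes the owner name absolute, and rejoins base64
# that some tools split across whitespace. Exits non-zero if no KSK was seen, so
# an empty anchor list cannot slip into named.conf silently.
dnskey_to_trusted_keys() {
    awk '
    BEGIN { print "trusted-keys {" }
    /^;/ || NF == 0 { next }                      # comments and blank lines
    {
        d = 0
        for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { d = i; break }
        if (d == 0 || $(d + 1) != 257) next       # not a DNSKEY, or a ZSK
        name = $1
        if (name !~ /\.$/) name = name "."
        key = ""
        for (i = d + 4; i <= NF; i++) key = key $i
        printf "\t\"%s\" %s %s %s \"%s\";\n", name, $(d + 1), $(d + 2), $(d + 3), key
        n++
    }
    END {
        print "};"
        if (n == 0) { print "no KSK (flags 257) found on input" > "/dev/stderr"; exit 1 }
    }'
}

# Step 4 on a live signer: export the clause from the real key directory.
export_trust_anchor() {
    cat "$KEYDIR"/K"$ZONE".+*.key | dnskey_to_trusted_keys
}

# Offline demo on the constructed samples: prints the clause for 10.in-addr.arpa
# with the KSK only, the ZSK line is filtered out.
demo() {
    printf '%s\n' "$SAMPLE_KSK" "$SAMPLE_ZSK" | dnskey_to_trusted_keys
}
```

Paste the output of `export_trust_anchor` into the recursive servers' named.conf; when the KSK is rolled, regenerate the clause rather than editing the base64 by hand.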