Automatic Key Management

Mark Elkins mje at
Sat Sep 16 19:02:42 UTC 2017

On 14/09/2017 16:55, Tony Finch wrote:

> Mark Elkins <mje at> wrote:
>> With BIND version 9.12 coming out - I'm wondering if I've missed any
>> announcements on some form of Automatic (DNS)Key Management?
>> Something that will create and retire keys according to some sort of policy.
> See dnssec-keymgr (new in 9.11) which will automate ZSK management.
> KSKs are still difficult. I don't know of any nice software for pushing
> delegation updates through registrars. It's a fairly tedious business
> because in many cases you'll need to talk to several different parents so
> you have to write the same code in several different ways. Even the good
> APIs (Gandi, RIPE) have murky corners (EPP itself is a movable feast), and
> sometimes you may be stuck without an API and reduced to scripting
> PhantomJS or something similarly horrible.
> Tony.

Thanks Tony.

I've been experimenting. I'm also a Registrar for South African domains,
running EPP including DNSSEC extensions.

Couldn't find a full example /etc/dnssec-policy.conf
so came up with:-

policy default-dnssec {
    algorithm ECDSAP256SHA256;
    pre-publish zsk 1w;
    pre-publish ksk 1w;
    post-publish zsk 1w;
    post-publish ksk 1w;
    roll-period zsk 4w;
    roll-period ksk 52w;
    coverage 190d;
};

zone {
    policy default-dnssec;
    directory "/etc/bind/";
};

Not completely sure if what is above is completely sane. :-)
I'm playing with a zone called "". This is on a stand-alone
test machine. The test entry in my named.conf looks like...

zone "" {
        type master;
        file "";
        key-directory "";
        inline-signing yes;
        auto-dnssec maintain;
        update-policy { grant ddns-key zonesub ANY; };
};

When run, dnssec-keymgr completely ignores ECDSAP256SHA256 and uses RSASHA256 (the default if no algorithm is specified).
I created ECDSAP256SHA256 keys by hand and reran dnssec-keymgr. It simply creates two more RSASHA256 keys as if there were no keys.

I'm not a python programmer and was somewhat lost when looking inside dnssec-keymgr. Stumbled into /usr/lib/python3.4/site-packages/isc/, found mention of ECDSAP256SHA256 in and stopped looking.

I also like to organise my "zones" as one per directory - so all the cruft for one zone is stored together in one place. Looks like I'll need a "zone" entry per zone in dnssec-policy.conf to manage this. Pity it doesn't simply look inside named.conf for that information (for where the keys live).
Maybe someone else on this list has looked further?

On my side, I can 'import' the KSK from the properly signed zone, generate the DS record and EPP it up to the Registry. That all works fine, currently with the push of one (web) button. Will change/add this to something RESTful. Then, for full automation (KSK rollovers) - I'd need dnssec-keymgr to call an external script when it's time to trigger some sort of "Sync" action.

Didn't spot anything to auto-generate CDS records although BIND 9.11 is apparently capable. 

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA:
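The "import the KSK, generate the DS, push it up" step and the CDS question above can be checked locally; the following is an added example, not code from this thread or from BIND's dnssec-keymgr, that derives the RFC 4034 key tag and the RFC 4509 SHA-256 DS (or CDS, RFC 7344) for a DNSKEY. The DNSKEY in it is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(flags: int) -> bool:
    """KSK = Zone Key bit (0x0100) plus SEP bit (0x0001), i.e. flags 257."""
    return flags & 0x0101 == 0x0101

def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2, rrtype: str = "DS") -> str:
    """Presentation-format DS (or CDS) record for a KSK DNSKEY.

    The digest covers the canonical owner name followed by the full DNSKEY RDATA.
    Refuses ZSKs: publishing a DS for a ZSK would let the parent trust the wrong key.
    """
    if not is_ksk(flags):
        raise ValueError(f"flags {flags}: DS records are generated for KSKs (257) only")
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN {rrtype} {key_tag(rdata)} {algorithm} {digest_type} {digest}"

# Constructed placeholder: ECDSAP256SHA256 (13) KSK whose "public key" is 4 dummy bytes.
EXAMPLE_OWNER, EXAMPLE_KEY_B64 = "example.com.", base64.b64encode(b"\x01\x02\x03\x04").decode()

if __name__ == "__main__":
    print(ds_record(EXAMPLE_OWNER, 257, 3, 13, EXAMPLE_KEY_B64))
    print(ds_record(EXAMPLE_OWNER, 257, 3, 13, EXAMPLE_KEY_B64, rrtype="CDS"))
```

Feeding it a real `dig DNSKEY` line for a KSK gives the DS to send via EPP; emitting the same digest as a CDS in the child zone is what lets a parent that honours RFC 7344 pick up a KSK rollover without the registrar round trip.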
