feature survey -- bind9 dnssec -- autogenerate missing signatures

Francis Dupont Francis.Dupont at fdupont.fr
Thu Sep 4 21:48:55 UTC 2008


 In your previous mail you wrote:
   
   Francis, this is all very well. People with DNSSEC clue will use these  
   sorts of beasts because they understand why keys need to be properly  
   protected.

=> I only wanted to prove the feature we are talking about can be
provided with a reasonable level of security (of course, if the
needed resources are assigned to it).

   I'm far from convinced the typical DNS admin (no DNSSEC  
   clue) will understand this or deploy these sorts of measures if they  
   sign their zones.

=> with SSL/TLS and HTTPS the typical admin should be more aware
than you expect.

   They'll inevitably take the path of least  
   resistance. Which would most probably mean on-the-fly background  
   signing if that was available and the actual signing key on-line and  
   in cleartext on the master server.
   
=> if the master server is properly managed (dedicated box, good
physical and logical access control, etc.) this should not be such
a security disaster. And BTW the best HSM plugged into a box full
of garbage and loosely managed would never provide a decent level
of security...
 The key point here is that DNSSEC is a hierarchical trust system
so it is only critical the higher levels (root, TLDs, ...) have
the proper security.

   True, but if people are using dynamic DNS, there is already an  
   expectation that the SOA serial number changes "at random". This is  
   unlikely to be the case for the on-the-fly background signing that  
   Paul proposed.

=> can they learn? (or even read the documentation? :-)

Regards

Francis.Dupont at fdupont.fr

