[bind10-dev] DNS key management

Scott Mann smann at isc.org
Sun Mar 4 18:55:41 UTC 2012


Hi Everyone,

The BIND9 team is beginning to work on a set of key management tools 
which will handle a variety of tasks related to the management of all 
manner of dns-related keys. This work is largely driven by a contract 
with PayPal, but we do have flexibility with respect to some (perhaps 
even much) of what we do as the PayPal requirements are fairly high level.

When we first discussed the opportunity with PayPal (last August), we 
put together user stories associated with their wish list. You can read 
through them here: https://kb.isc.org/article/AA-00486. This document 
reflects everything that PayPal asked for as well as some things we 
thought of ourselves (fancy that).

PayPal cannot fund the project in one contract, so they are breaking 
things up into smaller pieces (I believe the driving factor is that each 
contract must be less than $30K or thereabouts). Our first contract 
contains the following requirements from PayPal:

"ISC will provide DNSSEC Key Management Tools, which include:

"Zone verification tool.

"Zone is correctly and validly signed

"NSEC chains complete

"No gaps in key coverage

"Check parent for proper KSK"



Our current effort, therefore, includes three tools, initially defined as 
follows:


I) A zone verification tool:
   This will likely be written in C because there is already a big
   chunk of this done in C (and we have a deadline).
   1. verifies that the zone is internally consistent and complete
   2. ensures that the NSEC/NSEC3 chains are complete
     - make sure to cross ref with NSEC3PARAM record
     - check DS vs NSEC/NSEC3 record to make sure delegations consistent


II) A key coverage tool (to be written in python):
   1. ensures that there are no gaps in key coverage
     - make sure that keys are published in your zone at least
       1 ttl before that key is to be published
       - use refresh rate from SOA - e.g., ttl+refresh to ensure
         that key is published soon enough


III) A dnssec-check tool (to be written in python):
   1. Check the parent for the proper KSK
     - DNS lookup for the zone's parent and get DS, then confirm that it is
       correct.
     - Verify that key is published.
     - Pay attention to future use during development.
       - future use: upward check from child - make sure design
         includes this thinking



I'm sending this to you with the hopes that we can collaborate and 
provide some (or all) of these tools for future BIND 10 use. I'm hoping 
that we can include the BIND10 team in reviews of our design documents 
and, if time permits, our code. Please understand that we do have 
deadlines associated with these tasks and that we may not be able to 
incorporate more general capabilities initially, but my hope is that 
with additional eyes, we will arrive at solutions that are useful to both 
BIND 9 and BIND 10.

If you have any comments, questions, or suggestions, please let me know. 
Look for our review requests coming soon!

Thanks,
-Scott

-- 
/***************************************
  * ISC offers support on many          *
  * of its products, including BIND 9.  *
  * If you depend on it, depend on us!  *
  ***************************************/

Scott Mann<smann at isc.org>
Interim Manager and Scrum Master, BIND 9 Development Team
Internet Systems Consortium
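The NSEC-chain and delegation checks that tool I describes (complete chain in canonical order, last NSEC wrapping to the apex, DS only at delegations and reflected in the type bitmap), as an added example in Python that is not part of the original post or of ISC's code. The zone (SAMPLE_ZONE) is constructed for the example: an apex, three ordinary names, a delegation carrying a DS, and that delegation's glue. RRSIG RRs are left out of the data but listed in the NSEC type bitmaps as a signed zone would. NSEC3 is not handled: it would need owner names hashed with the NSEC3PARAM salt and iteration count before ordering.

```python
"""Offline NSEC-chain and delegation-consistency checks (added example, not ISC code)."""
import copy

APEX = "example.com."

# Constructed zone: owner -> rrtype -> list of rdata. NSEC rdata is (next_owner, [types]).
SAMPLE_ZONE = {
    "example.com.": {
        "SOA": ["ns1.example.com. hostmaster.example.com. 2012030401 3600 900 1209600 300"],
        "NS": ["ns1.example.com."],
        "DNSKEY": ["257 3 8 AQIDBA=="],  # placeholder key material, not a real key
        "NSEC": [("a.example.com.", ["SOA", "NS", "DNSKEY", "RRSIG", "NSEC"])],
    },
    "a.example.com.": {
        "A": ["192.0.2.1"],
        "NSEC": [("ns1.example.com.", ["A", "RRSIG", "NSEC"])],
    },
    "ns1.example.com.": {
        "A": ["192.0.2.53"],
        "NSEC": [("sub.example.com.", ["A", "RRSIG", "NSEC"])],
    },
    "sub.example.com.": {  # delegation: NS plus the child's DS
        "NS": ["ns1.sub.example.com."],
        "DS": ["2063 8 2 " + "AB" * 32],
        "NSEC": [("www.example.com.", ["NS", "DS", "RRSIG", "NSEC"])],
    },
    "ns1.sub.example.com.": {"A": ["192.0.2.54"]},  # glue below the cut: no NSEC
    "www.example.com.": {
        "A": ["192.0.2.2"],
        "NSEC": [("example.com.", ["A", "RRSIG", "NSEC"])],  # last NSEC wraps to the apex
    },
}


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical order: labels compared from
    the root downward, lowercased, as octet strings."""
    name = name.lower().rstrip(".")
    return tuple(label.encode("ascii") for label in reversed(name.split("."))) if name else ()


def is_delegation(name, rrsets, apex):
    """A zone cut is an NS RRset at any name other than the apex."""
    return name != apex and "NS" in rrsets.get(name, {})


def is_authoritative(name, rrsets, apex):
    """Names strictly below a zone cut are glue and never appear in the NSEC chain."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:]) + "."
        if ancestor == apex:
            break
        if is_delegation(ancestor, rrsets, apex):
            return False
    return True


def check_zone(apex, rrsets):
    """Return a list of problems; an empty list means chain and delegations are consistent."""
    problems = []
    chain = sorted((n for n in rrsets if is_authoritative(n, rrsets, apex)), key=canonical_key)
    for i, owner in enumerate(chain):
        nsec = rrsets[owner].get("NSEC", [])
        if len(nsec) != 1:
            problems.append(f"{owner}: expected exactly one NSEC, found {len(nsec)}")
            continue
        next_owner, types = nsec[0]
        expected = chain[(i + 1) % len(chain)]  # successor in canonical order, wrapping to apex
        if canonical_key(next_owner) != canonical_key(expected):
            problems.append(f"{owner}: NSEC next is {next_owner}, expected {expected}")
        # The type bitmap must list exactly the RRtypes present at the owner (RRSIG included).
        present = set(rrsets[owner]) | {"RRSIG"}
        if set(types) != present:
            problems.append(f"{owner}: NSEC bitmap {sorted(types)} != present {sorted(present)}")
    for owner, rrs in rrsets.items():
        if owner not in chain and "NSEC" in rrs:
            problems.append(f"{owner}: NSEC at a non-authoritative (glue) name")
        if "DS" in rrs and not is_delegation(owner, rrsets, apex):
            problems.append(f"{owner}: DS RRset at a name that is not a delegation")
    return problems


def broken_variant(zone):
    """Constructed defects: a chain that does not wrap to the apex, a DS where there
    is no delegation, and a delegation whose NSEC bitmap omits its DS."""
    z = copy.deepcopy(zone)
    z["www.example.com."]["NSEC"] = [("a.example.com.", ["A", "RRSIG", "NSEC"])]
    z["a.example.com."]["DS"] = ["2063 8 2 " + "00" * 32]
    z["sub.example.com."]["NSEC"] = [("www.example.com.", ["NS", "RRSIG", "NSEC"])]
    return z


if __name__ == "__main__":
    for label, zone in (("clean", SAMPLE_ZONE), ("broken", broken_variant(SAMPLE_ZONE))):
        print(label, check_zone(APEX, zone) or "OK")
```

The canonical-order sort key is what makes the "complete chain" test trustworthy: a chain that looks closed when names are compared as plain strings can still be wrong, because DNS orders labels from the root downward and case-insensitively.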

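The key-coverage rule that tool II describes (a key must be published at least one TTL, here taken as DNSKEY TTL plus SOA refresh, before it is used, and there must be no instant without an active key), as an added example in Python that is not part of the original post or of ISC's code. The keys are described by the Publish/Activate/Inactive timing fields that dnssec-keygen and dnssec-settime maintain; the values, TTL and refresh below are constructed, and times are naive datetimes read as UTC.

```python
"""Key-coverage timing check (added example, not ISC code)."""
from datetime import datetime, timedelta


def utc(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp; naive, treated as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Window over which coverage must be continuous (constructed).
WINDOW_START = utc("2012-03-02 00:00")
WINDOW_END = utc("2012-05-01 00:00")
DNSKEY_TTL = 3600     # seconds; constructed
SOA_REFRESH = 7200    # seconds; constructed


def sample_keys(broken=False):
    """Constructed key timing metadata; inactive=None means the key never retires."""
    keys = [
        {"id": 20001, "role": "KSK", "publish": utc("2012-02-01 00:00"),
         "activate": utc("2012-02-02 00:00"), "inactive": None},
        {"id": 10001, "role": "ZSK", "publish": utc("2012-03-01 00:00"),
         "activate": utc("2012-03-02 00:00"), "inactive": utc("2012-04-01 00:00")},
        {"id": 10002, "role": "ZSK", "publish": utc("2012-03-30 00:00"),
         "activate": utc("2012-04-01 00:00"), "inactive": utc("2012-05-01 00:00")},
    ]
    if broken:  # successor ZSK published only one hour before use, and two days late
        keys[2]["publish"] = utc("2012-04-02 23:00")
        keys[2]["activate"] = utc("2012-04-03 00:00")
    return keys


def check_coverage(keys, dnskey_ttl, soa_refresh, start, end):
    """Return a list of problems; empty means every key was pre-published long
    enough and each role has an active key at every instant of [start, end)."""
    lead = timedelta(seconds=dnskey_ttl + soa_refresh)
    problems = []
    for k in keys:
        # Secondaries must have refreshed and caches must have expired the old
        # DNSKEY RRset before validators can be expected to see this key.
        pre = k["activate"] - k["publish"]
        if pre < lead:
            problems.append(f"{k['role']} {k['id']}: published {pre} before activation, need {lead}")
    for role in sorted({k["role"] for k in keys}):
        # Sweep the active intervals in start order; any uncovered stretch is a gap.
        intervals = sorted((k["activate"], k["inactive"] or end)
                           for k in keys if k["role"] == role)
        cursor = start
        for active, inactive in intervals:
            if active > cursor:
                problems.append(f"{role}: no active key from {cursor} to {active}")
            cursor = max(cursor, inactive)
        if cursor < end:
            problems.append(f"{role}: no active key from {cursor} to {end}")
    return problems


if __name__ == "__main__":
    for label, keys in (("clean", sample_keys()), ("broken", sample_keys(broken=True))):
        print(label, check_coverage(keys, DNSKEY_TTL, SOA_REFRESH, WINDOW_START, WINDOW_END) or "OK")
```

A gap is reported per role, so a missing ZSK is not masked by a KSK that happens to be active; the sweep also catches a successor whose Activate time lands after its predecessor's Inactive time, which is the case an overlap-only check would miss.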

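The "confirm that the DS at the parent is correct" step of tool III, as an added example in Python that is not part of the original post or of ISC's code. It derives the DS (key tag per RFC 4034 Appendix B, digest per RFC 4034 section 5.1.4 over the canonical owner name and DNSKEY RDATA) from the child's KSK and compares it field by field with what the parent publishes. The DNS lookups themselves are out of scope here: the DNSKEY and DS values are constructed (the 4-byte "key" is not real key material), and a real tool would fetch them with a resolver library, which is assumed rather than shown.

```python
"""Check a parent's DS against the child's KSK (added example, not ISC code)."""
import base64
import hashlib
import struct

# DS digest types: 1 SHA-1 (RFC 4034), 2 SHA-256 (RFC 4509), 4 SHA-384 (RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of an absolute owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """RFC 4034 section 5.1.4: digest = H(canonical owner name | DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, dnskey, digest_type=2):
    """The DS the parent should publish for this DNSKEY: (key_tag, algorithm, digest_type, digest)."""
    flags, protocol, algorithm, key_b64 = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(owner, ds, dnskey):
    """True only if every DS field agrees with the DNSKEY and the key is a zone key."""
    tag, alg, dtype, digest = ds
    flags, protocol, algorithm, key_b64 = dnskey
    if not flags & 0x0100 or dtype not in DIGEST_ALGS:  # Zone Key bit unset, or unknown digest
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return (alg == algorithm and tag == key_tag(rdata)
            and digest.upper() == ds_digest(owner, rdata, dtype))


def check_parent_ds(owner, parent_ds_rrset, child_dnskeys):
    """At least one DS at the parent must match one of the child's KSKs (SEP flag set).
    Returns the matching (ds, dnskey) pairs; an empty list means the chain of trust is broken."""
    ksks = [k for k in child_dnskeys if k[0] & 0x0001]
    return [(ds, k) for ds in parent_ds_rrset for k in ksks if ds_matches_dnskey(owner, ds, k)]


# Constructed data: AQIDBA== and BQYHCA== are base64 of 01 02 03 04 and 05 06 07 08.
CHILD = "example.com."
KSK = (257, 3, 8, "AQIDBA==")   # flags 257 = Zone Key + SEP
ZSK = (256, 3, 8, "BQYHCA==")   # flags 256 = Zone Key only

if __name__ == "__main__":
    expected = make_ds(CHILD, KSK)
    print("DS the parent should carry:", expected)
    print("parent DS matches a child KSK:", bool(check_parent_ds(CHILD, [expected], [KSK, ZSK])))
```

Comparing only the key tag is a common shortcut and is not enough: tags collide, and a DS whose digest was computed over a differently-cased or otherwise non-canonical owner name will fail validation even though its tag matches, so the check recomputes the digest rather than trusting the tag.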