On 06/08/10 12:24, Martin McCormick wrote:

        The one thing that impresses me about dns-sec is that it
appears to be one of those things that will probably work fine
after installation but getting there may be an adventure to put
it mildly.

My advice is to investigate upgrading to Bind 9.7 and using the "auto-dnssec maintain" option on your zones.

We do something similar to this:

zone "example.com" {
  type master;

  # file in a per-zone directory
  file "data/zones/example.com/zone";

  # keys in the same directory
  key-directory "data/zones/example.com";

  # tell bind to do DNSSEC maintenance
  auto-dnssec maintain;

  # must allow updates for online (re)signing
  allow-update { key ...; };
};

...at this point, signing a zone is very simple:

NAME="example.com"
ZDIR="/var/named/data/zones/$NAME"

# make key-signing key
dnssec-keygen -K "$ZDIR" -a RSASHA1 -b 2048 -n ZONE -f KSK "$NAME"
# make zone-signing key (-a selects the algorithm; -s is the deprecated strength flag)
dnssec-keygen -K "$ZDIR" -a RSASHA1 -b 1024 -n ZONE "$NAME"

# fixup perms so named can read the private keys
chgrp named "$ZDIR"/K*
chmod 640   "$ZDIR"/K*

# sign it
rndc sign "$NAME"

Bind will automatically maintain the signatures and re-sign every $SOME days. When you want to do a key rollover, you can use the timestamp options to generate a new key which is valid but not used:

# make new zone-signing key: published now (-P), but not yet activated (-A none)
dnssec-keygen -K "$ZDIR" -P now -A none -a RSASHA1 -b 1024 -n ZONE "$NAME"
# insert key
rndc sign "$NAME"
# wait for cache expiry times - see RFCs for details

# roll over keys & fixup perms (settime rewrites the key files)
dnssec-settime -K "$ZDIR" -A now K<theNEWkeyid> && chmod 640   "$ZDIR"/K*
dnssec-settime -K "$ZDIR" -I now K<theOLDkeyid> && chmod 640   "$ZDIR"/K*

# wait $SOME time for the zone to be incrementally
# resigned using the new key, and the old key is redundant,
# and any old RRs have expired from caches

# remove the old key
dnssec-settime -K "$ZDIR" -D now K<theOLDkeyid>
rndc sign "$NAME"


Obviously there is some care and attention needed, but the above procedures are very quick to test. Play around with it a bit - I think you'll be pleasantly surprised how easy the stuff in bind 9.7 is.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
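A defender-side check of the rollover timeline in the message above, added here as an example that is not from the original post or from BIND itself: it reads the Publish/Activate/Inactive/Delete lines that dnssec-keygen and dnssec-settime write into each K<name>+<alg>+<id>.private file and reports whether a set of ZSKs is in a safe state at a given time. The sample metadata is constructed (no real key material) and the key ids used are placeholders.

```python
from datetime import datetime, timezone

TIMING_FIELDS = ("Publish", "Activate", "Inactive", "Delete")

def ts(value):
    """Parse BIND's YYYYMMDDHHMMSS timestamp (always UTC)."""
    return datetime.strptime(value.strip(), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_timing(private_file_text):
    """Return {field: datetime} for the timing lines in a .private file.
    A field that was never set (or set to 'none') is simply absent."""
    timing = {}
    for line in private_file_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name in TIMING_FIELDS:
            timing[name] = ts(value)
    return timing

def key_state(timing, at):
    """Lifecycle state at 'at': unpublished -> published -> active -> inactive -> deleted."""
    reached = lambda field: field in timing and timing[field] <= at
    for field, state in (("Delete", "deleted"), ("Inactive", "inactive"),
                         ("Activate", "active"), ("Publish", "published")):
        if reached(field):
            return state
    return "unpublished"

def rollover_problems(keys, at):
    """keys is {keyid: timing}; list what is wrong with this ZSK set at time 'at'."""
    problems = []
    if not any(key_state(t, at) == "active" for t in keys.values()):
        problems.append("no active ZSK: auto-dnssec maintain has nothing to re-sign with")
    for kid, t in keys.items():
        if "Activate" in t and ("Publish" not in t or t["Activate"] < t["Publish"]):
            problems.append("%s: activated before being published; validators may lack the DNSKEY" % kid)
    return problems

# Constructed sample metadata: the old ZSK after "dnssec-settime -I/-D", and a
# new ZSK created with "-P now -A none" then given an activation date with "-A".
OLD_ZSK = """Private-key-format: v1.3
Publish: 20100101000000
Activate: 20100101000000
Inactive: 20100615000000
Delete: 20100701000000
"""
NEW_ZSK = """Private-key-format: v1.3
Publish: 20100608000000
Activate: 20100615000000
"""
```

Run `rollover_problems` over the parsed .private files in the zone's key-directory before and after each settime step; an empty list means every moment of the rollover has an active, already-published ZSK.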
