On Thu, 21 Feb 2013 18:02:02 +0000, Rick van Rein <[email protected]> wrote:

> Hi Casper,
>
> Cool :)
>
>> I've written a little script that checks if a DS is available from DNS
>> and, if so, automatically issues the ds-seen command. It's a replacement
>> for manually checking the DS and calling "ods-ksmutil key ds-seen ....".
>
> We're rolling out a similar thing at SURFnet, which could be an alternative
> to this script, at least for some users. Our thing automates all stages from
> DNSKEY publication by ods-signer to ds-seen (and ds-unseen for 2.0 up).
>
> I'll write a posting about that on our blog https://dnssec.surfnet.nl/
> in a while. After my head stops spinning from flu :-S
Sounds good. I have some more scripts to automate other parts of the procedure, but I'm not entirely happy with them and they are somewhat specific to our environment, so I'm interested in what you have cooked up.

>> Warning 1: This may be a stupid idea. It could be argued that human
>> validation of this step is a good thing. Do not use this script if you do
>> not completely understand what it does.
>
> The real harm would have been done then I think? If you want to check
> manually, it ought to be done when rolling your DNSKEY and/or DS uphill
> (to the parent). When it starts rolling down on the other side of the
> hilltop it's probably too late to stop?

Yes, uploading the new key is the most important step, and I'm convinced there is no harm in automating this step (otherwise I wouldn't have done it). From a security perspective there is no problem at all. However, if mistakes are made things can get messy, and there is only a very basic validation in the script. However, the immediate reason for writing this script is that the humans were also making mistakes.

>> Warning 2: This script has not been properly tested. Do not use it in a
>> production environment.
>
> Ah, you're looking for alpha testers ;-)
>
>> I'm looking for opinions on if this is a useful solution or accident
>> waiting to happen.

I do use it in my production environment and I think we are better off with it than without, but I don't want to create too much of an expectation. The validation done by this script is rather simple and there are a few cases where it will fail (for example, it only checks one DNS server; secondly, it only looks at the keytag, which is not guaranteed to be unique).

> Did you like the interface of OpenDNSSEC? I didn't like that it refused
> to silently ignore repeated ds-seen due to a script that somehow missed
> a previous ds-seen.

It is indeed a bit verbose at times. The warnings about duplicate ds-seens have been a cause of concern at one time.
My personal pet annoyance is that every call to ods-keytool starts with output from MySQL. However, filtering it out is easy. Slightly more annoying is that many operations, like exporting a key, are rather slow, often taking up to a second. When running a script like this over hundreds of zones it becomes a bit painful.

-- 
Casper Gielen

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
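The two weaknesses Casper names (only one nameserver is asked, and only the key tag is compared, which is not unique) are what a ds-seen automation has to close. The following is an added example, not Casper's script and not OpenDNSSEC code: it derives the expected DS from the DNSKEY that ods-signer publishes (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509), requires every parent nameserver to return that exact DS record, and only then builds the ods-ksmutil key ds-seen command. The zone name, server names, the old DS record and the toy public-key bytes are constructed for the example (real RSA keys are hundreds of bytes; the two toy keys are chosen so that they fold to the same key tag). The parent answers are hard-coded stand-ins for what querying each parent nameserver with a non-recursive DS query would return, so the block runs offline. The "--zone"/"--keytag" flags are the ones ods-ksmutil 1.x accepts for ds-seen.

```python
# Added example (not Casper's script, not OpenDNSSEC code): decide whether a
# "ds-seen" may be issued by comparing the full DS record (keytag, algorithm,
# digest type, digest) against what every parent nameserver returns, instead of
# matching one server on the key tag alone.
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    keytag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def keytag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit fold of the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of the owner name (RFC 4034 section 6.2)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> DS:
    """DS with SHA-256 digest (RFC 4509): digest = SHA-256(owner | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return DS(keytag(rdata), algorithm, 2, digest)


def parse_ds(rdata_text: str) -> DS:
    """Parse presentation-format DS RDATA as dig prints it: 'keytag alg dtype digest'."""
    tag, alg, dtype, *digest = rdata_text.split()
    return DS(int(tag), int(alg), int(dtype), "".join(digest).lower())


def ds_seen_decision(expected: DS, answers: dict[str, list[str]]) -> tuple[bool, str]:
    """Return (ok, reason). ok only if every parent server has the exact expected DS."""
    if not answers:
        return False, "no parent servers queried"
    for server, records in answers.items():
        seen = {parse_ds(r) for r in records}
        if expected in seen:
            continue
        if any(d.keytag == expected.keytag for d in seen):
            # A keytag-only check would wrongly pass here.
            return False, f"{server}: keytag {expected.keytag} present but digest differs"
        return False, f"{server}: DS for keytag {expected.keytag} not (yet) published"
    return True, "all parent servers publish the expected DS"


def ds_seen_command(zone: str, ds: DS) -> list[str]:
    """The command a wrapper would run once the decision is positive."""
    return ["ods-ksmutil", "key", "ds-seen", "--zone", zone, "--keytag", str(ds.keytag)]


# --- constructed sample data (not real keys or servers) ---
ZONE = "example.nl."
# Toy public-key bytes; both fold to key tag 1290 but give different digests.
NEW_KSK = ds_from_dnskey(ZONE, 257, 3, 8, b"\x01\x00\x00\x01")
LOOKALIKE = ds_from_dnskey(ZONE, 257, 3, 8, b"\x00\x01\x01\x00")
OLD_DS = "4711 8 2 " + "ab" * 32  # the previous KSK's DS, constructed


def as_text(ds: DS) -> str:
    return f"{ds.keytag} {ds.algorithm} {ds.digest_type} {ds.digest}"


SCENARIOS = {
    "propagated": {"ns1.parent.example": [OLD_DS, as_text(NEW_KSK)],
                   "ns2.parent.example": [OLD_DS, as_text(NEW_KSK)]},
    "lagging secondary": {"ns1.parent.example": [OLD_DS, as_text(NEW_KSK)],
                          "ns2.parent.example": [OLD_DS]},
    "keytag collision": {"ns1.parent.example": [as_text(LOOKALIKE)],
                         "ns2.parent.example": [as_text(LOOKALIKE)]},
}


def run(scenario: str) -> tuple[bool, str]:
    return ds_seen_decision(NEW_KSK, SCENARIOS[scenario])


if __name__ == "__main__":
    for name in SCENARIOS:
        ok, why = run(name)
        print(f"{name}: {'issue ds-seen' if ok else 'wait'} ({why})")
        if ok:
            print("  " + " ".join(ds_seen_command(ZONE, NEW_KSK)))
```

Only the "propagated" scenario yields a ds-seen; the lagging secondary is caught because every server is consulted, and the collision is caught because the digest, not just the tag, must match. In a real run the answers dict would be filled from a DS query to each authoritative server of the parent (the script's subprocess call and error handling are left out here), and the command should be issued once per key, since the duplicate ds-seen warnings in the thread come from re-running it for a key already marked seen.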
