On Sun, 2014-08-31 at 17:54 +0000, Abdalmonem Tharwat Galila wrote:
> Hi,
> I have many questions in my mind about DNSSEC, could you help me to
> find an answer?

I'm sure the list can answer a few questions but I'd strongly suggest going on a formal DNS/DNSSEC course. The OpenDNSSEC folk have a two (?) day course in Stockholm. I've attended this and it's a good practical course on OpenDNSSEC. It's free as well - as I remember?? I've also mentioned what you could get in South Africa on the Advanced DNS course (http://dnstraining.coza.net.za). There are other courses run in Europe and the US. DNSSEC can bite you - even if you are a rocket scientist. From the questions you are asking - please consider training.

I can see that you have a 2048 bit type-8 KSK - that's good (and the default). The ZSK is a 1024 bit type-8 key. Some may argue it should be longer... but it's the default and not bad.

Are you running NSEC or NSEC3? Are you using Opt-Out if you are running NSEC3?

> 1) Which details are required to be sent to the parent?

The DS records - which are hashes of the KSK record.

> 1-1) How can I get this data from OpenDNSSEC?

ods-ksmutil key export --zone xn--wgbh1c --ds

To make a key "ds-seen"... (ONLY once propagated):

ods-ksmutil key ds-seen --zone xn--wgbh1c --keytag 60047

> 1-2) Every time OpenDNSSEC resigns the zone, this data should
> be sent to the parent!!!

No, only on a KSK rollover.

> 2) How can I manage the rollover process?

It's parameters you should have set in /etc/opendnssec/kasp.xml:

<KSK>
  <Algorithm length="2048">8</Algorithm>
  <Lifetime>P365D</Lifetime>
  <Repository>SoftHSM</Repository>
</KSK>

...is a KSK key rollover once a year. There is so much more to it than that though. Essentially, when you get a new key, send its DS records to your parent (IANA), wait for propagation - perhaps a week or two, then remove the old DS records from the parent.

> 3) How can I back up keys and slots?
> 4) How to back up the DB?
> 5) How to upgrade OpenDNSSEC? Are there any notes about that?
> 6) How can I clone the current system to another one without any
> failure? Are there any notes about that?
> 7) Are there any yum repos to install OpenDNSSEC?
>
> If there are any tutorials that answer my questions, I'd appreciate
> that.
>
> Thanks
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

-- 
Mark James ELKINS - Posix Systems - (South) Africa
[email protected]
Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
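The reply above stresses that ds-seen must only be run once the parent actually publishes the DS, and the rollover sketch under question 2 has the same "wait for propagation" step. The script below is an added example, not code from the original message or from the OpenDNSSEC project, showing one way to gate that step: it normalises the DS records that `ods-ksmutil key export --ds` prints and the DS set the parent answers with, and only declares it safe to run `ods-ksmutil key ds-seen` when every exported DS for the new KSK's keytag is present at the parent. The zone xn--wgbh1c and keytag 60047 come from the thread; the DS digests and the parent answers are constructed sample data, and the helper names `norm_ds` and `ds_published` are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenDNSSEC): decide
# whether "ods-ksmutil key ds-seen" may be run by checking the parent's DS set.
#
# Zone and keytag are the ones quoted in the thread; every digest below is
# constructed sample data, not a real DS record.
ZONE="xn--wgbh1c"
KEYTAG="60047"

# Constructed stand-in for the output of:
#   ods-ksmutil key export --zone "$ZONE" --ds
LOCAL_DS=';ready KSK DS record (SHA256):
xn--wgbh1c. 3600 IN DS 60047 8 2 3A7D0F19C2B4E6D8A1F3C5E7B9D1F3A5C7E9B1D3F5A7C9E1B3D5F7A9C1E3B5D7
;ready KSK DS record (SHA1):
xn--wgbh1c. 3600 IN DS 60047 8 1 9F2E4D6C8B0A1F3E5D7C9B1A3F5E7D9C1B3A5F7E'

# Constructed stand-ins for the answer to (query each parent nameserver, not
# a recursor, so a stale secondary cannot fool you):
#   dig +short DS "$ZONE" @<parent-nameserver>
PARENT_DS_OK='60047 8 2 3a7d0f19c2b4e6d8a1f3c5e7b9d1f3a5c7e9b1d3f5a7c9e1b3d5f7a9c1e3b5d7
60047 8 1 9f2e4d6c8b0a1f3e5d7c9b1a3f5e7d9c1b3a5f7e'
PARENT_DS_STALE='12345 8 2 deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef'

# norm_ds: read DS records on stdin, in either full-RR form
# ("owner ttl IN DS tag alg dtype digest") or dig +short form
# ("tag alg dtype digest"), and print one canonical
# "tag alg dtype lowercase-digest" line each, sorted, comments dropped.
# Digest hex split over several fields (as some tools print it) is rejoined.
norm_ds() {
  awk '
    /^;/ { next }
    {
      s = 1
      for (i = 1; i <= NF; i++) if ($i == "DS") { s = i + 1; break }
      if (NF < s + 3) next
      d = ""
      for (i = s + 3; i <= NF; i++) d = d $i
      printf "%s %s %s %s\n", $s, $(s + 1), $(s + 2), tolower(d)
    }' | sort -u
}

# ds_published TAG LOCAL_DS PARENT_DS
#   returns 0 if every locally exported DS for TAG is served by the parent,
#   1 if at least one is missing, 2 if nothing was exported for TAG.
ds_published() {
  dp_tag="$1"
  dp_want=$(printf '%s\n' "$2" | norm_ds | awk -v t="$dp_tag" '$1 == t')
  [ -n "$dp_want" ] || return 2
  dp_have=$(printf '%s\n' "$3" | norm_ds)
  dp_status=0
  dp_oldifs=$IFS
  IFS='
'
  for dp_rr in $dp_want; do
    printf '%s\n' "$dp_have" | grep -Fqx "$dp_rr" || dp_status=1
  done
  IFS=$dp_oldifs
  return $dp_status
}

# Walk both constructed parent answers; only the matching one clears ds-seen.
for parent in "$PARENT_DS_OK" "$PARENT_DS_STALE"; do
  if ds_published "$KEYTAG" "$LOCAL_DS" "$parent"; then
    echo "parent serves every DS for keytag $KEYTAG of $ZONE; safe to run:"
    echo "  ods-ksmutil key ds-seen --zone $ZONE --keytag $KEYTAG"
  else
    echo "parent does not yet serve all DS records for keytag $KEYTAG; do NOT run ds-seen" >&2
  fi
done
```

In real use, replace the two constructed strings with the live output of the commands named in the comments, run the check against each of the parent's authoritative servers, and only then mark the key ds-seen; marking it early makes OpenDNSSEC retire the old KSK while validators may still only see the old DS.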
