On 12.1.2016 22:32, Jakob Schlyter wrote:
> On 12 jan. 2016, at 22:09, Jake Zack <[email protected]> wrote:
>
>> Is there an official (or an unofficial, I guess) adapter available that’d
>> handle incoming dynamic DNS updates and have OpenDNSSEC sign them?
>
> Not that I'm aware of. We did discuss something like that a couple of years
> ago, but ended up thinking it was too complex given different AuthN/AuthZ
> methods et al.
>
>> Or must I go dynamic to an intermediary box and do IXFR’s and thus a
>> re-signing (with some signatures re-used)?
>
> Yes, you need a primary master to handle the updates. The signer will only
> resign what's needed of course.
An alternative is to use OpenDNSSEC for key maintenance and use BIND 9.10 with in-line signing as the master which accepts the updates. We did this in the FreeIPA project and it works, but you need quite a lot of 'glue logic' to create and update BIND key files (these are just references to keys inside PKCS#11 modules).

The trick is generally in replacing ods-signerd with a custom implementation which takes a list of keys for a particular zone and generates BIND key files (using the dnssec-keyfromlabel utility) instead of signing the zone.

If you are interested in this you can have a look at:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm
(Do not be scared, FreeIPA does some additional magic for key distribution because FreeIPA DNS is multi-master :-)

OpenDNSSEC key exporter is available from:
https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/dnssec/ipa-ods-exporter?id=58c42ddac0964a8cce7c1e1faa7516da53f028ad

Please note that this exports key metadata and wrapped key material into LDAP. For single-master you do not need that at all, so you can rip off big chunks of code: generally you could ignore calls to
> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
> master2ldap_master_keys_sync(log, ldapkeydb, localhsm)
completely and just rewrite
> master2ldap_zone_keys_sync(log, ldapkeydb, localhsm)
to run dnssec-keyfromlabel.

I hope this helps to understand the possibilities.

-- 
Petr Spacek @ Red Hat

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
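The "custom ods-signerd replacement" sketched in the reply above, as an added example that is not part of the thread or of the FreeIPA code: it takes a per-zone key list and turns each HSM-resident key into a BIND key file by invoking dnssec-keyfromlabel. The key records, the PIN file path, the key directory and the native-PKCS#11 label syntax are all assumptions for this example (the -l label format depends on how your BIND was built, and the timing flags -P/-A only set BIND's publish/activate metadata; it is still up to the OpenDNSSEC-side logic to decide which keys are in which state).

```python
"""Generate BIND key files for one zone from a list of OpenDNSSEC keys.

Assumed input: one record per key with the fields shown in SAMPLE_KEYS
(constructed for this example, not the OpenDNSSEC KASP database schema).
"""
import subprocess
from typing import Callable, Dict, List

# Constructed sample: what the ods-signerd replacement would receive for
# one zone. 'label' is the CKA_LABEL of the key pair inside the HSM.
SAMPLE_KEYS = [
    {"zone": "example.com", "label": "ksk-2016-01", "algorithm": 8,
     "role": "KSK", "publish": "20160101000000", "activate": "20160108000000"},
    {"zone": "example.com", "label": "zsk-2016-01", "algorithm": 8,
     "role": "ZSK", "publish": "20160101000000", "activate": "20160101000000"},
]

PIN_SOURCE = "/etc/bind/pkcs11.pin"  # assumed path to the HSM PIN file
KEY_DIR = "/var/named/keys"          # assumed BIND key-directory


def label_for(label: str) -> str:
    # Native-PKCS#11 style label (assumption): object name plus PIN file.
    # An OpenSSL-engine build of BIND uses a different syntax and needs -E.
    return f"pkcs11:object={label};pin-source={PIN_SOURCE}"


def keyfromlabel_argv(key: Dict) -> List[str]:
    """Build the dnssec-keyfromlabel command line for one key record."""
    argv = ["dnssec-keyfromlabel", "-K", KEY_DIR,
            "-a", str(key["algorithm"]),        # must match the key in the HSM
            "-l", label_for(key["label"]),
            "-P", key["publish"], "-A", key["activate"]]
    if key["role"] == "KSK":
        argv += ["-f", "KSK"]                   # sets the SEP bit (flags 257)
    argv.append(key["zone"])
    return argv


def generate_bind_keys(keys: List[Dict],
                       run: Callable = subprocess.run) -> List[List[str]]:
    """Run dnssec-keyfromlabel for every key; return the argv lists issued."""
    issued = []
    for key in keys:
        argv = keyfromlabel_argv(key)
        run(argv, check=True)   # writes K<zone>+<alg>+<tag>.key/.private
        issued.append(argv)
    return issued


if __name__ == "__main__":
    for argv in generate_bind_keys(SAMPLE_KEYS, run=lambda a, check: None):
        print(" ".join(argv))
```

The `run` parameter exists so the command construction can be exercised without an HSM; in production leave it at the default so dnssec-keyfromlabel really writes the files into the BIND key directory.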
