Hi,

As any good netcitizen I've been working on implementing DNSSEC. ;-)

Recently I was flipping through some presentations on DNSSEC and I noticed 
something in this PDF:

http://www.nanog.org/meetings/nanog54/presentations/Sunday/Larson.pdf

Which belongs to this presentation:

http://www.nanog.org/meetings/nanog54/abstracts.php?pt=MTg4OCZuYW5vZzU0&nm=nanog54

Page 22 "Signed Zone Example: example.com" beautifully illustrates what the KSK 
is used for.

Probably it doesn't surprise you, but it is very little. In terms of records, 
it is just 2 records: the DNSKEY-record for the public key part of the KSK and 
the RRSIG over all the DNSKEY-records.

The KSK is obviously also used to communicate the DS-record to the parent zone.

It got me thinking: the current PowerDNS database with DNSSEC enabled for a 
zone has the KSK and ZSK keys in the cryptokeys table.

How hard would it be to have a mode in PowerDNS where you add the RRSIG which 
is generated from the KSK to the database and move the private part of the KSK 
out of the database?

This could help when you have a hidden master and database replication but 
would like to prevent the KSK getting compromised. If you have hundreds or 
thousands of signed zones you'll be happy you don't have to communicate all 
the new keys to the parent zones, even if it is automated.

It might not work with presigned, but with presigned you might as well not 
replicate the cryptokeys table.

It should work in theory with something like NSEC3-narrow.

Haven't looked at the other modes.

It is just an idea, I would like to know what people think.

Have a nice day,
        Leen.

PS Another presentation that might be of interest, as it mentions the PowerDNS 
Recursor, is this one:

http://www.nanog.org/meetings/nanog54/abstracts.php?pt=MTkwOCZuYW5vZzU0&nm=nanog54

His paper is here:

http://irl.cs.ucla.edu/~yingdi/publication.html
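As an added worked example (not part of Leen's mail and not PowerDNS code), the following script shows the two things the mail says the KSK is used for: signing only the DNSKEY RRset, and producing the DS record that goes to the parent. It builds a DNSKEY record from constructed key bytes (a 64-byte 0x01..0x40 pattern standing in for a P-256 public key, not a real key), computes the key tag per RFC 4034 Appendix B and the DS digest per RFC 4034 section 5.1.4, and prints both in zone-file presentation format for the assumed zone example.com. Everything here is pure standard library, so it runs offline.

```python
"""What the KSK contributes to a signed zone: the DNSKEY RRSIG and the DS.

Added example, not PowerDNS code.  Key bytes below are constructed, not a
real key; the zone name example.com is an assumption for illustration.
"""
import base64
import hashlib
import struct

ZONE = "example.com."
FLAGS_KSK = 257            # ZONE (256) + SEP (1): the SEP bit marks a KSK
FLAGS_ZSK = 256
PROTOCOL = 3               # always 3 for DNSSEC keys (RFC 4034 section 2.1.2)
ALG_ECDSAP256SHA256 = 13

# Constructed stand-in for a 64-byte uncompressed P-256 public key.
EXAMPLE_KSK_PUBKEY = bytes(range(1, 65))


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".") if name.strip(".") else []
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire format: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def is_ksk(rdata: bytes) -> bool:
    """A key is a KSK when the SEP flag (bit 15, value 1) is set."""
    return bool(struct.unpack("!H", rdata[:2])[0] & 1)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name in wire form | DNSKEY RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS record in presentation format: owner IN DS keytag alg digesttype digest."""
    algorithm = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def dnskey_record(owner: str, rdata: bytes) -> str:
    """DNSKEY record in presentation format with the public key base64-encoded."""
    flags, proto, alg = struct.unpack("!HBB", rdata[:4])
    return f"{owner} IN DNSKEY {flags} {proto} {alg} {base64.b64encode(rdata[4:]).decode()}"


def rrsets_signed_by(rrtypes, with_ksk: bool):
    """Split a zone's RRset types by signing key: the KSK signs only DNSKEY,
    the ZSK signs everything else.  This is the split that lets the KSK private
    part live offline while only its DNSKEY RRSIG is stored and served."""
    return [t for t in rrtypes if (t == "DNSKEY") == with_ksk]


if __name__ == "__main__":
    ksk = dnskey_rdata(FLAGS_KSK, PROTOCOL, ALG_ECDSAP256SHA256, EXAMPLE_KSK_PUBKEY)
    print(dnskey_record(ZONE, ksk))
    print(ds_record(ZONE, ksk))               # digest type 2 = SHA-256
    print(ds_record(ZONE, ksk, digest_type=1))  # digest type 1 = SHA-1
    zone_types = ["SOA", "NS", "A", "MX", "DNSKEY", "NSEC3PARAM"]
    print("KSK must sign:", rrsets_signed_by(zone_types, True))
    print("ZSK signs:", rrsets_signed_by(zone_types, False))
```

The point of `rrsets_signed_by` is the one the mail makes: only the DNSKEY RRSIG ever needs the KSK private key, so that one signature can be produced elsewhere and stored, while the ZSK keeps signing the rest of the zone on the master. The DS output is exactly what would be handed to the parent; it changes only when the KSK's DNSKEY changes, which is why not replicating the KSK private part does not add parent-side work.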
_______________________________________________
Pdns-dev mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-dev