Re: Bind and ZSK-Rollovers: Changing salt automatically?
> "rndc signing -nsec3param" can change your salt. Specifying "auto" > as the salt causes named to generate a salt at random. I forgot to mention that the "auto" feature is new in 9.10, not in older versions. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind and ZSK-Rollovers: Changing salt automatically?
On 28.07.14 19:09 Evan Hunt wrote:
> On Mon, Jul 28, 2014 at 06:16:13PM +0200, Johannes Kastl wrote:
>> So basically BIND cannot do that for me, each time it does a key
>> rollover. That's what I wanted to know.
>
> "rndc signing -nsec3param" can change your salt. Specifying "auto"
> as the salt causes named to generate a salt at random.

Good to know.

> There's currently no way to schedule it the way you can schedule
> key rollovers, but you can put it in a crontab.

As I said, knowing that BIND does not do that automatically and I have to put it in a crontab is exactly what I wanted to know...

Thanks for the answer.

Regards,
Johannes

--
Sex is like hacking. You get in, you get out, and you hope you didn't leave something behind that can be traced back to you.
Re: Bind and ZSK-Rollovers: Changing salt automatically?
On Mon, Jul 28, 2014 at 06:16:13PM +0200, Johannes Kastl wrote:
> > In the same cron job, it is then possible to create a new NSEC3
> > salt and inject that into the zone.
>
> So basically BIND cannot do that for me, each time it does a key
> rollover. That's what I wanted to know.

"rndc signing -nsec3param" can change your salt. Specifying "auto" as the salt causes named to generate a salt at random.

There's currently no way to schedule it the way you can schedule key rollovers, but you can put it in a crontab.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
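As an added illustration of the crontab approach Evan describes (example code written for this page, not from the thread, ISC or BIND): a POSIX shell script that generates a random salt, validates it, and applies it with "rndc signing -nsec3param". The zone name, hash algorithm 1, flags 0 (no opt-out), 10 iterations and the 8-byte salt size are assumptions; the "auto" literal needs BIND 9.10 or later, as Evan notes elsewhere in the thread, so the script generates its own salt for older versions.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISC: roll a zone's NSEC3
# salt from cron with "rndc signing -nsec3param".
# Assumed: zone name, hash algorithm 1 (SHA-1, the only defined value),
# flags 0 (no opt-out), 10 iterations, an 8-byte salt. DRY_RUN=1 prints only.
ZONE="${ZONE:-example.com}"
HASH_ALG=1
FLAGS=0
ITERATIONS=10
SALT_BYTES=8
DRY_RUN="${DRY_RUN:-1}"

# Random hex salt for named versions before 9.10, where "auto" is not
# available; 8 bytes -> 16 hex digits.
random_salt() {
    head -c "$SALT_BYTES" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# A salt must be "auto" or an even-length hex string (whole bytes).
valid_salt() {
    case "$1" in
        auto) return 0 ;;
        *) printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2})+$' ;;
    esac
}

# Build the rndc command line for a salt and print it on stdout.
nsec3param_cmd() {
    printf 'rndc signing -nsec3param %s %s %s %s %s\n' \
        "$HASH_ALG" "$FLAGS" "$ITERATIONS" "$1" "$ZONE"
}

# Generate, validate, and (unless DRY_RUN=1) apply a new salt, then list
# the zone's signing state so the cron mail shows the new NSEC3 chain.
roll_salt() {
    salt="$(random_salt)"
    valid_salt "$salt" || { echo "bad salt: $salt" >&2; return 1; }
    cmd="$(nsec3param_cmd "$salt")"
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $cmd"
    else
        $cmd && rndc signing -list "$ZONE"
    fi
}
# Example crontab line, rolling monthly and independent of the ZSK timing:
# 0 3 1 * *  DRY_RUN=0 ZONE=example.com /usr/local/sbin/roll-nsec3-salt.sh
roll_salt
```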
Re: Bind and ZSK-Rollovers: Changing salt automatically?
Hi Carsten and all,

sorry for the late reply.

On 24.07.14 19:53 Carsten Strotmann wrote:
> I'm not aware that BIND 9 can do a ZSK rollover all on its own, it
> is however possible to set the timing values on the ZSK key files
> in a way that BIND 9 will execute the rollover at the set times.
> It is also possible to create a direct successor ZSK from an
> existing ZSK.

That is exactly what I meant. I prepare the keys and bind does the rollover automatically.

> But the creation of the new ZSK, as well as setting the timing
> values, need to be done outside BIND 9. It is relatively
> straightforward to script this in a cron job, and there are
> ready-made tools that can help.

I'll dig into scripting that. But I found Michael W Lucas' DNSSEC Mastery a pretty good read on the process.

> In the same cron job, it is then possible to create a new NSEC3
> salt and inject that into the zone.

So basically BIND cannot do that for me, each time it does a key rollover. That's what I wanted to know.

> Doing so at the exact moment of the ZSK key rollover (to prevent
> unnecessary re-generation of all RRSIGs) is tricky.
>
> If the zone is not too big (e.g. re-generating all RRSIGs is not a
> problem), I would recommend to roll the salt in the same intervals,
> but independent from the ZSK rollover.

I'll stick with this, then.

Regards,
Johannes

--
Debian as a whole is divided into three parts, of which one is called Stable, another Testing, and the third what in their own language is called Sid, in ours Unstable.