Re: Automated DNSSEC (command line)
On 05/28/10 14:18, Michelle Konzack wrote:

> Hello DNSSEC Experts,
>
> I am going to install 4 new Name Servers and increase my registrar and hosting service...
>
> OK, I have tried to get my own 4 domains with 16 zones signed and it took me one hour of my life! Since I have to re-sign the zones if something changes, it will give me headaches up to the end of my life, so my question is:
>
> Is there a command line tool (or a daemon) which checks for changes and re-signs the zone automatically?

Check out zkt (http://www.hznet.de/dns/zkt/). There are a few more involved tools out there, but zkt sounds like what you want.

> I can not believe that you are signing each zone by hand! :-D

*I'm* not. :) (I use a combination of zkt and the BIND tools in an automated script.)

> Can an expert please check 'dig ANY tamay-dogan.net' whether this is right?

Looks good to me. The sigs seem to be within their validity interval, but there doesn't appear to be a DLV record in dlv.isc.org, so I can't validate. (Actually, I *could* snarf the KSK from the ANY query and manually configure it as a trust anchor, but I am lazy. Moreover, that won't tell us if something goes wrong if/when you publish a trust-anchor DLV record or DS record, when NET becomes signed.)

> Also I am not really sure whether I need dnssec-validation yes in my options.

For authoritative service, you don't need it. Only if you're running a validating nameserver do you need it, and it's 'yes' by default in recent versions of BIND. You still need to configure a trust anchor (or anchors) if you want to do validation.

michael

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Automated DNSSEC (command line)
On Fri, May 28, 2010 at 2:18 PM, Michelle Konzack linux4miche...@tamay-dogan.net wrote:

> Hello DNSSEC Experts,
>
> I am going to install 4 new Name Servers and increase my registrar and hosting service...
>
> OK, I have tried to get my own 4 domains with 16 zones signed and it took me one hour of my life! Since I have to re-sign the zones if something changes, it will give me headaches up to the end of my life, so my question is:
>
> Is there a command line tool (or a daemon) which checks for changes and re-signs the zone automatically?

Yes, and you really should use one. The two most important things with signed zones are that your signatures don't expire, and that the right DNSSEC RRs are included in the zone. So not only does it need to be re-signed after changes (to include the proper DNSSEC RRs), but you also need to periodically make sure signatures don't expire. Here are a few of the tools written for that purpose:

http://dnssec-tools.org/
http://www.opendnssec.org/
http://www.hznet.de/dns/zkt/
http://zonetool.sourceforge.net/

> I can not believe that you are signing each zone by hand! :-D
>
> Can an expert please check 'dig ANY tamay-dogan.net' whether this is right?

Looks okay to me. Here's what your signed zone looks like visually:

http://dnsviz.net/d/tamay-dogan.net/dnssec/

Although, it looks like you perhaps didn't increment the zone serial, as only one of your authoritative servers is running a signed version of the zone.

> Also I am not really sure whether I need dnssec-validation yes in my options.

No, this is only for resolvers that are validating answers, not authoritative servers that are serving signed zones. Of course, if you're using the server for both and you would like to enable validation (i.e., of other signed zones), then you'll need to enable validation and establish some trusted keys as anchors.

Regards,
Casey
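Michael's remark that the sigs are "within their validity interval" and Casey's warning that expired signatures are the most common way a signed zone breaks are both things a monitoring check should cover. The following is an added example, not code from the thread or from any of the tools linked above: it parses the RRSIG records in `dig +dnssec` presentation output (without +multi, so each RR stays on one line) and flags signatures that are expired, not yet valid, or about to expire. The sample answer section is constructed; the key tag 19470 and algorithm 5 are the values quoted later in the thread, everything else (owner names, dates, signature bytes) is made up.

```python
"""Flag RRSIGs in `dig +dnssec` output that are expired, not yet valid or expiring soon.

Assumed workflow (not from the thread): run `dig +dnssec SOA <zone>` against each
authoritative server, capture stdout and pass it to parse_rrsigs()/check_rrsigs().
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: an answer section as dig prints it (one RR per line).
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
tamay-dogan.net. 3600 IN SOA dns1.tamay-dogan.net. hostmaster.tamay-dogan.net. 2010052801 3600 900 604800 3600
tamay-dogan.net. 3600 IN RRSIG SOA 5 2 3600 20100627120000 20100528120000 19470 tamay-dogan.net. c2lnbmF0dXJlLWJ5dGVz
www.tamay-dogan.net. 3600 IN A 192.0.2.10
www.tamay-dogan.net. 3600 IN RRSIG A 5 3 3600 20100601000000 20100502000000 19470 tamay-dogan.net. c2lnbmF0dXJlLWJ5dGVz
"""


def _sigtime(field):
    """RRSIG expiration/inception are YYYYMMDDHHMMSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(dig_text):
    """Return one dict per RRSIG line; non-RRSIG lines and comments are skipped."""
    sigs = []
    for line in dig_text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels orig-ttl expiration inception keytag signer sig...
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        sigs.append({"owner": f[0], "covers": f[4], "algorithm": int(f[5]),
                     "expiration": _sigtime(f[8]), "inception": _sigtime(f[9]),
                     "keytag": int(f[10]), "signer": f[11]})
    return sigs


def check_rrsigs(sigs, now, warn_before=timedelta(days=7)):
    """Map (owner, covered type) to ok / expiring / expired / not-yet-valid relative to `now`."""
    report = {}
    for s in sigs:
        if now < s["inception"]:
            status = "not-yet-valid"      # clock skew or a signer with a wrong clock
        elif now >= s["expiration"]:
            status = "expired"            # validators will now treat the zone as bogus
        elif now + warn_before >= s["expiration"]:
            status = "expiring"           # re-sign before the window closes
        else:
            status = "ok"
        report[(s["owner"], s["covers"])] = status
    return report


if __name__ == "__main__":
    for (owner, covers), status in check_rrsigs(parse_rrsigs(SAMPLE_DIG_OUTPUT),
                                                datetime.now(timezone.utc)).items():
        print(f"{owner} RRSIG({covers}): {status}")
```

Run it against the output of each authoritative server separately: a server still serving the stale, unsigned copy simply yields no RRSIG lines, which is the symptom Casey points at above.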
Re: Automated DNSSEC (command line)
Hello Michael,

On 2010-05-28 14:40:30, you wrote:

> Check out zkt (http://www.hznet.de/dns/zkt/). There are a few more involved tools out there, but zkt sounds like what you want.

OK...

>> Can an expert please check 'dig ANY tamay-dogan.net' whether this is right?
>
> Looks good to me. The sigs seem to be within their validity interval, but there doesn't appear to be a DLV record in dlv.isc.org, so I

Right, it was set up for some hours in an experiment and is currently not set up with DLV.

> can't validate. (Actually, I *could* snarf the KSK from the ANY query and manually configure it as a trust anchor, but I am lazy. Moreover, that won't tell us if something goes wrong if/when you publish a trust-anchor DLV record or DS record, when NET becomes signed.)

I have some problems with understanding "DNSSEC in 6 Minutes" from ISC.

> default in recent versions of BIND. You still need to configure a trust anchor (or anchors) if you want to do validation.

This is what I have not understood currently...

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL          itsyst...@tdnet UG (limited liability)
Owner Michelle Konzack               Owner Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz                    Kinzigstraße 17
67100 Strasbourg/France              77694 Kehl/Germany
Tel: +33-6-61925193 mobil            Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix
http://www.itsystems.tamay-dogan.net/   http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/      http://www.can4linux.org/
Jabber linux4miche...@jabber.ccc.de
ICQ #328449886
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Re: Automated DNSSEC (command line)
Hello Casey,

On 2010-05-28 14:43:54, you wrote:

> Yes, and you really should use one. The two most important things with signed zones are that your signatures don't expire, and that the right DNSSEC RRs are included in the zone. So not only does it need to be re-signed after changes (to include the proper DNSSEC RRs), but you also need to periodically make sure signatures don't expire. Here are a few of the tools written for that purpose:
>
> http://dnssec-tools.org/
> http://www.opendnssec.org/
> http://www.hznet.de/dns/zkt/
> http://zonetool.sourceforge.net/

Wow, I have to check which is the most suitable for me.

> Looks okay to me. Here's what your signed zone looks like visually:
>
> http://dnsviz.net/d/tamay-dogan.net/dnssec/

Cool tool...

> Although, it looks like you perhaps didn't increment the zone serial, as only one of your authoritative servers is running a signed version of the zone.

Now I have a problem with it, because HOW can I increase the serial number in this big file? In the old unsigned file I was working with a script, but now I know nothing anymore.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: Automated DNSSEC (command line)
Hello again,

On 2010-05-28 14:43:54, you wrote:

> Looks okay to me. Here's what your signed zone looks like visually:
>
> http://dnsviz.net/d/tamay-dogan.net/dnssec/
>
> Although, it looks like you perhaps didn't increment the zone serial, as only one of your authoritative servers is running a signed version of the zone.

I have updated the serial number manually and it just updated dns2...

OK, now I have tried the second Zone

http://dnsviz.net/d/itsystems.tamay-dogan.net/dnssec/

but it tells me:

RRSIG itsystems.tamay-dogan.net/SOA by 005+19470: Signature is bogus

really weird, because the Zone is like the others. How can I check this?

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: Automated DNSSEC (command line)
Hello Mark,

On 2010-05-29 09:06:40, you wrote:

> You can just let named re-sign the zone for you. Treat the zones as dynamic and named from BIND 9.6 onwards will maintain the signatures for you.

What do you mean by "Treat the zones as dynamic"? Is there a special option?

> Use nsupdate to change the contents of the zone.

OK. I have to change my scripts to use nsupdate, but as I have understood it, you can not add NEW hosts to a zone through nsupdate (has never worked), or has it changed now?

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: Automated DNSSEC (command line)
In message 20100529001832.gb4...@tamay-dogan.net, Michelle Konzack writes:

> Hello Mark,
>
> On 2010-05-29 09:06:40, you wrote:
>
>> You can just let named re-sign the zone for you. Treat the zones as dynamic and named from BIND 9.6 onwards will maintain the signatures for you.
>
> What do you mean by "Treat the zones as dynamic"? Is there a special option?

Add an allow-update or update-policy clause. BIND 9.7.0 supports "update-policy local;" and "nsupdate -l" talks via it.

>> Use nsupdate to change the contents of the zone.
>
> OK. I have to change my scripts to use nsupdate, but as I have understood it, you can not add NEW hosts to a zone through nsupdate (has never worked), or has it changed now?

You can make any change you want to a zone via nsupdate and this has always been the case. You just can't create or destroy the zone. DHCP servers have been adding and deleting hosts for years using UPDATE.

> Thanks, Greetings and nice Day/Evening
> Michelle Konzack

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org