Re: Automating a KSK rollover

2009-07-06 Thread Stephane Bortzmeyer
On Sat, Jul 04, 2009 at 10:36:40PM -0700,
 Shane W wrote
 a message of 18 lines which said:

> Is there some sort of standardized way as yet to communicate key
> changes to an upstream zone or in this case a lookaside provider?

There is a standard registrar2registry interface, an extension of EPP
standardized in RFC 4310.

There is no standard registrant2registry interface (or
dnshoster2registry), unfortunately. Sometimes, the registry or the
registrar has a nice API for the registrant or the DNS hoster but it
is not standard.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Automating a KSK rollover

2009-07-05 Thread Mark Elkins
I've added some automation around signing zones. For the KSK - it has a
default life of 12 months. I'm looking at having two valid KSKs running
with an overlap of 6 months. This means updating dlv.isc.org every 6
months, adding a new key, removing the old key and leaving the key that's
6 months old. My system should remind me when to do this. Of course -
I'm still in the first 6-month cycle - so there is only one KSK for now
- so I'll only be adding a KSK next maintenance cycle.
This is fine for a few domains, but I agree it would be painful for many
domains.

I'd like to see a system that I can tickle - so that it fetches the new
KSK from me (all automated).

Now that my zone is 'secure' - I could use it to distribute a public key
(PGP - whatever). I still have the TXT DLV record in my zone. Just
thinking out loud - as I'm interested too.

One day - I'd expect this to be built into Registry/Registrar EPP type
interfaces - fine except I like to host my own DNS.


On Sat, 2009-07-04 at 22:36 -0700, Shane W wrote:
> Hello all,
> 
> So I just did a KSK rollover, just to get a feel for how
> it's done, updating dlv.isc.org in the process. My question
> though is one of administration. When a domain rolls its
> KSK, will it be necessary to manually log in to a website
> and paste the new keys, log in again a month later and
> delete the old KSK? How will this work for sites hosting
> many domains? Is there some sort of standardized way as yet
> to communicate key changes to an upstream zone or in this
> case a lookaside provider?
> 
> Shane

-- 
Mark J Elkins, Cisco CCIE - Posix Systems - Sth Africa. e.164 VOIP ready
m...@posix.co.za  Tel: +27 12 807 0590  Cell: +27 82 601 0496
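Whichever way the new KSK reaches the upstream zone or the lookaside registry, the thing worth checking afterwards is that the DS (or, for dlv.isc.org, DLV, which has the same RDATA format per RFC 4431) record they publish matches what your own DNSKEY hashes to. The script below is an added example, not code from this thread or from BIND: it computes the key tag (RFC 4034 Appendix B) and the digest (RFC 4034 section 5.1.4) for a KSK, using a constructed, deliberately tiny public key rather than a real one.

```python
# Added example: derive the DS/DLV RDATA for a KSK DNSKEY so the record a
# registry or lookaside provider publishes can be compared with your own.
import base64
import hashlib
import struct


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 16-bit flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """Return 'keytag algorithm digesttype DIGEST', the RDATA shared by DS and DLV.

    The digest covers the DNSKEY's own owner name plus its RDATA, so for a
    DLV record the digest is over the original zone name, not the dlv.isc.org
    subdomain the record is published under.
    """
    pubkey = base64.b64decode(pubkey_b64)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    # Constructed sample key (bytes 01 03 ab cd); a real KSK is far longer.
    sample_key = "AQOrzQ=="
    # flags 257 = ZONE|SEP (a KSK), protocol 3, algorithm 5 (RSA/SHA-1)
    print("example.com. IN DLV", ds_record("example.com", 257, 3, 5, sample_key))
```

Feed it the flags, protocol, algorithm and base64 key from your `Kexample.com.+005+NNNNN.key` file and compare the output with the DS/DLV record the upstream actually serves.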
