Re: DNSSEC: give KSK from my domain to parent zones

2018-10-05 Thread G.W. Haywood via bind-users

Hi there,

On Fri, 5 Oct 2018, Roberto Carna wrote:


> ... when I check for the DNSSEC support with:
>
> dig com.uk +dnssec +multi
>
> I can see there is no support at all... so using DNSSEC for xxx.com.uk makes no
> sense at all, doesn't it?


Do you mean "xxx.co.uk" and not "xxx.com.uk"?

--

73,
Ged.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNSSEC: give KSK from my domain to parent zones

2018-10-05 Thread Roberto Carna
Thanks a lot to all of you. Now I understand.

But when I check for the DNSSEC support with:

dig com.uk +dnssec +multi

I can see there is no support at all... so using DNSSEC for xxx.com.uk makes no
sense at all, doesn't it?

; <<>> DiG 9.10.3-P4-Debian <<>> com.uk +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55494
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com.uk. IN A

;; AUTHORITY SECTION:
uk. 1548 IN SOA dns1.nic.uk. hostmaster.nic.uk. (
1403852443 ; serial
7200   ; refresh (2 hours)
900    ; retry (15 minutes)
2419200; expire (4 weeks)
10800  ; minimum (3 hours)
)
uk. 1548 IN RRSIG SOA 8 1 172800 (
20181019160738 20181005150738 43056 uk.
obD8WjHpNUB/GeEdlp2SaJBsp9D0N03cLTCpEn+0UpQF
V75NiX509EzgTeT9Eh0du0kIptjMZKyDON/5ZN7p21BI
E3srTdrMVTNyNqAEa1SZWlTBWcs4FNzFoVkJVfJXwHpF
IDF2ZLlNxjlP9xgWr+YKcEtqUTYF4lfscx5tOF8= )
m3q6e6871m2p91qts9clvtgqbl1vua1i.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
20181018194223 20181004184445 43056 uk.
RH6cfZjzah93ucxwynKropExMhvWznqV4ySiWAsWLw3T
3IaCQoF/rS5Np/PwcuIzZ5ZLR0dJ/56prKWSKA6l5LBz
4dQWvlceb8oY3o1WvBXn/+UjptIMP87LPtNLxU/JsrGJ
YpO6qsBZXTerhmEAAZi+9tLBCo5dW5CO8n5PlP0= )
m3q6e6871m2p91qts9clvtgqbl1vua1i.uk. 1548 IN NSEC3 1 1 0 - (
M4FDARQNDI0P0UGAD29OKGNPRJKAE5SP
NS DS RRSIG )
u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
20181019000937 20181004233936 43056 uk.
ca9n8B+3hjnDKh8KHsM5gDGYq9bJ4Rjh/EQ7fVSO4FK4
VDDFtzhDvQySLfudSq3P0pGdqye/BLjTgC6p4pNUeFhL
SPjJsjcA5SvSha7ZNGgAjjdC4t7Sg0yyGnLxfx129lX2
AbhbpJUjCQ5eX6U56t2IH5/8Dg8uAPOFUF6Ogmk= )
u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk. 1548 IN NSEC3 1 1 0 - (
U1LG7J6JO1NFSU55LON2UMGEUJO912TU
NS SOA RRSIG DNSKEY NSEC3PARAM
TYPE65534 )
uj4hvltjom8uroed1a11c346ko9rcp7a.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
20181018165433 20181004163523 43056 uk.
Tt5nrfM6nuJOgMPjULGi2WIN5RB3EZmv+nqODimBe5x8
9axQltyX7OR8iHNR6DzQl33aABgfvC/htUpKmtvOlQ6P
6V+2f/1I021Qcnuo7thu3V3a+ad1XFfHp6IqpEHi0Qxz
H4OsgvzFoycF+v0xpSr4ZSeuElJ0whKBlGWKAuM= )
uj4hvltjom8uroed1a11c346ko9rcp7a.uk. 1548 IN NSEC3 1 1 0 - (
UJSIFQNCG7CTSHF49P4L7HNBMPOSGRMB
NS DS RRSIG )

;; Query time: 0 msec
;; SERVER: 172.17.10.25#53(172.17.10.25)
;; WHEN: Fri Oct 05 13:12:28 -03 2018
;; MSG SIZE  rcvd: 1011


Regards!!!


On Fri, 5 Oct 2018 at 12:58, Chris Thompson () wrote:

> On Oct 4 2018, Mark Elkins wrote:
>
> >On 10/04/2018 05:03 PM, Roberto Carna wrote:
> [...]
> >> I have two DNS servers running BIND 9.10, they have delegated my own
> >> domain, let's say "robert.com.uk" and some
> >> other domains from our clients, let's say:
> >>
> >> client1.com.uk
> >> client2.edu.uk
> >> client3.info.uk
> >>
> >> Can I sign these client zones with my ZSK, or do I have to have a
> >> different key for each domain?
> >
> >I believe common practice is to create separate KSK and ZSK keys for
> >each domain - so each domain will have their own DS records in the
> >parent. This way, if one of the clients moves their domain to a new DNS
> >provider - there is no security conflict in the move from shared keys.
>
> Even if you make the (RDATA of) the KSKs identical for the different zones
> the DS records you will need to insert into the parent zones will be
> different, because the hashing algorithm includes the KSK owner name
> (i.e. the zone name) in its input. See RFC 4034 section 5.1.4.
>
> Similarly using ZSKs with identical RDATA in the different zones will
> not make any of the RRSIGs the same (e.g. for the www.[zonename] RRs
> in different zones), because the full owner name is included in the
> hashing input.
>
> >(Use a different Key)
>
> Yes. Because there are no advantages whatsoever in doing othe
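The dig output quoted in this message does not show a lack of DNSSEC support: every record in the AUTHORITY section carries an RRSIG made by uk., and the NSEC3 records are the signed proof that the name com.uk does not exist (NXDOMAIN), which is why Ged asks whether co.uk was meant. As an added example, not part of the original thread and not BIND code, the following Python parses dig output and reports what the response says from a DNSSEC standpoint. The embedded input is a constructed, abbreviated copy of the response above (signature and hash data shortened; record layout unchanged); the function and key names are this example's own.

```python
import re
from collections import Counter

# Constructed test input: an abbreviated copy of the dig output quoted in the
# thread (signature and hash fields shortened, record structure unchanged).
SAMPLE_DIG = """\
; <<>> DiG 9.10.3-P4-Debian <<>> com.uk +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55494
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com.uk.  IN A

;; AUTHORITY SECTION:
uk. 1548 IN SOA dns1.nic.uk. hostmaster.nic.uk. (
  1403852443 ; serial
  7200 ; refresh (2 hours)
  900 ; retry (15 minutes)
  2419200 ; expire (4 weeks)
  10800 ; minimum (3 hours)
  )
uk. 1548 IN RRSIG SOA 8 1 172800 (
  20181019160738 20181005150738 43056 uk. obD8Wj...OF8= )
m3q6e6871m2p91qts9clvtgqbl1vua1i.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
  20181018194223 20181004184445 43056 uk. RH6cfZ...lP0= )
m3q6e6871m2p91qts9clvtgqbl1vua1i.uk. 1548 IN NSEC3 1 1 0 - (
  M4FDARQNDI0P0UGAD29OKGNPRJKAE5SP
  NS DS RRSIG )
u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
  20181019000937 20181004233936 43056 uk. ca9n8B...gmk= )
u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk. 1548 IN NSEC3 1 1 0 - (
  U1LG7J6JO1NFSU55LON2UMGEUJO912TU
  NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534 )
uj4hvltjom8uroed1a11c346ko9rcp7a.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
  20181018165433 20181004163523 43056 uk. Tt5nrf...AuM= )
uj4hvltjom8uroed1a11c346ko9rcp7a.uk. 1548 IN NSEC3 1 1 0 - (
  UJSIFQNCG7CTSHF49P4L7HNBMPOSGRMB
  NS DS RRSIG )

;; Query time: 0 msec
;; SERVER: 172.17.10.25#53(172.17.10.25)
;; WHEN: Fri Oct 05 13:12:28 -03 2018
;; MSG SIZE  rcvd: 1011
"""

# A record line starts with the owner name, then TTL, class IN and the type.
# Continuation lines of +multi output never match this shape.
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)", re.M)
# RRSIG RDATA: ... expiration inception keytag signer-name ...
SIGNER_RE = re.compile(r"\b\d{14}\s+\d{14}\s+\d+\s+(\S+)")


def parse_dig(text: str) -> dict:
    """Extract status, header flags, EDNS flags and AUTHORITY record-type counts from dig output."""
    status = re.search(r"status: ([A-Z]+)", text).group(1)
    flags = re.search(r";; flags: ([^;]*);", text).group(1).split()
    authority_count = int(re.search(r"AUTHORITY: (\d+)", text).group(1))
    edns = re.search(r"; EDNS: version: \d+, flags:\s*([^;]*);", text)
    edns_flags = edns.group(1).split() if edns else []
    authority = ""
    if ";; AUTHORITY SECTION:" in text:
        # Everything after the section header up to the next ";; " header.
        authority = text.split(";; AUTHORITY SECTION:", 1)[1].split("\n;; ", 1)[0]
    types = Counter(m.group(3) for m in RECORD_RE.finditer(authority))
    signer = SIGNER_RE.search(authority)
    return {
        "status": status,
        "flags": flags,
        "edns_flags": edns_flags,
        "authority_count": authority_count,
        "authority_types": dict(types),
        "signer": signer.group(1) if signer else None,
    }


def assess(parsed: dict) -> dict:
    """Interpret a parsed response: is the zone signed, is the denial signed, did the resolver validate?"""
    t = parsed["authority_types"]
    rrsig = t.get("RRSIG", 0)
    denial = t.get("NSEC", 0) + t.get("NSEC3", 0)
    return {
        "name_exists": parsed["status"] != "NXDOMAIN",
        "do_bit_sent": "do" in parsed["edns_flags"],
        "zone_signed": rrsig > 0,
        "signed_denial": parsed["status"] == "NXDOMAIN" and rrsig > 0 and denial > 0,
        # "ad" is only set when the resolver itself validated the chain of trust.
        "resolver_validated": "ad" in parsed["flags"],
        "signer": parsed["signer"],
        "authority_consistent": sum(t.values()) == parsed["authority_count"],
    }


if __name__ == "__main__":
    for key, value in assess(parse_dig(SAMPLE_DIG)).items():
        print(f"{key:>20}: {value}")
```

Run against the quoted response it reports that the name does not exist, that the zone signing the denial is uk., and that the `ad` flag is absent, meaning the resolver at 172.17.10.25 returned the records without validating them itself; whether your own resolver validates is a separate question from whether the parent zone is signed.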

Re: DNSSEC: give KSK from my domain to parent zones

2018-10-05 Thread Chris Thompson

On Oct 4 2018, Mark Elkins wrote:

>On 10/04/2018 05:03 PM, Roberto Carna wrote:
[...]
>> I have two DNS servers running BIND 9.10, they have delegated my own
>> domain, let's say "robert.com.uk" and some
>> other domains from our clients, let's say:
>>
>> client1.com.uk
>> client2.edu.uk
>> client3.info.uk
>>
>> Can I sign these client zones with my ZSK, or do I have to have a
>> different key for each domain?
>
>I believe common practice is to create separate KSK and ZSK keys for
>each domain - so each domain will have their own DS records in the
>parent. This way, if one of the clients moves their domain to a new DNS
>provider - there is no security conflict in the move from shared keys.

Even if you make the (RDATA of) the KSKs identical for the different zones
the DS records you will need to insert into the parent zones will be
different, because the hashing algorithm includes the KSK owner name
(i.e. the zone name) in its input. See RFC 4034 section 5.1.4.

Similarly using ZSKs with identical RDATA in the different zones will
not make any of the RRSIGs the same (e.g. for the www.[zonename] RRs
in different zones), because the full owner name is included in the
hashing input.

>(Use a different Key)

Yes. Because there are no advantages whatsoever in doing otherwise!

--
Chris Thompson
Email: c...@cam.ac.uk





Re: DNSSEC: give KSK from my domain to parent zones

2018-10-04 Thread Roberto Carna
Thanks a lot Mark, regards !!!

On Thu, 4 Oct 2018 at 16:18, Mark Elkins () wrote:

>
>
> On 10/04/2018 05:03 PM, Roberto Carna wrote:
>
> Hello, thanks to both of you for your help. Now I understand I have to
> contact my registrar in order to give it the DS of the KSK.
>
> Please I have a last question:
>
> I have two DNS servers running BIND 9.10, they have delegated my own
> domain, let's say "robert.com.uk" and some other domains from our
> clients, let's say:
>
> client1.com.uk
> client2.edu.uk
> client3.info.uk
>
> Can I sign these client zones with my ZSK, or do I have to have a
> different key for each domain?
>
>
> I believe common practice is to create separate KSK and ZSK keys for each
> domain - so each domain will have their own DS records in the parent. This
> way, if one of the clients moves their domain to a new DNS provider - there
> is no security conflict in the move from shared keys.
>
> (Use a different Key)
>
> And do I have to tell my clients I will sign their zones or it is
> transparent for them?
>
>
> DNSSEC is a good thing - but I'd suggest telling the clients that this is
> happening. DNSSEC usually introduces the need to have extra DNS actions
> happen - even on an otherwise static Zone. Thus - there is more that might
> possibly break. On the other hand, it makes resolving items in that zone far
> more secure and allows for newer possibilities such as TLSA records for Web
> and Mail services. I believe the customer should be made aware of all these
> pros and cons.
>
> (Yes)
>
> Thanks a lot again, regards !!!
>
>
>
> On Wed, 3 Oct 2018 at 16:36, Mark Andrews () wrote:
>
>> You give the matching DS record via your registrar much the same way as
>> you do the NS RRset or glue address records.  If your registrar doesn’t
>> support DNSSEC you will need to change registrars.
>>
>> If your parent zone uses CDS or CDNSKEY then publish those records at the
>> zone apex.
>>
>> If your parent zone is not signed then start complaining.
>>
>> --
>> Mark Andrews
>>
>> On 4 Oct 2018, at 05:24, Roberto Carna  wrote:
>>
>> Dear people, I have DNSSEC implemented in my authoritative domain in BIND
>> 9.10. I've created the KSK and ZSK too.
>>
>> Let's say my domain is "robert.com.uk".
>>
>> How do I have to give the KSK (key signing key) to my parent zones, let's
>> say COM and UK ???
>>
>> And what if COM or UK don't use DNSSEC at all ???
>>
>> Thanking in advance,
>>
>> Robert
>>
>>
>>
>
>
>
> --
> Mark James ELKINS  -  Posix Systems - (South) africa...@posix.co.za   
> Tel: +27.128070590  Cell: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
>


Re: DNSSEC: give KSK from my domain to parent zones

2018-10-04 Thread Mark Elkins


On 10/04/2018 05:03 PM, Roberto Carna wrote:
> Hello, thanks to both of you for your help. Now I understand I have to
> contact my registrar in order to give it the DS of the KSK.
>
> Please I have a last question:
>
> I have two DNS servers running BIND 9.10, they have delegated my own
> domain, let's say "robert.com.uk" and some
> other domains from our clients, let's say:
>
> client1.com.uk
> client2.edu.uk
> client3.info.uk
>
> Can I sign these client zones with my ZSK, or do I have to have a
> different key for each domain?

I believe common practice is to create separate KSK and ZSK keys for
each domain - so each domain will have their own DS records in the
parent. This way, if one of the clients moves their domain to a new DNS
provider - there is no security conflict in the move from shared keys.

(Use a different Key)

> And do I have to tell my clients I will sign their zones or it is
> transparent for them?

DNSSEC is a good thing - but I'd suggest telling the clients that this
is happening. DNSSEC usually introduces the need to have extra DNS
actions happen - even on an otherwise static Zone. Thus - there is more
that might possibly break. On the other hand, it makes resolving items in
that zone far more secure and allows for newer possibilities such as
TLSA records for Web and Mail services. I believe the customer should be
made aware of all these pros and cons.

(Yes)

> Thanks a lot again, regards !!!
>
>
>
> On Wed, 3 Oct 2018 at 16:36, Mark Andrews () wrote:
>
> You give the matching DS record via your registrar much the same
> way as you do the NS RRset or glue address records.  If your
> registrar doesn’t support DNSSEC you will need to change registrars.
>
> If your parent zone uses CDS or CDNSKEY then publish those records
> at the zone apex. 
>
> If your parent zone is not signed then start complaining.
>
> -- 
> Mark Andrews
>
> On 4 Oct 2018, at 05:24, Roberto Carna  wrote:
>
>> Dear people, I have DNSSEC implemented in my authoritative domain
>> in BIND 9.10. I've created the KSK and ZSK too.
>>
>> Let's say my domain is "robert.com.uk".
>>
>> How do I have to give the KSK (key signing key) to my parent
>> zones, let's say COM and UK ???
>>
>> And what if COM or UK don't use DNSSEC at all ???
>>
>> Thanking in advance,
>>
>> Robert
>
>
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: DNSSEC: give KSK from my domain to parent zones

2018-10-04 Thread Roberto Carna
Hello, thanks to both of you for your help. Now I understand I have to
contact my registrar in order to give it the DS of the KSK.

Please I have a last question:

I have two DNS servers running BIND 9.10, they have delegated my own
domain, let's say "robert.com.uk" and some other domains from our clients,
let's say:

client1.com.uk
client2.edu.uk
client3.info.uk

Can I sign these client zones with my ZSK, or do I have to have a
different key for each domain?

And do I have to tell my clients I will sign their zones or it is
transparent for them?

Thanks a lot again, regards !!!



On Wed, 3 Oct 2018 at 16:36, Mark Andrews () wrote:

> You give the matching DS record via your registrar much the same way as
> you do the NS RRset or glue address records.  If your registrar doesn’t
> support DNSSEC you will need to change registrars.
>
> If your parent zone uses CDS or CDNSKEY then publish those records at the
> zone apex.
>
> If your parent zone is not signed then start complaining.
>
> --
> Mark Andrews
>
> On 4 Oct 2018, at 05:24, Roberto Carna  wrote:
>
> Dear people, I have DNSSEC implemented in my authoritative domain in BIND
> 9.10. I've created the KSK and ZSK too.
>
> Let's say my domain is "robert.com.uk".
>
> How do I have to give the KSK (key signing key) to my parent zones, let's
> say COM and UK ???
>
> And what if COM or UK don't use DNSSEC at all ???
>
> Thanking in advance,
>
> Robert
>
>
>


Re: DNSSEC: give KSK from my domain to parent zones

2018-10-03 Thread Mark Andrews
You give the matching DS record via your registrar much the same way as you do 
the NS RRset or glue address records.  If your registrar doesn’t support DNSSEC 
you will need to change registrars.

If your parent zone uses CDS or CDNSKEY then publish those records at the zone 
apex. 

If your parent zone is not signed then start complaining.

-- 
Mark Andrews

> On 4 Oct 2018, at 05:24, Roberto Carna  wrote:
> 
> Dear people, I have DNSSEC implemented in my authoritative domain in BIND 
> 9.10. I've created the KSK and ZSK too.
> 
> Let's say my domain is "robert.com.uk".
> 
> How do I have to give the KSK (key signing key) to my parent zones, let's say 
> COM and UK ???
> 
> And what if COM or UK don't use DNSSEC at all ???
> 
> Thanking in advance,
> 
> Robert


Re: DNSSEC: give KSK from my domain to parent zones

2018-10-03 Thread Anand Buddhdev
On 03/10/2018 21:24, Roberto Carna wrote:

Hi Roberto,

> Dear people, I have DNSSEC implemented in my authoritative domain in BIND
> 9.10. I've created the KSK and ZSK too.
> 
> Let's say my domain is "robert.com.uk".
> 
> How do I have to give the KSK (key signing key) to my parent zones, let's
> say COM and UK ???

Typically, you won't submit the KSK, but a hash of it, called a DS
record. You can generate a DS record using the dnssec-dsfromkey tool,
which is part of BIND.

Your domain will be registered through some registrar. You need to log
into your registrar's web interface, and submit your DS record through
that interface. They will transmit the DS record to the COM or UK
registry which will publish the DS record.

> And what if COM or UK don't use DNSSEC at all ???

Well, COM and UK *are* signed. But if the parent isn't signed, then
there's no point in publishing DS records, because there's no way to
validate the chain of trust. In fact, in general unsigned parent zones
will not even accept DS records.

Regards,
Anand
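Anand's answer describes the DS record as a hash of the KSK that dnssec-dsfromkey produces, and Chris Thompson's message earlier in the thread points out that the digest input includes the owner name (RFC 4034 section 5.1.4), so identical key material under two zone names still yields two different DS records. As an added example, not code from the thread and not BIND's own implementation, the following Python builds a DS record from a DNSKEY the way the RFC specifies: key tag per RFC 4034 Appendix B, digest over the canonical wire-format owner name followed by the DNSKEY RDATA. The public key bytes are constructed for illustration (not a real RSA key; the DS arithmetic does not depend on it), and the function names are this example's own. It goes slightly beyond the thread by also accepting a DNSKEY line in presentation format, as found in a BIND K*.key file.

```python
import base64
import hashlib

# Constructed sample public key bytes; a real KSK would carry the base64
# field of its DNSKEY record here. Flags 257 = zone key with the SEP bit,
# i.e. a KSK; protocol is always 3; algorithm 8 = RSASHA256.
SAMPLE_PUBKEY = bytes(range(1, 65))
SAMPLE_DNSKEY_LINE = (
    "client1.com.uk. IN DNSKEY 257 3 8 "
    + base64.b64encode(SAMPLE_PUBKEY).decode("ascii")
)

# Digest types from the IANA DS registry that hashlib covers directly.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = name.rstrip(".").lower()
    out = bytearray()
    if labels:
        for label in labels.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> str:
    """Presentation-format DS record for the given DNSKEY fields."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type)}")


def ds_from_dnskey_line(line: str, digest_type: int = 2) -> str:
    """Accept 'owner [TTL] IN DNSKEY flags proto alg base64...' and return its DS record."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return ds_record(fields[0], flags, protocol, algorithm, pubkey, digest_type)


if __name__ == "__main__":
    # Same key material under two zone names: same key tag, different digest.
    for zone in ("client1.com.uk", "client2.edu.uk"):
        print(ds_record(zone, 257, 3, 8, SAMPLE_PUBKEY))
    print(ds_from_dnskey_line(SAMPLE_DNSKEY_LINE))
```

The key tag is computed over the RDATA alone, so two zones sharing a key would show the same tag at the parent, but the digest that the parent actually publishes differs because the owner name is hashed in; this is why a shared key buys nothing, and why a DS submitted for the wrong owner name will never validate.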


DNSSEC: give KSK from my domain to parent zones

2018-10-03 Thread Roberto Carna
Dear people, I have DNSSEC implemented in my authoritative domain in BIND
9.10. I've created the KSK and ZSK too.

Let's say my domain is "robert.com.uk".

How do I have to give the KSK (key signing key) to my parent zones, let's
say COM and UK ???

And what if COM or UK don't use DNSSEC at all ???

Thanking in advance,

Robert