Some dnssec-signzone questions
I have three questions regarding dnssec-signzone.

To clarify things, I'm using BIND 9.7.2-P2.

First is about the input file: you can specify on the command line either the signed version of the zone, or the unsigned one. What I'd like to do, however, is to use both. The unsigned zone is much more readable, and can contain $INCLUDE directives, which makes modification easier. But specifying the signed zone has the added benefit of reusing existing signatures, thus saving on computation time (not that I have a lot to save on ;). So, I'd like dnssec-signzone to take 'normal' records from the non-signed zone, try to reuse RRSIG records as much as possible, taking them from the signed zone, and write the result. Is this possible with dnssec-signzone? Other than writing a custom tool to filter only NSEC/RRSIG records from .signed and appending this file to the unsigned zone? Which might not be that hard; probably a simple sed script would do.

Another is about key management and the -S option: guessing by what I've read in the man page, -S should use key metadata to decide when to include/exclude/use/revoke the key. However, I've been unable to make it work. I have 2 KSK keys, one of them set to revoke in the past, as dnssec-settime kindly tells me. But when I do dnssec-signzone -S on the unsigned file, I get the error message:

dnssec-signzone: fatal: cannot find DNSKEY RRSIGs

and nothing is signed. dnssec-signzone without -S can properly sign the zone, ignoring the revocation time. Then, I do dnssec-signzone -S on the signed file, which only retains old signatures, also happily ignoring the revocation time. What am I doing wrong; why does it fail to behave as I'd expect?

Third is about the -N option: a well-established practice (although I don't know what its origin was) is to set the SOA serial number to e.g. 2011020101, which is the current day and a two-digit daily version. This has the benefit of being almost as good as putting the unixtime of the last modification, while being much more human-readable.
How difficult would it be to implement this for dnssec-signzone -N, using a fourth format specifier?

Regards,
Torinthiel

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Some dnssec-signzone questions
On Tue, 1 Feb 2011, Torinthiel wrote:

> To clarify things, I'm using BIND 9.7.2-P2.
>
> First is about the input file: you can specify on the command line either the
> signed version of the zone, or the unsigned one.
> What I'd like to do, however, is to use both.
> The unsigned zone is much more readable, and can contain $INCLUDE directives,
> which makes modification easier.
> But specifying the signed zone has the added benefit of reusing existing
> signatures, thus saving on computation time (not that I have a lot to save
> on ;). So, I'd like dnssec-signzone to take 'normal' records from the non-signed
> zone, try to reuse RRSIG records as much as possible, taking them from the
> signed zone, and write the result.

See ldns-read-zone -d (data without sigs) and ldns-read-zone -s (sigs only), combined with -n (don't print SOA) for one of them.

Basically run the signed zone through ldns-read-zone -s, concatenate it with your unsigned zone, and run it through dnssec-signzone.

Paul
Re: Some dnssec-signzone questions
On Tue, 1 Feb 2011, Torinthiel wrote:

> Third is about the -N option:
> a well-established practice (although I don't know what its origin was) is
> to set the SOA serial number to e.g. 2011020101, which is the current day and a
> two-digit daily version. This has the benefit of being almost as good as
> putting the unixtime of the last modification, while being much more
> human-readable.
> How difficult would it be to implement this for dnssec-signzone -N, using a
> fourth format specifier?

It's not hard. See my bind-users post of Oct 15 with subject:
   more flexible serial number handling in dnssec-signzone

Since then I've quit using the serial number fiddling ability of dnssec-signzone. The problem is that it doesn't increment the serial number in the unsigned file, so future uses of "dnssec-signzone -N" could result in the same or even lower values.

Instead, I created a zap-serial tool to zap the serial number in place within the unsigned zone file, either to a new literal value or incrementing the old number. My DNSSEC-related processes now zap the serial number before signing with dnssec-signzone. You can find the C source for zap-serial & some possibly useful other DNSSEC-related scripts here (at least for now):
   http://seatpost.its.uiowa.edu/bind_stuff

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
Re: Some dnssec-signzone questions
On 02/01/11 19:44, Paul Wouters wrote:
> On Tue, 1 Feb 2011, Torinthiel wrote:
>
>> To clarify things, I'm using BIND 9.7.2-P2.
>>
>> First is about the input file: you can specify on the command line either the
>> signed version of the zone, or the unsigned one.
>> What I'd like to do, however, is to use both.
>> The unsigned zone is much more readable, and can contain $INCLUDE directives,
>> which makes modification easier.
>> But specifying the signed zone has the added benefit of reusing existing
>> signatures, thus saving on computation time (not that I have a lot to save
>> on ;). So, I'd like dnssec-signzone to take 'normal' records from the non-signed
>> zone, try to reuse RRSIG records as much as possible, taking them from the
>> signed zone, and write the result.
>
> See ldns-read-zone -d (data without sigs) and ldns-read-zone -s (sigs only),
> combined with -n (don't print SOA) for one of them.

Thanks, nice tool. I'll have to look at ldns-*, as I've only used drill from the ldns packages.

> Basically run the signed zone through ldns-read-zone -s, concatenate it
> with your unsigned zone, and run it through dnssec-signzone.

Or have a script that either strips the data from the signed zone or creates an empty file, and then $INCLUDE that file in the original unsigned zone.

Torinthiel
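The filter-and-reuse workflow from Paul's reply, and the $INCLUDE variant above, as an added shell example. This is not code from the thread and not ldns-read-zone itself: it does in awk the normalization ldns-read-zone would do for you, assuming BIND's master-file output conventions (owner name and class omitted when unchanged from the previous record, a TTL on every record, multi-line rdata wrapped in parentheses). The signed zone it parses is a constructed sample with fake signatures and a fake key.

```shell
#!/bin/sh
# Added example, not code from the thread and not ldns-read-zone: pull the
# DNSSEC records (RRSIG, NSEC, NSEC3) out of a dnssec-signzone output file so
# they can be appended to (or $INCLUDEd from) the readable unsigned zone and
# handed back to dnssec-signzone, which keeps still-valid signatures it finds
# in its input and only re-signs what changed or is close to expiry.
# Assumes BIND master-file output as dnssec-signzone writes it: owner name and
# class omitted when unchanged from the previous record, a TTL on every record,
# multi-line rdata wrapped in ( ... ). The sample signed zone is constructed.

# extract_sigs SIGNEDZONE: print one normalized "owner ttl IN type rdata" line
# per RRSIG/NSEC/NSEC3 record, re-attaching the omitted owner name.
extract_sigs() {
    awk '
    function emit(   n, f, i, name, ttl, type, rdata) {
        gsub(/[()]/, " ", rec)                 # undo multi-line wrapping
        sub(/^[ \t]+/, "", rec); sub(/[ \t]+$/, "", rec)
        n = split(rec, f, /[ \t]+/)
        name = f[1]; i = 2
        ttl = f[i]; i++                        # dnssec-signzone always writes a TTL
        if (f[i] == "IN") i++                  # class is optional in the file
        type = f[i]; i++
        if (type == "RRSIG" || type == "NSEC" || type == "NSEC3") {
            rdata = f[i]
            for (i++; i <= n; i++) rdata = rdata " " f[i]
            print name, ttl, "IN", type, rdata
        }
        rec = ""
    }
    {
        line = $0
        sub(/;.*/, "", line)                   # comments; base64 never contains ";"
        if (line ~ /^[ \t]*$/ || line ~ /^\$/) next   # blank, or $ORIGIN/$TTL
        if (rec == "") {                       # first line of a record
            if (line ~ /^[ \t]/) line = owner " " line   # owner omitted: reuse last
            else { split(line, w, /[ \t]+/); owner = w[1] }
        }
        rec = rec " " line
        depth += gsub(/\(/, "(", line) - gsub(/\)/, ")", line)
        if (depth == 0) emit()                 # record complete
    }
    END { if (rec != "") emit() }
    ' "$1"
}

# merge_for_resign UNSIGNED SIGNED: the file dnssec-signzone should read next time.
merge_for_resign() {
    cat "$1"
    extract_sigs "$2"
}

# Constructed sample of dnssec-signzone output (fake signatures and key).
SAMPLE_SIGNED=${TMPDIR:-/tmp}/db.example.com.signed.$$
cat > "$SAMPLE_SIGNED" <<'EOF'
; File written on Tue Feb  1 12:00:00 2011 (constructed sample, fake signatures)
example.com.		3600	IN SOA	ns1.example.com. hostmaster.example.com. (
					2011020101 ; serial
					7200       ; refresh (2 hours)
					3600       ; retry (1 hour)
					1209600    ; expire (2 weeks)
					3600 )     ; minimum (1 hour)
			3600	RRSIG	SOA 8 2 3600 20110303120000 (
					20110201120000 12345 example.com.
					AAAAexampleSignatureBase64== )
			3600	NS	ns1.example.com.
			3600	RRSIG	NS 8 2 3600 20110303120000 (
					20110201120000 12345 example.com.
					BBBBexampleSignatureBase64== )
			3600	NSEC	ns1.example.com. NS SOA RRSIG NSEC DNSKEY
			3600	RRSIG	NSEC 8 2 3600 20110303120000 (
					20110201120000 12345 example.com.
					CCCCexampleSignatureBase64== )
			3600	DNSKEY	257 3 8 (
					AwEAAexampleKeyBase64== ) ; key id = 12345
ns1.example.com.	3600	IN A	192.0.2.1
			3600	RRSIG	A 8 3 3600 20110303120000 (
					20110201120000 12345 example.com.
					DDDDexampleSignatureBase64== )
			3600	NSEC	example.com. A RRSIG NSEC
EOF

# Typical use (needs the BIND tools, so not run here):
#   merge_for_resign db.example.com db.example.com.signed > db.example.com.resign
#   dnssec-signzone -o example.com -f db.example.com.signed db.example.com.resign
```

dnssec-signzone only reuses a signature when the RRset it covers is unchanged and the signing key is still available to it; the SOA RRSIG is always redone once the serial moves, and signatures that expire within the cycle interval (-i) are regenerated regardless. Feeding back the NSEC chain is harmless but not required, since dnssec-signzone rebuilds it from the data.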
Re: Some dnssec-signzone questions
On 02/01/11 22:13, Jay Ford wrote:
> On Tue, 1 Feb 2011, Torinthiel wrote:
>> Third is about the -N option:
>> a well-established practice (although I don't know what its origin was) is
>> to set the SOA serial number to e.g. 2011020101, which is the current day and a
>> two-digit daily version. This has the benefit of being almost as good as
>> putting the unixtime of the last modification, while being much more
>> human-readable.
>> How difficult would it be to implement this for dnssec-signzone -N, using a
>> fourth format specifier?
>
> It's not hard. See my bind-users post of Oct 15 with subject:
>    more flexible serial number handling in dnssec-signzone
>
> Since then I've quit using the serial number fiddling ability of
> dnssec-signzone. The problem is that it doesn't increment the serial number
> in the unsigned file, so future uses of "dnssec-signzone -N" could result
> in the same or even lower values.

Yes, that's a problem. Combined with ldns-read-zone and the answer to my first question, this could make dnssec-signzone read the good SOA record. I was also thinking of simply changing it by sed in a script.

> Instead, I created a zap-serial tool to zap the serial number in place within
> the unsigned zone file, either to a new literal value or incrementing the old
> number. My DNSSEC-related processes now zap the serial number before signing
> with dnssec-signzone. You can find the C source for zap-serial & some
> possibly useful other DNSSEC-related scripts here (at least for now):
>    http://seatpost.its.uiowa.edu/bind_stuff

Nice set of scripts. I was thinking of writing my own with probably similar functionality, but I'll start with those. The main difference is that I don't store keys online, so I'd like the scripts to notify me that signing is necessary instead of signing.

Torinthiel