On Fri, 6 Aug 2010, Martin McCormick wrote:
> I have started looking at various ways for our
> organization to begin using dns-sec as this appears to be a high
> management priority and it will eventually become necessary to
> operate. We have a fairly simple structure with an official master and
> slave with dynamic DHCP continuously updating the zone.
Phil Mayers is right. Use BIND 9.7's built-in automated signing and follow Phil's suggested setup. BIND's DNSSEC support is designed to work well with a zone that is maintained using dynamic updates. Switching from static files to dynamic updates is one of the keys to working well with BIND and DNSSEC. You have already done that, so you should feel happy :-)

OpenDNSSEC predates BIND's auto-signing functionality, so it has become partly obsolete - but not completely. (As far as I can tell from a couple of looks at its documentation, it does not do large and/or dynamic zones very well. It seems to be designed to cope with spreading the CPU load of signing a very large number of mostly static zones using PKCS#11 crypto hardware.) It also does key management, and BIND does not yet do that for you. All you need to add is a cron job to run dnssec-keygen every so often with the right options.

Sadly, key management and rollover is still one of the most difficult areas of DNSSEC because there are so many interacting variables to get to grips with and the documentation is poor. For BIND the key things you need to know about are the sig-validity-interval option, which controls the lifetime of RRSIG records, and dnssec-settime, which sets the lifetime parameters of a DNSKEY. http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing and http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis explain how the parameters interact but are a bit intimidating. I don't know of any tutorials or documents that cut down the parameter space to something manageable without sweeping the whole lot under the carpet.

You also need to know that there is a lot of obsolete cruft in the dnssec-keygen manual page related to discarded bits of pre-4035 DNSSEC, and the only non-trivial options you need to understand are -a -b -3 -e -f.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
WIGHT PORTLAND PLYMOUTH NORTH BISCAY: SOUTHWESTERLY VEERING WESTERLY OR NORTHWESTERLY, 4 OR 5, OCCASIONALLY 6 AT FIRST. MODERATE, OCCASIONALLY ROUGH IN PLYMOUTH AND NORTH BISCAY. RAIN OR SHOWERS, FAIR LATER. MODERATE OR GOOD, OCCASIONALLY POOR.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
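The setup Tony describes above (auto-signed dynamic zone, a cron job running dnssec-keygen, lifetimes set with dnssec-settime and sig-validity-interval), worked through as an added example. This script is not from the original thread or from ISC; it only prints the commands and the named.conf zone stanza rather than running them, so it can be read and checked offline. The dnssec-keygen/dnssec-settime flag names and the named.conf options are real BIND 9.7 ones; the zone name, key directory, key file names and all timing values are constructed assumptions, and the Ipub/Iret arithmetic follows the ZSK pre-publication method in the key-timing draft the post links.

```shell
#!/bin/sh
# Added example (not from the original post or from ISC): print the
# dnssec-keygen / dnssec-settime commands for a ZSK pre-publication
# rollover of an auto-signed BIND 9.7 dynamic zone, plus the zone stanza.

ZONE=${ZONE:-example.net}            # constructed zone name
KEYDIR=${KEYDIR:-/var/named/keys}    # constructed key directory

# Timing inputs in seconds (assumed values for this example)
TTL_KEY=3600    # TTL of the DNSKEY RRset
TTL_SIG=3600    # largest TTL of a signed RRset (how long old RRSIGs stay cached)
D_PRP=1800      # worst-case propagation delay from master to all slaves
D_SGN=86400     # time for named to re-sign every RRset with the new ZSK

# Pre-publication rollover intervals (draft-ietf-dnsop-dnssec-key-timing):
#   Ipub = Dprp + TTLkey         new DNSKEY must be in every cache before it signs
#   Iret = Dsgn + Dprp + TTLsig  old key stays published until its RRSIGs expire
ipub() { echo $(( D_PRP + TTL_KEY )); }
iret() { echo $(( D_SGN + D_PRP + TTL_SIG )); }

# Key generation: -3 selects an NSEC3-capable algorithm, -f KSK marks the
# key-signing key (no -f means ZSK), -n ZONE is the owner type, -K is the
# directory named's key-directory points at.
keygen_cmds() {
  algo=$1; zsk_bits=$2; ksk_bits=$3
  printf 'dnssec-keygen -K %s -a %s -b %s -3 -n ZONE %s\n' \
    "$KEYDIR" "$algo" "$zsk_bits" "$ZONE"
  printf 'dnssec-keygen -K %s -a %s -b %s -3 -f KSK -n ZONE %s\n' \
    "$KEYDIR" "$algo" "$ksk_bits" "$ZONE"
}

# Schedule a ZSK rollover with dnssec-settime: the successor activates
# $activate seconds from now. -P publish, -A activate, -I inactive,
# -D delete; "+N" is N seconds from now. Publish Ipub before activation
# (or immediately if that is already too late) and keep the old key until
# Iret after its replacement took over.
settime_cmds() {
  new_key=$1; old_key=$2; activate=$3
  publish=$(( activate - $(ipub) ))
  if [ "$publish" -gt 0 ]; then publish="+$publish"; else publish=now; fi
  printf 'dnssec-settime -K %s -P %s -A +%s %s\n' \
    "$KEYDIR" "$publish" "$activate" "$new_key"
  printf 'dnssec-settime -K %s -I +%s -D +%s %s\n' \
    "$KEYDIR" "$activate" "$(( activate + $(iret) ))" "$old_key"
}

# Zone stanza: dynamic updates from the local DHCP server on the master,
# named maintains DNSKEY/RRSIG records from the keys in key-directory,
# RRSIGs valid 30 days and regenerated 3 days before expiry.
zone_conf() {
  cat <<EOF
zone "$ZONE" {
    type master;
    file "$ZONE.db";
    key-directory "$KEYDIR";
    update-policy local;
    auto-dnssec maintain;
    sig-validity-interval 30 3;
};
EOF
}

# Example run; the key file names are constructed, not real key tags.
keygen_cmds RSASHA256 1024 2048
settime_cmds "K$ZONE.+008+11111" "K$ZONE.+008+22222" 86400
zone_conf
# The cron job from the post would run the ZSK keygen line followed by
# settime_cmds, e.g. monthly:  0 3 1 * * /usr/local/sbin/zsk-rollover.sh
```

Run it once to see the planned commands, then compare the printed Ipub and Iret offsets against your own DNSKEY TTL and slave transfer delays before applying them; the -P/-A/-I/-D values are what `auto-dnssec maintain` reads from the key files to decide when to publish, sign with, and withdraw each key.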