Played with OpenDNSSEC - and was a bit disappointed. Actually flew to Sweden and attended the course. It works - but acts like a black box - you don't have any finger-poking ability when things go wrong (for fun - we deleted a key out of the HSM - bad idea!)
I don't like having to run everything Dynamic - which seems to be how ISC and BIND are currently heading. I eventually sat down and wrote a Bash script. It's periodically called from cron. It understands static zones with None (no DNSSEC), NSEC and NSEC3 forms of DNSSEC. It kinda knows what a dynamic zone is - and does mainly hands off. It manages serial number detection and updating by keeping a checksum of the zone and comparing/detecting changes - so you can use the script on non-signed zones - just change the data - it'll update the SOA serial and do an RNDC RELOAD for you. You can look at it on "www.posixafrica.com" - there is a presentation there as well that I did at an AfriNIC conference. I personally use the script for my primary domain (posix.co.za) and several others. No problems so far....

ZSKs are totally automated; KSKs, which generate the DS records, are automated if you run children of parents under your control (reverse IP addresses!). There is a method of running a command for parent zones - which could for example be to run an EPP client to update the DS records at the registry. OpenDNSSEC comes with such a client.

You asked about ZSKs - I run a cron-driven rollover so no ZSK is more than 34 days old (age of the file holding the key - could be modified to read the metadata?). New ZSKs are created every 17 days (old ones deleted). KSKs are never older than about a year - with a new KSK generated every 6 months. I guess this could be modified/customised per zone - but these are very close to the default values. This means you end up with two ZSKs and two KSKs per zone. This could be further modified to remove older keys after appropriate time delays - but...

You should use the directory structure I suggest - rather - this keeps files more manageable (directory per zone).

I don't put keys into any HSM - kinda waiting on BIND to include a patch to work with Rickard Bellgrim's SoftHSM (now that would be something!) That should one day be workable.
On Tue, 2011-10-04 at 19:09 +0000, McConville, Kevin wrote:
> I’m new to this list, so please bear with me if these are/seem like
> “newbie” questions.
>
> We are currently evaluating a DNSSEC implementation. We have several
> static zones that we would like to implement first. We are currently
> using ISC Bind 9.7.4 – In the test environment (1) Authoritative dns
> server and (1) Resolver dns server, both running RHEL 5.7. We do have
> an on-hold Opendnssec server w/softhsm (we are trying to look at the
> built-in utilities of isc bind first).
>
> We are trying to make the DNSSEC piece as automatic as possible, so
> here is where we are having issues.
>
> 1) Is there any way to have the zsk be auto-generated based upon
> the inactive date listed in the zsk meta-data? I know we can
> pre-publish and then use dnssec-settime to change the meta-data, but
> still very hands-on.
>
> 2) With a static zone, are the update-policy local and auto-dnssec
> maintain options invalid/don’t work? From the docs, they look like
> they are only for automation of dynamic zones?
>
> 3) Are there any ways to automate zone signing and zsk
> generation/roll-over with a totally static zone environment?
>
> 4) What key-management, zone-signing management utilities or
> programs have you found useful/helpful?
>
> Any suggestions, comments, or questions are greatly appreciated. Thank
> you in advance.
>
> Thanks,
>
> -Kevin
>
> Kevin McConville
> University at Albany
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Elkins <m...@posix.co.za>
Posix Systems
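The two mechanisms Mark describes above (change detection by checksum with an SOA serial bump and rndc reload, and file-age driven ZSK rollover at 17/34 days) as an added POSIX sh example. This is not the script from www.posixafrica.com and not Mark's code; it assumes a directory per zone under ZONE_DIR holding <zone>.zone plus BIND-style K<zone>.+<alg>+<id>.key files, and a zone file whose SOA serial is the last token before a "; serial" comment. The zone directory, the serial-line convention and the RSASHA256/2048 key parameters are my assumptions, not something the post states.

```shell
#!/bin/sh
# Added example; not the script from www.posixafrica.com. Shows the
# change-detection, serial-bump, reload and key-age logic a cron-driven
# helper for static zones needs. Assumptions (mine, not the post's): one
# directory per zone under $ZONE_DIR holding <zone>.zone plus BIND-style
# K<zone>.+<alg>+<id>.key files, and an SOA serial that is the last token
# before a "; serial" comment.
set -u

ZONE_DIR=${ZONE_DIR:-/var/named/zones}
RNDC=${RNDC:-rndc}                      # set RNDC=true to test without named
KEYGEN=${KEYGEN:-dnssec-keygen}
ZSK_NEW_DAYS=${ZSK_NEW_DAYS:-17}        # post: a new ZSK every 17 days
ZSK_REMOVE_DAYS=${ZSK_REMOVE_DAYS:-34}  # post: no ZSK older than 34 days

# Hash of the zone file: sha256sum where present, POSIX cksum otherwise.
zone_checksum() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$1"; else cksum < "$1"; fi |
        cut -d' ' -f1
}

# Current serial: the token just before the "; serial" comment.
zone_serial() {
    awk '/;[[:space:]]*serial/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^;/) break
        if (i > 1) print $(i - 1)
        exit }' "$1"
}

# Rewrite the serial: YYYYMMDD00 if that is larger than the old value,
# otherwise old+1, so the serial always increases. Prints the new serial.
bump_serial() {
    old=$(zone_serial "$1")
    [ -n "$old" ] || { echo "$1: no '; serial' line found" >&2; return 2; }
    today=$(date +%Y%m%d)00
    if [ "$old" -lt "$today" ]; then new=$today; else new=$((old + 1)); fi
    tmp="$1.tmp.$$"
    awk -v n="$new" '
        /;[[:space:]]*serial/ && !done {
            match($0, /^[[:space:]]*/); pre = substr($0, 1, RLENGTH)
            for (i = 1; i <= NF; i++) if ($i ~ /^;/) break
            if (i > 1) { $(i - 1) = n; $0 = pre $0; done = 1 }
        }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
    echo "$new"
}

# Compare the zone against the stored checksum. On change: bump the serial,
# run named-checkzone if available, store the post-bump checksum (so our own
# edit is not seen as a change next run) and reload. Prints the new serial;
# returns 1 when nothing changed, 2 when the zone fails the check.
check_zone() {
    zone=$1; file=$ZONE_DIR/$zone/$zone.zone; sumfile=$ZONE_DIR/$zone/.zone.sum
    [ "$(zone_checksum "$file")" != "$(cat "$sumfile" 2>/dev/null)" ] || return 1
    serial=$(bump_serial "$file") || return 2
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$zone" "$file" ||
            { echo "$zone: fails named-checkzone, not reloaded" >&2; return 2; }
    fi
    zone_checksum "$file" > "$sumfile"
    "$RNDC" reload "$zone" >/dev/null || echo "$zone: rndc reload failed" >&2
    echo "$serial"
}

# Key files of $zone whose DNSKEY flags are $2 (256 = ZSK, 257 = KSK); any
# further arguments go to find, e.g. -mtime +34 for "older than 34 days".
list_keys() {
    zone=$1; flags=$2; shift 2
    find "$ZONE_DIR/$zone" -name "K$zone.+*.key" ${1+"$@"} | while read -r f; do
        if grep -q "[[:space:]]DNSKEY[[:space:]]$flags[[:space:]]" "$f"; then echo "$f"; fi
    done
}

# ZSK housekeeping on the post's schedule: delete ZSKs (and their .private
# halves) past ZSK_REMOVE_DAYS, and generate a new ZSK when none is younger
# than ZSK_NEW_DAYS. Returns 0 when the key set changed (re-sign the zone).
rotate_zsks() {
    zone=$1; changed=1
    for k in $(list_keys "$zone" 256 -mtime +"$ZSK_REMOVE_DAYS"); do
        rm -f "$k" "${k%.key}.private"; changed=0
    done
    if [ -z "$(list_keys "$zone" 256 -mtime -"$ZSK_NEW_DAYS")" ]; then
        "$KEYGEN" -K "$ZONE_DIR/$zone" -a RSASHA256 -b 2048 -n ZONE "$zone" >/dev/null
        changed=0
    fi
    return $changed
}

# Cron entry point:  */15 * * * *  /usr/local/sbin/zonecheck run example.com
if [ "${1:-}" = "run" ]; then
    shift
    for z; do
        if rotate_zsks "$z"; then
            echo "$z: ZSK set changed; re-sign (dnssec-signzone) before reloading" >&2
        else
            check_zone "$z" >/dev/null || :
        fi
    done
fi
```

The checksum is written only after the serial has been rewritten, which is what stops the script's own edit from registering as a change on the next cron run. Key age comes from file mtime via find, exactly the approximation the post mentions; reading the key timing metadata instead would need dnssec-settime -p. Re-signing the zone after a ZSK change is deliberately left out, as is any KSK/DS handling.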