On Wed, 2012-02-01 at 17:18 -0500, Michael W. Lucas wrote:
> Hi,
>
> I'd put off DNSSEC because of the high maintenance requirement. But
> with 9.9 and inline signing, it looks like I can now do DNSSEC the way
> I need (static zone files that work with legacy tools, automatic key
> rotation, etc.)
>
> I see that 9.9-rc2 came out yesterday; I'm building it now, but I
> don't see anything in the relnotes that tells me this has
> changed. Unfortunately, I'm trying to figure out how to use DNSSEC
> inline signing from the Internet's ten years of DNSSEC tutorials, none
> of which exactly cover this setup. And the ARM isn't quite updated for
> this yet.
>
> If someone is kind enough to help me figure out DNSSEC, I'll happily
> blog it for the next guy who comes along. I'm sure I won't be the
> last...
>
> My understanding of the process is:
>
> 1) create KSK and ZSK
>
> nstest/etc/namedb/keys;dnssec-keygen -f KSK -a RSASHA1 -b 768 -n ZONE transnetworks.net
> Generating key pair.........................................................++++++++ .++++++++
> Ktransnetworks.net.+005+54607
> nstest/etc/namedb/keys;dnssec-keygen -a RSASHA1 -b 768 -n ZONE transnetworks.net
> Generating key pair......................................++++++++ ..................++++++++
> Ktransnetworks.net.+005+51087
>
As others have said....

When I create a Zone-Signing-Key (ZSK) - I use...

    dnssec-keygen -a RSASHA256 -b 1024 -n ZONE posix.co.za

When I create a Key-Signing-Key (KSK) - I use...

    dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK posix.co.za

Use the "RSASHA256" algorithm. You are probably going to otherwise have to switch to using it one day anyway - and "algorithm" rollovers are more complicated than key rollovers. Also doesn't matter if you use NSEC or NSEC3.

I have a 2048 byte Key Signing Key - I expect to use the same key for a year (and not so easy to roll over - depending on parents).

I have a 1024 byte Zone Signing Key - I only expect to have it for about one month (and it's easy to roll over locally).

The default random device is /dev/random. This device will hang the signing program if there is not enough random data to be fed from - so you might want to add "-r /dev/urandom" to rather use the pseudo-random device -or- install "haveged", which is a random generator daemon which feeds random into /dev/random (at least on my Gentoo Linux box!) (or get a true random number generator USB dongle!)

Oh - and BIND needs to be able to find the keys, so why not create them in the same directory as the zone file... I now have a separate directory for each zone file, where the appropriate keys can also be found, as in....

    zone "posix.co.za" {
        type master;
        file "pri/posix.co.za/db.posix.co.za";
        key-directory "pri/posix.co.za";
        auto-dnssec maintain;
        inline-signing yes;
    };

Hope these suggestions help.

--
  .  .     ___. .__      Posix Systems - (South) Africa
 /|./|    / /__  m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
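The per-zone layout and key parameters Mark describes above, as an added example script (not code from the thread or from ISC). It assumes BIND 9.9+ with dnssec-keygen on PATH, a hypothetical base directory ZONE_ROOT for per-zone subdirectories, and it adds "-r /dev/urandom" and "-K <dir>" to the commands so generation neither blocks on /dev/random nor drops keys where named cannot find them. Running it with a zone name as the argument creates the directory and keys and prints the zone stanza; the key_role helper reads a generated K*.key file and checks the DNSKEY flags (257 = KSK, 256 = ZSK) and algorithm number (8 = RSASHA256) so a key made with the wrong -f or -a is caught before it reaches named.conf. The .key line used in the comments is constructed, not a real key.

```shell
#!/bin/sh
# Added example: per-zone DNSSEC key generation and named.conf stanza for
# BIND 9.9 inline signing. Not from the original thread; ZONE_ROOT is a
# hypothetical location chosen for illustration.
set -eu

ZONE_ROOT="${ZONE_ROOT:-/etc/namedb/pri}"   # assumed base directory

# Flags for a role: 2048-bit RSASHA256 KSK, 1024-bit RSASHA256 ZSK.
# -r /dev/urandom avoids blocking on an entropy-starved /dev/random.
keygen_flags() {
    case "$1" in
        KSK) printf '%s' '-r /dev/urandom -a RSASHA256 -b 2048 -n ZONE -f KSK' ;;
        ZSK) printf '%s' '-r /dev/urandom -a RSASHA256 -b 1024 -n ZONE' ;;
        *)   echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Full command line for display; -K puts the key files in the zone directory.
keygen_cmd() {
    printf 'dnssec-keygen %s -K %s %s\n' "$(keygen_flags "$1")" "$3" "$2"
}

# Run dnssec-keygen for a role/zone/dir (flags are constants, so word
# splitting of $(keygen_flags) is intentional and safe).
run_keygen() {
    # shellcheck disable=SC2046
    dnssec-keygen $(keygen_flags "$1") -K "$3" "$2"
}

# Zone stanza in the same shape as Mark's: keys beside the zone file,
# auto-dnssec maintain for automatic ZSK rollover, inline-signing so the
# unsigned master file stays editable with legacy tools.
zone_stanza() {
    zone=$1
    cat <<EOF
zone "$zone" {
    type master;
    file "$ZONE_ROOT/$zone/db.$zone";
    key-directory "$ZONE_ROOT/$zone";
    auto-dnssec maintain;
    inline-signing yes;
};
EOF
}

# Read a .key file on stdin and report role and algorithm from the DNSKEY
# record, e.g. "posix.co.za. IN DNSKEY 257 3 8 AwEA..." -> "KSK alg=8".
# Lines starting with ';' are comments and are skipped by the field scan.
key_role() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "DNSKEY") {
               f = $(i+1); a = $(i+3)
               print (f == 257 ? "KSK" : (f == 256 ? "ZSK" : "UNKNOWN")) " alg=" a
               exit } }'
}

# Create the zone directory, generate both keys, verify them, print stanza.
setup_zone() {
    zone=$1
    dir="$ZONE_ROOT/$zone"
    mkdir -p "$dir"
    for role in KSK ZSK; do
        keygen_cmd "$role" "$zone" "$dir"
        run_keygen "$role" "$zone" "$dir"
    done
    for k in "$dir"/K"$zone".+*.key; do
        printf '%s: ' "$k"
        key_role < "$k"
    done
    zone_stanza "$zone"
}

if [ -n "${1:-}" ]; then
    command -v dnssec-keygen >/dev/null 2>&1 || { echo "dnssec-keygen not found" >&2; exit 1; }
    setup_zone "$1"
fi
```

Usage: `ZONE_ROOT=/etc/namedb/pri sh setup_zone.sh posix.co.za`. Check the printed roles: exactly one line should say KSK and one ZSK, both with alg=8; if a key shows alg=5 it was made with RSASHA1 and should be discarded before named ever loads it, since an algorithm rollover later is the harder path.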
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list