In message <20130210225742.ga9...@bewilderbeast.blackhelicopters.org>, "Michael W. Lucas" writes:
> Hi,
>
> Is there a way to set up a private trust anchor for internal-only
> zones with BIND 9.9?
>
> I have some local and RFC1918 zones that I'd like to secure. It seems
> I should be able to configure a private trust anchor and use that key
> to sign these zones.
>
> I've found related docs, like draft-jabley-dnssec-trust-anchor-06,
> which has great gobs of theory, but nothing on how to actually do this
> with BIND.
>
> Has anyone done this? Or is this just daft?
>
> Thanks,
> ==ml
This is no different than creating any other island of trust.

You generate the keys for the zone. For IN-ADDR.ARPA zones there is no
point in using NSEC3.

    # ZSK, then KSK, written to the key directory named uses
    dnssec-keygen -K /var/named/keys 10.in-addr.arpa
    dnssec-keygen -K /var/named/keys -f KSK 10.in-addr.arpa

You add the keys to the zone. You sign the zone and arrange for named to
re-sign the zone automatically for you. You can use "inline-signing yes;"
or configure the zone to accept dynamic updates.

    options {
        key-directory "/var/named/keys";
    };

    zone "10.in-addr.arpa" {
        type master;
        file "master/10.in-addr.arpa";
        auto-dnssec maintain;   # named loads keys from key-directory and keeps signatures fresh
        update-policy local;    # dynamic zone, so named can rewrite it (rndc/nsupdate -l)
    };

    # the rndc subcommand is "sign" ("signzone" is not an rndc command;
    # dnssec-signzone is the separate offline signing tool)
    rndc sign 10.in-addr.arpa

You add trusted keys clauses to your recursive servers.

    trusted-keys {
        # <KSK info> = flags protocol algorithm "base64 key", copied from the
        # DNSKEY line of the KSK's K10.in-addr.arpa.+NNN+NNNNN.key file
        10.in-addr.arpa <KSK info>;
    };

> --
> Michael W. Lucas
> http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
> Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
> mwlu...@michaelwlucas.com, Twitter @mwlauthor

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
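The last step in the reply, filling in the trusted-keys clause, is where mistakes usually happen: pasting the ZSK instead of the KSK, or a key whose tag does not match the file it came from. The following is an added example (not Mark's code, and not part of BIND) that reads a dnssec-keygen .key file, refuses anything that is not a KSK (flags 257, protocol 3), computes the RFC 4034 key tag so it can be cross-checked against the K10.in-addr.arpa.+NNN+NNNNN.key file name, and emits the clause. The key file and its public key bytes are constructed for the example and are far too short to be a real key.

```python
import base64

# Constructed sample of the kind of .key file "dnssec-keygen -f KSK" writes
# (K10.in-addr.arpa.+008+59933.key). The public key bytes are made up and
# far too short for real RSA; they only exercise the parsing and key tag.
SAMPLE_PUBKEY = bytes.fromhex("03010001c0ffee1234")
SAMPLE_KEY_FILE = (
    "; This is a key-signing key, keyid 59933, for 10.in-addr.arpa.\n"
    "10.in-addr.arpa. IN DNSKEY 257 3 8 "
    + base64.b64encode(SAMPLE_PUBKEY).decode() + "\n"
)

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(text):
    """Return (owner, flags, protocol, algorithm, pubkey bytes) of the first DNSKEY RR."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")  # owner [TTL] [class] DNSKEY flags proto alg key...
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        return fields[0], flags, proto, alg, base64.b64decode("".join(fields[i + 4:]))
    raise ValueError("no DNSKEY record found")

def trusted_keys_clause(text):
    """Build the trusted-keys clause for the KSK in a .key file; returns (tag, clause)."""
    owner, flags, proto, alg, pubkey = parse_dnskey(text)
    if proto != 3:
        raise ValueError(f"protocol must be 3, got {proto}")
    if flags & 0x100 == 0 or flags & 0x001 == 0:
        # bit 7 (256) = zone key, bit 15 (1) = SEP: anchor the KSK (257), not the ZSK (256)
        raise ValueError(f"flags {flags}: not a KSK (expected 257)")
    tag = key_tag(flags, proto, alg, pubkey)
    if not owner.endswith("."):
        owner += "."
    b64 = base64.b64encode(pubkey).decode()
    clause = f'trusted-keys {{\n    "{owner}" {flags} {proto} {alg} "{b64}";\n}};\n'
    return tag, clause

def key_file_name(owner, alg, tag):
    """File name dnssec-keygen uses, to cross-check against the file you read."""
    return f"K{owner}+{alg:03d}+{tag:05d}.key"
```

If key_file_name() does not match the file you copied from, you have the wrong key or a mangled paste; fix that before loading the clause into the recursive servers.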