regarding my OT question for dnssec-keymgmr:

I found it 😊 

I had to enable the python option (Build with python utilities) when building 
the port

 

/BR

Philippe

 

 

 

From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Philippe 
Maechler
Sent: Friday, December 21, 2018 2:33 PM
To: bind-users@lists.isc.org
Subject: FW: Bind9.11: dnssec inline signing, cds records and catalog zones

 

Hello bind-users

 

The previous mail was sent from a foreign address and need the approval of a 
moderator. Therefor I cancelled the submission and resending this mail with the 
correct address.

 

 

Since a few years I’d like to activate dnssec for our zones but didn’t made the 
changes, because of the maintenance tasks that are needed (what happens if I’m 
not around and something goes wrong?)

 

Some background info:

 

There is a small web portal on our master server, where we have all our zones 
in a database. A script periodically checks if we have some changes and if we 
have them, the scripts generates:

*       The catalog-zone file
*       The zone file
*       Our named.zones.conf

 

If dnssec is enabled for the zone, the entry in named.zones.conf looks like 
that:

 

zone "example.ch." { 

        type master; 

        file "/usr/local/etc/namedb/master/example.ch.db";

        masterfile-format text;

        notify yes;

        also-notify { 192.168.x.a; 192.168.x.b; 192.168.x.c; 192.168.x.d;  };

        allow-transfer { xfer; };

 

       # look for dnssec keys here:

        key-directory "/usr/local/etc/namedb/keys/example.ch";

 

        # use inline signing:

        inline-signing yes;

 

        # publish and activate dnssec keys:

        auto-dnssec maintain;

};

 

 

This server is not public. It’s a ā€œhidden masterā€ for our public servers. New 
zones are ā€œdeployedā€ in the cat-zone. With this way we have most of the stuff 
automated and don’t have to enable new zones on the slave servers.

 

Back to dnssec

 

I then have to create the keys:

dnssec-keygen -a ECDSAP256SHA256 -b 2048 -3 example.ch           # ZSK

dnssec-keygen -a ECDSAP256SHA256 -b 2048 -3 -fk example.ch       # KSK

 

With this setup, I get the example.ch.db.signed, the .signed.jnl and .jbk 
files. A simple check shows that the dnssec records are present

named-compilezone -f raw -F text -o example.ch.text example.ch 
example.ch.db.signed && less example.ch.text

 

I then have to manually insert the NSEC3PARAM, otherwise the zone is ā€œonlyā€ 
signed with NSEC.

rndc signing -nsec3param 1 0 10 0123456789ABCDEF example.ch.

 

Question:

Is there a direct way to set the NSEC3PARAM?

 

Switch, the registry for .ch and .li domains is using/testing CDS records. Can 
I tell named, to create the CDS Records for me?

 

If not, what would be the right way to insert them?

dig @127.0.0.1 dnskey example.ch | dnssec-dsfromkey -f - example.ch

 

example.ch. IN DS 29530 13 1 2FECA428ABA7C9507909AC6ED37B12233575A143

example.ch. IN DS 29530 13 2 
5EF2BD239DF5104B12DD0FC8BE671067C52D378C05D4B81C9AF33A77FD5A5356

 

I then would create these two new records in example.ch:

example.ch. IN CDS 29530 13 1 2FECA428ABA7C9507909AC6ED37B12233575A143

example.ch. IN CDS 29530 13 2 
5EF2BD239DF5104B12DD0FC8BE671067C52D378C05D4B81C9AF33A77FD5A5356

 

And every time I create or activate new keys, I have to manually add the CDS 
records, right?

 

 

 

* The domain used for testing is a .ch domain, but not example.ch

 

 

Maybe someone can help me with this, slightly off topic question:

I’m using FreeBSD 11.2 and bind9.11.5 from the ports dir. ISC announced 
dnssec-keymgr with bind 9.11, which would make the ā€œmaintenance taskā€ doe keys 
easier. 

Unfortunately I can’t find this tool on my box and there is no other port like 
bind9-tools. 

Do I have to compile that by hand?

 

 

Tia

Philippe

 

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to