Regarding my OT question for dnssec-keymgr:

I found it 😊

I had to enable the python option (Build with python utilities) when building 
the port

 

/BR

Philippe

From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Philippe 
Maechler
Sent: Friday, December 21, 2018 2:33 PM
To: bind-users@lists.isc.org
Subject: FW: Bind9.11: dnssec inline signing, cds records and catalog zones

Hello bind-users

The previous mail was sent from a foreign address and needs the approval of a 
moderator. Therefore I cancelled the submission and am resending this mail with 
the correct address.

For a few years I've wanted to activate dnssec for our zones but didn't make the 
changes, because of the maintenance tasks that are needed (what happens if I'm 
not around and something goes wrong?)

Some background info:

There is a small web portal on our master server, where we have all our zones 
in a database. A script periodically checks if we have some changes and if so, 
the script generates:

* The catalog-zone file
* The zone file
* Our named.zones.conf

If dnssec is enabled for the zone, the entry in named.zones.conf looks like 
this:

zone "example.ch." {
        type master;
        file "/usr/local/etc/namedb/master/example.ch.db";
        masterfile-format text;
        notify yes;
        also-notify { 192.168.x.a; 192.168.x.b; 192.168.x.c; 192.168.x.d; };
        allow-transfer { xfer; };

        # look for dnssec keys here:
        key-directory "/usr/local/etc/namedb/keys/example.ch";

        # use inline signing:
        inline-signing yes;

        # publish and activate dnssec keys:
        auto-dnssec maintain;
};

This server is not public. It's a "hidden master" for our public servers. New 
zones are "deployed" in the cat-zone. This way we have most of the stuff 
automated and don't have to enable new zones on the slave servers.

Back to dnssec

I then have to create the keys:

dnssec-keygen -a ECDSAP256SHA256 -b 2048 -3 example.ch           # ZSK (-b is not needed for ECDSA keys)
dnssec-keygen -a ECDSAP256SHA256 -b 2048 -3 -fk example.ch       # KSK

With this setup, I get the example.ch.db.signed, the .signed.jnl and .jbk 
files. A simple check shows that the dnssec records are present:

named-compilezone -f raw -F text -o example.ch.text example.ch example.ch.db.signed && less example.ch.text

I then have to manually insert the NSEC3PARAM, otherwise the zone is "only" 
signed with NSEC.

rndc signing -nsec3param 1 0 10 0123456789ABCDEF example.ch.

Question:

Is there a direct way to set the NSEC3PARAM?

Switch, the registry for .ch and .li domains, is using/testing CDS records. Can 
I tell named to create the CDS records for me?

If not, what would be the right way to insert them?

dig @127.0.0.1 dnskey example.ch | dnssec-dsfromkey -f - example.ch

example.ch. IN DS 29530 13 1 2FECA428ABA7C9507909AC6ED37B12233575A143
example.ch. IN DS 29530 13 2 5EF2BD239DF5104B12DD0FC8BE671067C52D378C05D4B81C9AF33A77FD5A5356

I then would create these two new records in example.ch:

example.ch. IN CDS 29530 13 1 2FECA428ABA7C9507909AC6ED37B12233575A143
example.ch. IN CDS 29530 13 2 5EF2BD239DF5104B12DD0FC8BE671067C52D378C05D4B81C9AF33A77FD5A5356

And every time I create or activate new keys, I have to manually add the CDS 
records, right?

* The domain used for testing is a .ch domain, but not example.ch

Maybe someone can help me with this slightly off-topic question:

I'm using FreeBSD 11.2 and bind9.11.5 from the ports dir. ISC announced 
dnssec-keymgr with bind 9.11, which would make the "maintenance task" for keys 
easier.

Unfortunately I can't find this tool on my box and there is no other port like 
bind9-tools.

Do I have to compile that by hand?

Tia

Philippe

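The CDS lines the mail builds by hand (dig | dnssec-dsfromkey, then pasting into the zone) can be produced by the same script that already writes the zone file. As an added example, not part of the original mail or of BIND's own tools, here is the RFC 4034 DS/CDS computation in Python: key tag from the DNSKEY RDATA (Appendix B) and digest over the canonical owner name plus RDATA (section 5.1.4). The DNSKEY used is a constructed placeholder (64 zero bytes, not a real key); the digest arithmetic does not depend on the key being valid.

```python
"""Derive DS/CDS records from a DNSKEY RR, as dnssec-dsfromkey does (RFC 4034)."""
import base64
import hashlib
import struct

# Constructed sample: a KSK (flags 257), protocol 3, algorithm 13 (ECDSAP256SHA256).
# The public key is 64 zero bytes, i.e. NOT a real key, only placeholder bytes.
SAMPLE_OWNER = "example.ch."
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 13
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(64)).decode()

# DS digest types from RFC 4034 / RFC 4509: 1 = SHA-1, 2 = SHA-256.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical form: lower-case, uncompressed, length-prefixed labels."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    return DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def cds_records(owner, flags, proto, alg, pubkey_b64, rrtype="CDS"):
    """One presentation-format line per digest type; rrtype='DS' gives the parent-side form."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    tag = key_tag(rdata)
    return [f"{owner} IN {rrtype} {tag} {alg} {dt} {ds_digest(owner, rdata, dt)}"
            for dt in sorted(DIGEST_TYPES)]


if __name__ == "__main__":
    for line in cds_records(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, SAMPLE_PUBKEY_B64):
        print(line)
```

Digest type 1 (SHA-1) is only produced here to match the two-line dnssec-dsfromkey output shown in the mail; for a new delegation only the type 2 record needs to be published.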
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users