regarding my OT question for dnssec-keymgmr:
I found it š
I had to enable the python option (Build with python utilities) when building
the port
/BR
Philippe
From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Philippe
Maechler
Sent: Friday, December 21, 2018 2:33 PM
To: bind-users@lists.isc.org
Subject: FW: Bind9.11: dnssec inline signing, cds records and catalog zones
Hello bind-users
The previous mail was sent from a foreign address and need the approval of a
moderator. Therefor I cancelled the submission and resending this mail with the
correct address.
Since a few years Iād like to activate dnssec for our zones but didnāt made the
changes, because of the maintenance tasks that are needed (what happens if Iām
not around and something goes wrong?)
Some background info:
There is a small web portal on our master server, where we have all our zones
in a database. A script periodically checks if we have some changes and if we
have them, the scripts generates:
* The catalog-zone file
* The zone file
* Our named.zones.conf
If dnssec is enabled for the zone, the entry in named.zones.conf looks like
that:
zone "example.ch." {
type master;
file "/usr/local/etc/namedb/master/example.ch.db";
masterfile-format text;
notify yes;
also-notify { 192.168.x.a; 192.168.x.b; 192.168.x.c; 192.168.x.d; };
allow-transfer { xfer; };
# look for dnssec keys here:
key-directory "/usr/local/etc/namedb/keys/example.ch";
# use inline signing:
inline-signing yes;
# publish and activate dnssec keys:
auto-dnssec maintain;
};
This server is not public. Itās a āhidden masterā for our public servers. New
zones are ādeployedā in the cat-zone. With this way we have most of the stuff
automated and donāt have to enable new zones on the slave servers.
Back to dnssec
I then have to create the keys:
dnssec-keygen -a ECDSAP256SHA256 -b 2048 -3 example.ch # ZSK
dnssec-keygen -a ECDSAP256SHA256 -b 2048 -3 -fk example.ch # KSK
With this setup, I get the example.ch.db.signed, the .signed.jnl and .jbk
files. A simple check shows that the dnssec records are present
named-compilezone -f raw -F text -o example.ch.text example.ch
example.ch.db.signed && less example.ch.text
I then have to manually insert the NSEC3PARAM, otherwise the zone is āonlyā
signed with NSEC.
rndc signing -nsec3param 1 0 10 0123456789ABCDEF example.ch.
Question:
Is there a direct way to set the NSEC3PARAM?
Switch, the registry for .ch and .li domains is using/testing CDS records. Can
I tell named, to create the CDS Records for me?
If not, what would be the right way to insert them?
dig @127.0.0.1 dnskey example.ch | dnssec-dsfromkey -f - example.ch
example.ch. IN DS 29530 13 1 2FECA428ABA7C9507909AC6ED37B12233575A143
example.ch. IN DS 29530 13 2
5EF2BD239DF5104B12DD0FC8BE671067C52D378C05D4B81C9AF33A77FD5A5356
I then would create these two new records in example.ch:
example.ch. IN CDS 29530 13 1 2FECA428ABA7C9507909AC6ED37B12233575A143
example.ch. IN CDS 29530 13 2
5EF2BD239DF5104B12DD0FC8BE671067C52D378C05D4B81C9AF33A77FD5A5356
And every time I create or activate new keys, I have to manually add the CDS
records, right?
* The domain used for testing is a .ch domain, but not example.ch
Maybe someone can help me with this, slightly off topic question:
Iām using FreeBSD 11.2 and bind9.11.5 from the ports dir. ISC announced
dnssec-keymgr with bind 9.11, which would make the āmaintenance taskā doe keys
easier.
Unfortunately I canāt find this tool on my box and there is no other port like
bind9-tools.
Do I have to compile that by hand?
Tia
Philippe
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
