>>>>> On Wed, 13 Aug 2008 19:21:44 +0200, Ralf Weber <[EMAIL PROTECTED]> said:

RW> Hmm, assuming that we both did use the same name server software my
RW> experiences are different. Compared to regular DNS setting up and more
RW> importantly maintaining DNSSEC is much more work than normal DNS stuff
RW> (zone resigning, key rollover). I am not saying that the cost
RW> generally outweighs the benefit, but with the current tools it is
RW> hard to justify DNSSEC usage, at least for the majority of ISPs out
RW> there. But I do hope that the tools get better and thus the cost of
RW> deploying DNSSEC decreases and we will all happily use it and can
RW> justify its usage.

I suspect there are many different tools out there and some are easier
than others.  Here's a screen dump of stuff that works easily for me:

  # yum install dnssec-tools

  # head example.com
  $TTL 3600
  ; File written on Thu Dec 23 14:13:02 2004
  ; dnssec_signzone version 9.3.0
  example.com.    600     IN SOA  test.example.com. admin.example.com. (
                                          2004121002 ; serial
                                          7200       ; refresh (2 hours)
                                          3600       ; retry (1 hour)
                                          604800     ; expire (1 week)
                                          600        ; minimum (10 minutes)
                                          )
  # zonesigner -genkeys example.com

          if zonesigner appears hung, strike keys until the program completes
          (see the "Entropy" section in the man page for details)


  zone signed successfully

  example.com:
          KSK (cur) 36712  -b 2048  08/13/08      (example.com-signset-3)
          ZSK (cur) 01857  -b 1024  08/13/08      (example.com-signset-1)
          ZSK (pub) 53523  -b 1024  08/13/08      (example.com-signset-2)

  zone will expire in 4 weeks, 2 days, 0 seconds
  DO NOT delete the keys until this time has passed.


  # cp example.com.signed /etc/named/

  # rndc reload


Oh wait...  I need another record and need to resign...

  # echo "test.example.com. 1D IN A 127.0.0.1" >> example.com

  # zonesigner example.com
          if zonesigner appears hung, strike keys until the program completes
          (see the "Entropy" section in the man page for details)


  zone signed successfully

  example.com:
          KSK (cur) 36712  -b 2048  08/13/08      (example.com-signset-3)
          ZSK (cur) 01857  -b 1024  08/13/08      (example.com-signset-1)
          ZSK (pub) 53523  -b 1024  08/13/08      (example.com-signset-2)

  zone will expire in 4 weeks, 2 days, 0 seconds
  DO NOT delete the keys until this time has passed.

  # cp example.com.signed /etc/named/

  # rndc reload


Not too hard really.  The only thing you need to add to your current
step for distributing a zone is one new line (the zonesigner line).  The
hardest thing you need to do, IMHO, is make sure you redistribute a new
zone before the current set of stuff expires.  I.e., publish it once a
month (using the default setup shown above).  And if that's the hardest
thing for me to do then I don't consider that hard.
-- 
"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
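The one operational risk the message above calls out is letting the signatures in the published zone expire before a freshly signed copy is redistributed. As an added example (not code from the thread, from dnssec-tools, or from BIND), the script below parses the RRSIG records of a signed zone file and reports the ones that have expired or will expire within a chosen window, so the "once a month" resign can be checked against what is actually being served. The zone text is a constructed sample in the shape of an `example.com.signed` file: the timestamps and signature bytes are made up, and the key tag reuses the ZSK tag printed by zonesigner in the session above only for familiarity. It reads the RRSIG presentation format from RFC 4034 (type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature); multi-line records in parentheses are joined first.

```python
"""Added example (not from the thread): scan a signed zone file for RRSIG
records that expire soon, so the zone gets re-signed and redistributed in time."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what an example.com.signed file might look like;
# timestamps, key tag and signature bytes are made up for illustration.
SAMPLE_ZONE = """\
$TTL 3600
example.com.    600 IN SOA test.example.com. admin.example.com. (
                        2008081301 ; serial
                        7200 3600 604800 600 )
example.com.    600 IN RRSIG SOA 5 2 600 20080912192144 (
                        20080813192144 1857 example.com.
                        AbCdEf0123456789+/ABCDEFGHIJKLMNOP
                        QRSTUVWXYZabcdef0123456789+/abcd== )
test.example.com. 86400 IN A 127.0.0.1
test.example.com. 86400 IN RRSIG A 5 3 86400 20080820000000 (
                        20080813000000 1857 example.com.
                        ZyXwVu9876543210+/ZYXWVUTSRQPONMLK
                        JIHGFEDCBAzyxwvu9876543210+/zyxw== )
"""

# RRSIG presentation format (RFC 4034 section 3.2):
#   owner [ttl] [IN] RRSIG type alg labels origttl expiration inception keytag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(?P<covered>\S+)\s+"
    r"\d+\s+\d+\s+\d+\s+(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)\s+(?P<sig>.+)$"
)


def _ts(s):
    """Parse a YYYYMMDDHHMMSS timestamp (UTC, as used in RRSIG records)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def logical_lines(text):
    """Join parenthesised multi-line records into one line each, dropping ';' comments."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]  # naive comment strip; the sample has no quoted strings
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(" ".join(buf).split())
            if joined:
                records.append(joined)
            buf, depth = [], 0
    return records


def parse_rrsigs(text):
    """Return one dict per RRSIG record found in the zone text."""
    sigs = []
    for rec in logical_lines(text):
        m = RRSIG_RE.match(rec)
        if m:
            sigs.append({
                "owner": m["owner"], "covered": m["covered"],
                "keytag": int(m["keytag"]), "signer": m["signer"],
                "inception": _ts(m["inc"]), "expiration": _ts(m["exp"]),
            })
    return sigs


def check_zone(text, now, warn_days=7):
    """List (owner, covered type, key tag, days left) for signatures that have
    already expired (negative days) or expire within warn_days, soonest first.
    `now` may be a datetime or a YYYYMMDDHHMMSS string."""
    if isinstance(now, str):
        now = _ts(now)
    horizon = now + timedelta(days=warn_days)
    hits = []
    for s in parse_rrsigs(text):
        if s["expiration"] <= horizon:
            days_left = round((s["expiration"] - now).total_seconds() / 86400, 1)
            hits.append((s["owner"], s["covered"], s["keytag"], days_left))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    # Pretend today is two days after the session in the thread; warn a month ahead.
    for owner, rtype, tag, days in check_zone(SAMPLE_ZONE, "20080815000000", warn_days=30):
        state = "EXPIRED" if days < 0 else f"{days} days left"
        print(f"{owner} {rtype} (key {tag}): {state}")
```

Run against the real `example.com.signed` copied into `/etc/named/`, and set `warn_days` larger than the interval between your resign runs, so that a skipped run shows up before validating resolvers start returning SERVFAIL for the zone. The script only reports; it does not decide anything about key rollover, which is a separate schedule from signature expiry.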