On Thu, Jul 10, 2008 at 10:22 AM, Wes Hardaker <[EMAIL PROTECTED]> wrote: >>>>>> On Wed, 9 Jul 2008 22:55:05 -0400, "Christopher Morrow" <[EMAIL >>>>>> PROTECTED]> said: > >>>> aside from just getting some cctlds signed, i will be interested in the >>>> tools, usability, work flow, ... i.e. what is it like for a poor >>>> innocent cctld which wants to sign their zone? >>> >>> If there is sufficient interest, we could do a bar bof to describe some of >>> the tools IANA has... >>> > > CM> I think Sandy Murphy or other Sparta folks have presented some of the > CM> work they've done on this... Perhaps finding one/some of them and > CM> having a more operations focused presentation in LAX or ... is a good > CM> idea as well? > > The tools that Sparta developed (and made freely available via an open > source packaged that is BSD licensed) can be found at > http://www.dnssec-tools.org/ . In particular, signing a zone is
yup, and that's helpful stuff. > intended to be easy using "zonesigner" (requires bind tools): > > zonesigner -genkeys db.example.com > great... what about a zone that's getting slaved off of a silent master at the customer site? how does that get integrated? (customer does the dns-sec magic, my server validates the updates... config examples help here) > Then next time, just leave off the -genkeys argument. > > (there is also a daemon called "rollerd" that can auto-sign on a regular > basis and help automate key-rollever timing) > nice, extra load induced on server? impact on the number of zones I can serve? tinydns compatible? db-backended NS daemon support? > The full list of tools and tutorials sectioned into different needs can > be found here: > > http://www.dnssec-tools.org/wiki/index.php/Tutorials > great :) > > All for free. Don't you hate those ??biased??, freely-available, > source-code-supplied-so-you-can-change-it, BSD-licensed open source > packages? > -- I like free... as long as it's the hammer I need for the nails I have. -Chris
