On Oct 21, 2013, at 22:39, Matthias-Christian Ott wrote:
Could you
please describe what you are trying to achieve (without going into implementation
details)?
I have a handful of zones, I want to use dynamic updates while the zones
are DNSSEC signed. DNSSEC is complicated enough so I want to eliminate
any manual work (key rollover, resigning etc.) — humans make mistakes
and I don't need this for DNS :). Knot DNS can't execute custom binaries
(XML-RPC call against the API of the registrar to replace keys on KSK
rollover) and (as far as I understand from the documentation) doesn't
perform any automatic KSK rollover. It seems OpenDNSSEC can do what I
want. However, it requires a hidden primary which accepts the updates,
transfers the zones to OpenDNSSEC which in turn transfers the zones to a
slave that finally serves the zones. This is a quite complex setup
(especially because most init scripts only support one instance of a
daemon and two DNS servers are required on the same machine).
Is there a simpler solution? Is a hidden primary really the only
possible architecture? Do you think Knot DNS or any DNS server that
accepts dynamic updates can sign zones via OpenDNSSEC differently (e.g.
removing all signatures before it transfers the zones to OpenDNSSEC)?
Are there perhaps alternatives to OpenDNSSEC that can do what I want (I
guess not, except extending Knot DNS to support automatic KSK rollovers,
executing custom scripts and binaries and possibly PKCS#11)?
So, while I'm well aware that this is not what is currently being planned for
Knot-DNS, this is my view on the topic:
I like simple things. I like tools that do one thing well, rather than too many things
less well. I.e. basically the "Unix tradition" of simple tools together with
powerful mechanisms for combining several tools into more complex operations. For that
reason I like authoritative servers that *only* provide authoritative service, without all
the bells and whistles of dealing with keys, PKCS#11, rollovers, etc. The reason that I
want simple things is that the alternative, i.e. "complex", always carries costs.
Costs in performance, costs in bugs, costs in more potential for misconfiguration, costs
in increased difficulty in maintaining the source without adding new problems, etc, etc.
In fact, I prefer an authoritative server that simply does not modify the zone, i.e. only
serves the data. Full stop. I.e. the ultimate "slave server". (I also want the
ultimate master server).
Another thing I don't like is to have to modify an established and debugged process,
especially one which involves humans, custom scripts and other stuff that breaks. Today
the design with a "master" where zone changes are applied (regardless of whether
it is by reloading a zone file, applying dynamic updates or generating from some other
source) followed by zone transfer to "slaves" that don't modify contents
and only serve the stuff is very well established.
To switch this design to use DNSSEC the minimal change is to add a "signer" as a
bump-on-the-wire between "master" and "slaves". No change to the
master and the only change to the slaves is that they need to source the zone from the
signer instead of the master.
I.e. from my point-of-view the design that you apparently don't like IS the simplest
solution, in particular as you're dependent on dynamic updates. In particular these
days when the cost of a "hidden master" is basically zero, as that's just
another virtual machine somewhere.
That is not to say that OpenDNSSEC is simple (it is not). I'd really like to have good
alternatives for the "signer" component and if NIC.CZ could be tickled to look
into a separate "signer" as opposed to adding all the signer complexity into the
standard authoritative server which is Knot-DNS then I'd be delighted. But right now
the plan seems to be to emulate everything BIND9 does, both the good parts and the bad
(except the recursive part obviously).
But, this said, I really, really don't want this to be read as a complaint. I really
like Knot-DNS and have great hopes for it. Everyone is obviously entitled to develop
whatever they want. So, if what I want is different from what others want, the onus is
basically on me to put down the hours or the money to get what I want. Which I haven't
done.
Regards,
Johan
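The bump-on-the-wire design discussed in this thread has an invariant an operator can check: the signer must leave every non-DNSSEC record of the master's zone untouched and only add keys, signatures and denial-of-existence records (plus a bumped SOA serial). The following is an added example, not code from the thread, from OpenDNSSEC or from Knot DNS; it assumes both zones are available in presentation format with one record per line, as `dig axfr` prints them, and the sample zones are constructed.

```python
# Added example (not from the thread, OpenDNSSEC or Knot DNS): verify that a "signer" placed
# between the hidden master and the slaves is a pure bump-on-the-wire, i.e. its AXFR output
# is the master's zone plus signer-generated record types and a non-decreasing SOA serial.
SIGNER_TYPES = {"RRSIG", "DNSKEY", "NSEC", "NSEC3", "NSEC3PARAM"}

def parse_zone(text):
    """Parse one-record-per-line presentation format into (owner, ttl, class, type, rdata) tuples."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if line:
            owner, ttl, klass, rtype, rdata = line.split(None, 4)
            records.add((owner.lower(), int(ttl), klass.upper(), rtype.upper(), rdata))
    return records

def soa_serial(records):
    return next(int(r[4].split()[2]) for r in records if r[3] == "SOA")

def normalize(records):
    """Drop signer-generated types and mask the SOA serial, which the signer is allowed to bump."""
    out = set()
    for owner, ttl, klass, rtype, rdata in records:
        if rtype in SIGNER_TYPES:
            continue
        if rtype == "SOA":
            f = rdata.split(); f[2] = "SERIAL"; rdata = " ".join(f)
        out.add((owner, ttl, klass, rtype, rdata))
    return out

def check_signer_transparent(master_text, signer_text):
    """Return a list of problems; an empty list means the signer only added DNSSEC data."""
    master, signed = parse_zone(master_text), parse_zone(signer_text)
    problems = []
    if soa_serial(signed) < soa_serial(master):
        problems.append("signer lowered the SOA serial")
    if not any(r[3] == "RRSIG" for r in signed):
        problems.append("signer output has no RRSIG records")
    m, s = normalize(master), normalize(signed)
    problems += ["dropped by signer: %s %s %s" % (r[0], r[3], r[4]) for r in sorted(m - s)]
    problems += ["added by signer: %s %s %s" % (r[0], r[3], r[4]) for r in sorted(s - m)]
    return problems

# Constructed sample zones; the base64 fields are placeholders, not real keys or signatures.
MASTER_ZONE = """
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2013102101 7200 900 1209600 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 300 IN A 192.0.2.10
"""
SIGNED_ZONE = """
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2013102102 7200 900 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20131121000000 20131022000000 12345 example.com. PLACEHOLDER==
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN DNSKEY 257 3 8 PLACEHOLDER==
example.com. 3600 IN NSEC www.example.com. NS SOA RRSIG NSEC DNSKEY
www.example.com. 300 IN A 192.0.2.10
"""
```

Run `check_signer_transparent()` on the master's and the signer's AXFR output after each resigning; any non-empty result means the signer changed zone content rather than just signing it.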