Hi Matthias-Christian,
we are certainly working on ZSK rollovers, KSK rollovers (we would like to support
Warren's CDS/CDNSKEY proposal[1]) and PKCS#11, but it's going to take some time.
But I think it will be delivered sooner (my rough guess is mid 2014) than there will be
need to roll the keys (there's really no strong need to roll either the ZSK or the
KSK for crypto reasons if you pick strong enough key sizes).
For an alternative solution I would propose to look at OpenDNSSEC 1.4.x. As far as I
remember there was a plan to support dynamic updates in 1.4.x (or maybe it was 2.0.x?).
But to tell the truth I will be dropping OpenDNSSEC for my (personal) zones as soon as the
DNSSEC support stabilizes (e.g. when we release Knot DNS 1.4.0 final).
Cheers,
Ondrej
[1] http://tools.ietf.org/html/draft-kumari-ogud-dnsop-cds-05
On 21. 10. 2013, at 22:39, Matthias-Christian Ott <ott(a)mirix.org> wrote:
On 2013-10-21 10:05, Ondřej Surý wrote:
> Hi Matthias-Christian,
Hi Ondřej,
> we would be happy to help you, but you didn't
> state your problem.
> Could you please describe what are you trying to achieve (without going into
> implementation details)?
I have a handful of zones, I want to use dynamic updates while the zones
are DNSSEC signed. DNSSEC is complicated enough so I want to eliminate
any manual work (key rollover, resigning etc.) — humans make mistakes
and I don't need this for DNS :). Knot DNS can't execute custom binaries
(XML-RPC call against the API of the registrar to replace keys on KSK
rollover) and (as far as I understand from the documentation) doesn't
perform any automatic KSK rollover. It seems OpenDNSSEC can do what I
want. However, it requires a hidden primary which accepts the updates,
transfers the zones to OpenDNSSEC which in turn transfers the zones to a
slave that finally serves the zones. This is quite a complex setup
(especially because most init scripts only support one instance of a
daemon and two DNS servers are required on the same machine).
Is there a simpler solution? Is a hidden primary really the only
possible architecture? Do you think Knot DNS or any DNS server that
accepts dynamic updates can sign zones via OpenDNSSEC differently (e.g.
removing all signatures before it transfers the zones to OpenDNSSEC)?
Are there perhaps alternatives to OpenDNSSEC that can do what I want (I
guess not, except extending Knot DNS to support automatic KSK rollovers,
executing custom scripts and binaries and possibly PKCS#11)?
Regards,
Matthias-Christian
> On 20. 10. 2013, at 15:55, Matthias-Christian Ott
> <ott(a)mirix.org> wrote:
>> Hi,
>>
>> without DNS UPDATE OpenDNSSEC can be configured to read an unsigned zone
>> file, sign it and reload the zone [1]. With DNS UPDATE it gets more
>> complicated. It seems that you have to run a hidden primary that
>> receives the updates and transfers the unsigned zones to OpenDNSSEC
>> which in turn transfers the zones to a slave server. There are some
>> alternatives if you manipulate zone files with custom scripts.
>>
>> While a hidden primary may be acceptable and zone transfers are probably
>> the most reliable solution, it is overkill for my use case and adds
>> too much complexity. I could use Knot DNS to sign the zones, but it
>> doesn't automate KSK rollovers and I need to execute a custom binary to
>> update the keys at the registrar which is also not supported. Perhaps
>> Knot DNS could remove all DNSSEC RRs before it transfers the zone to
>> OpenDNSSEC, but it's kind of a hack and I'm not sure if this is a good idea.
>>
>> OpenDNSSEC also delayed support for dynamic updates to 2.x, which means
>> 2014 or later. So this is not an option.
>>
>> Does anyone have suggestions to solve this problem?
>>
>> Regards,
>> Matthias-Christian
>>
>> [1] http://www.bortzmeyer.org/opendnssec-nsd.html
--
Ondřej Surý -- Chief Science Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury@nic.cz
http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------
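The thread floats, with reservations, the idea of stripping all DNSSEC RRs from a zone before handing it to a signer such as OpenDNSSEC. As an added example (not code from the thread, from Knot DNS or from OpenDNSSEC), the following Python script shows what such a filter actually has to handle in a presentation-format zone file: optional owner, TTL and class fields, multi-line records in parentheses, and `;` or parentheses inside quoted TXT data. The sample zone, its placeholder key and signature data, and all function names are constructed for this example.

```python
"""Strip DNSSEC-generated RRs from a presentation-format (RFC 1035) zone file.

Added example for the thread above; not code from Knot DNS, OpenDNSSEC or
any poster. It removes RRSIG, NSEC, NSEC3, NSEC3PARAM and DNSKEY records
(including multi-line ones in parentheses) and keeps every other record,
directive and comment byte-for-byte, so a signer receives an unsigned zone.
"""
import re

# RR types a signer generates and that must not be fed back into it.
DNSSEC_TYPES = frozenset({"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"})

_TTL_RE = re.compile(r"\d+[SMHDW]?", re.IGNORECASE)
_CLASSES = {"IN", "CH", "HS"}


def _scan(line):
    """Return (line without its ';' comment, net '(' minus ')' count),
    ignoring ';' and parentheses that sit inside a quoted string."""
    out, in_quote, prev, depth = [], False, "", 0
    for ch in line:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        elif not in_quote:
            if ch == ";":
                break
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
        out.append(ch)
        prev = ch
    return "".join(out), depth


def _record_type(line):
    """RR type of the first line of a record, or None for directives
    ($ORIGIN, $TTL), blank lines and comment-only lines."""
    code, _ = _scan(line)
    if not code.strip() or code.lstrip().startswith("$"):
        return None
    fields = code.split()
    if not code[0].isspace():      # owner name present: skip it
        fields = fields[1:]
    for field in fields:           # optional TTL and class, in either order
        if field.upper() in _CLASSES or _TTL_RE.fullmatch(field):
            continue
        return field.upper()
    return None


def _logical_records(text):
    """Group physical lines into records; '(' ... ')' lets one span lines."""
    group, depth = [], 0
    for line in text.splitlines(keepends=True):
        group.append(line)
        depth += _scan(line)[1]
        if depth <= 0:
            yield group
            group, depth = [], 0
    if group:                      # unbalanced parentheses at EOF: keep as-is
        yield group


def strip_dnssec(zone_text, drop_types=DNSSEC_TYPES):
    """Return zone_text with every record whose type is in drop_types removed."""
    kept = []
    for group in _logical_records(zone_text):
        if _record_type(group[0]) not in drop_types:
            kept.extend(group)
    return "".join(kept)


def record_types(zone_text):
    """RR types present, in file order (directives and comments excluded)."""
    types = [_record_type(g[0]) for g in _logical_records(zone_text)]
    return [t for t in types if t is not None]


# Constructed sample: a small zone after one signing pass. Key and signature
# data are placeholders, not real cryptographic material.
SAMPLE_SIGNED_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@      IN SOA ns1 hostmaster ( 2013102101 7200 900 1209600 3600 )
       IN NS  ns1
       IN NS  ns2
ns1    IN A   192.0.2.1
ns2    IN A   192.0.2.2
@      IN DNSKEY 257 3 8 ( AwEAAaaaPLACEHOLDER ) ; KSK (placeholder)
@      IN RRSIG SOA 8 2 3600 (
           20131120000000 20131021000000 12345 example.com.
           c2lnUExBQ0VIT0xERVI= )
@      IN NSEC ns1.example.com. NS SOA RRSIG NSEC DNSKEY
www    300 IN TXT "semicolons; and (parens) are data here"
"""

if __name__ == "__main__":
    print(strip_dnssec(SAMPLE_SIGNED_ZONE), end="")
```

`record_types` is there so an operator can diff the type inventory before and after the filter runs; the same helper, applied to the zone the public slave serves, is a cheap check that the signer really did add RRSIG records back for every RRset before the filtered zone is trusted in production.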