knot 2.3.0-3: Automatic DNSSEC signing: Current limitations and creating trusted-keys { ... }
20 Říj
2016
20 Říj
'16
13:57
Hi all,
I'm running {knot,knot-dnsutils} 2.3.0-3~bpo8+1 out of Debian
jessie-backports, and enabled automatic DNSSEC signing, which works
great!
I've got two question, as per the subject:
- According to [1], "KSK rollover is not implemented.". Does this mean,
if the key was created and exists, then currently knot doesn't change
/ rollover the KSK? Is it safe to assume, that as long one is using
this version, the key stays the same?
- I'm running Unbound to do resolving and forwarding some forward and
corresponding reverse zones to knot. To make DNSSEC work, I've created
a trusted-keys { ... } file with all the KSK created and used by /
with knot. Right now, I've created this file manually, using
$ keymgr zone key show ...
and
$ cat $name_of_zone.json
and putting it all together.
Right now, is there a tool / utility / command which does this
already?
TIA and all the best,
Georg
[1] https://www.knot-dns.cz/docs/2.x/html/configuration.html#limitations
21 Říj
21 Říj
13:53
Hi Georg,
----- Original Message -----
From: georg(a)riseup.net
To: "knot-dns-users" <knot-dns-users(a)lists.nic.cz>
Sent: Thursday, 20 October, 2016 13:57:00
Subject: [knot-dns-users] knot 2.3.0-3: Automatic DNSSEC signing: Current limitations and
creating trusted-keys { ... }
Hi all,
I'm running {knot,knot-dnsutils} 2.3.0-3~bpo8+1 out of Debian
jessie-backports, and enabled automatic DNSSEC signing, which works
great!
I've got two question, as per the subject:
- According to [1], "KSK rollover is not implemented.". Does this mean,
if the key was created and exists, then currently knot doesn't change
/ rollover the KSK? Is it safe to assume, that as long one is using
this version, the key stays the same?
Yes, the KSK will not change. We have plans to support KSK rollover,
but it have to be either manually triggered, or configured first
(in case we also implement some kind of automated DS upload).
- I'm running Unbound to do resolving and
forwarding some forward and
corresponding reverse zones to knot. To make DNSSEC work, I've created
a trusted-keys { ... } file with all the KSK created and used by /
with knot. Right now, I've created this file manually, using
$ keymgr zone key show ...
and
$ cat $name_of_zone.json
and putting it all together.
Right now, is there a tool / utility / command which does this
already?
Not exactly :), but we are improving the keymgr utility
step by step. Right now you can use this:
ZONE=sury.org
keymgr zone key list $ZONE | cut -f 2 -d ' ' | xargs -i sh -c "if keymgr zone
key show $ZONE {} | grep -q 'flags 257'; then keymgr zone key ds $ZONE {};
fi"
to print DS records for zone KSK.
I've filled an issue for further keymgr improvements, feel free to add your ideas
there:
https://gitlab.labs.nic.cz/labs/knot/issues/480
Cheers,
--
Ondřej Surý -- Technical Fellow
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:ondrej.sury@nic.cz https://nic.cz/
--------------------------------------------
18:08
(I'm subscribed to the list, please don't Cc: me.)
Hi Ondřej,
Thanks for your fast reply and the clarification:
On 16-10-21 13:53:55, Ondřej Surý wrote:
Not exactly :), but we are improving the keymgr
utility
step by step. Right now you can use this:
ZONE=sury.org
keymgr zone key list $ZONE | cut -f 2 -d ' ' | xargs -i sh -c "if keymgr
zone key show $ZONE {} | grep -q 'flags 257'; then keymgr zone key ds $ZONE {};
fi"
to print DS records for zone KSK.
Thanks for this!
I've filled an issue for further keymgr
improvements, feel free to add
your ideas there:
https://gitlab.labs.nic.cz/labs/knot/issues/480
So I did!
Thanks, all the best and cheers,
Georg
22 Říj
22 Říj
14:20
New subject: knot 2.3.0-3: Automatic DNSSEC signing: Current limitations and creating trusted-keys { ... }
Hi,
Yes, the KSK will not change. We have plans to
support KSK rollover,
but it have to be either manually triggered, or configured first
(in case we also implement some kind of automated DS upload).
any plans about the automated upload? Perhaps make a script call and pass data via stdin?
Please keep in mind, that you must be able to choose DNSKEY upload too, as of there are
registries / registrars that require DNSKEY instead of DS.
If you implement this kind of upload I'm going to test it and provide a script that
can be used with the API of one registrar (that will require DNSKEY btw).
Regards,
Volker
24 Říj
24 Říj
15:47
New subject: knot 2.3.0-3: Automatic DNSSEC signing: Current limitations and creating trusted-keys { ... }
Volker,
----- Original Message -----
From: "Volker Janzen" <voja(a)voja.de>
To: "knot-dns-users" <knot-dns-users(a)lists.nic.cz>
Sent: Saturday, 22 October, 2016 14:20:29
Subject: Re: [knot-dns-users] knot 2.3.0-3: Automatic DNSSEC signing: Current limitations
and creating trusted-keys {
... }
Hi,
No definitive "plans" yet, but this is certainly something we will
consider when designing the automated KSK rollover.
Yes, the KSK will not change. We have plans to
support KSK rollover,
but it have to be either manually triggered, or configured first
(in case we also implement some kind of automated DS upload).
any plans about the automated upload? Perhaps make a script call and pass data
via stdin? Please keep in mind, that you must be able to choose
DNSKEY upload too, as of
there are registries / registrars that require DNSKEY instead of DS.
Sure, CZ.NIC (.CZ) is one of those registries that require DNSKEY.
If you implement this kind of upload I'm going to
test it and provide a script
that can be used with the API of one registrar (that will require DNSKEY btw).
Thanks, we will provide a design document before we start working
on this to the community and we would welcome your comments on it.
This won't happen till next year though, our TODO list is quite
full.
Cheers,
--
Ondřej Surý -- Technical Fellow
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:ondrej.sury@nic.cz https://nic.cz/
--------------------------------------------
26 Říj
26 Říj
17:55
On 24 October 2016 at 09:47, Ondřej Surý <ondrej.sury(a)nic.cz> wrote:
Volker,
If you are considering an automated mechanism for updating registrars, I'd
suggest some sort of plugin mechanism so that it's easy for operators to
implement against their own registrar's flavour of API.. or against their
own pre-existing internal tools.
If you are considering shipping some complete plugins, I'd humbly ask you
to consider <
https://datatracker.ietf.org/doc/draft-ietf-regext-dnsoperator-to-rrr-proto…gt;.
:)
any plans about the automated upload? Perhaps
make a script call and
pass data
via stdin?
No definitive "plans" yet, but this is certainly something we will
consider when designing the automated KSK rollover.
2979
days inactive
2985
days old
5 comments
4 participants
participants (4)
-
georg@riseup.net -
Matthew Pounsett -
Ondřej Surý -
Volker Janzen