DNSSEC with 9.7.2-P2
Ian Tait
ian.t at thoughtbubble.net
Sat Nov 13 00:54:46 UTC 2010
Lads,
Isn't this getting ridiculous?
Is this the future of DNSSEC?
Ian
-----Original Message-----
From: bind-users-bounces+ian.t=thoughtbubble.net at lists.isc.org
[mailto:bind-users-bounces+ian.t=thoughtbubble.net at lists.isc.org] On
Behalf Of Mark Andrews
Sent: 13 November 2010 00:36
To: Phil Mayers
Cc: bind-users at lists.isc.org
Subject: Re: DNSSEC with 9.7.2-P2
In message <4CDD6467.9050708 at imperial.ac.uk>, Phil Mayers writes:
> On 12/11/10 15:45, Lightner, Jeff wrote:
>
> > For Production (RPM based system) you should use RHEL or CentOS
> > which has a much longer life cycle. (Speaking of which, RHEL6 was
> > just put in
>
> I don't agree with your line of reasoning. RHEL may have longer update
> cycles, but there's no guarantee a particular RHEL install will be
> applying updates in real-time, so the keys in the dnssec-conf package
> may still get out of date, or a RHEL install may run after its 5-year
> update cycle ends.
>
> I think the dnssec-conf package should have had a nightly cron job to
> refresh these keys, and it was a mistake to deploy without such.
>
> Just my opinion of course.
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
I use the following scripts (update-trusted-keys and
commit-trusted-keys) to manage my trust anchors. I run
update-trusted-keys nightly from cron and manually update when I get
email that there has been a change.
update-trusted-keys replaces the trust anchor when the tld gets a DS
record added to the root zone. With no arguments it just updates the
current list of zones listed in /etc/trusted-keys.
To bootstrap the process run it with a "." and the TLDs.
e.g.
/etc/update-trusted-keys . br org com net ....
and then add an include line for each zone to /etc/named.conf.
e.g.
include "/etc/trusted-keys/ROOT";
include "/etc/trusted-keys/br";
include "/etc/trusted-keys/org";
include "/etc/trusted-keys/com";
include "/etc/trusted-keys/net";
Mark
/etc/update-trusted-keys:
#!/bin/sh -f
#
# The directory containing the trusted keys.
#
d=/etc/trusted-keys
#
# If we haven't been given a list of zones then get the list
# of zones from the trusted-keys directory, excluding files that
# may have been the result of mapping the zone name to something
# suitable for the file system.
#
if test ! -n "$*"
then
	set `ls "${d}/" | grep -v .new | grep -v _ | sed 's/^ROOT$/./'`
fi
#
# For each zone attempt to get the DNSKEY RRset.  This will be
# validated by the nameserver before being returned to us.
# If there are keys with the KSK flag set then use them to create
# a new trusted-key set, otherwise use all keys.
#
# Report when the trusted-key set has changed.
#
# Note: this code assumes that there is a proper key rollover
# where multiple keys are active for a significant amount of time.
#
for i in $@
do
	f=`echo "${i}" | tr '[A-Z/ ]' '[a-z__]'`
	n=".new-${f}"
	i=`echo "${i}" | tr '[A-Z]' '[a-z]'`
	case $i in
	.) f="ROOT"; n=".new-ROOT";;
	*.) ;;
	*) i=${i}.;;
	esac
	#
	# Count the DS records the parent publishes for this zone
	# (the root has no parent, so none).
	#
	case ${i} in
	.) DS=0;;
	*) DS=`/usr/local/bin/dig +noall +answer DS "${i}" @127.0.0.1 |
	       grep -v '^;;' | wc -l | sed 's/ *//g'`;;
	esac
	#
	# A TLD that already has a DS in the root zone is covered by the
	# root trust anchor, so its own anchor is written commented out.
	#
	REM=""
	if test ${DS} -gt 0
	then
		if test `expr "${i}" : '^[a-z0-9-][a-z0-9-]*\.$'` != 0
		then
			REM="// "
		fi
	fi
	/usr/local/bin/dig +noall +answer dnskey "${i}" @127.0.0.1 |
	sort |
	awk -v DS=${DS} -v REM="${REM}" '
	BEGIN {
		ksks = "";
		zsks = "";
	}
	$4 == "DNSKEY" && $5 == "257" {
		key = "";
		for (i = 8; i <= NF; i++) key = key $i;
		if (key ~ /INVALID/) REM="// ";
		ksks = ksks "\t" REM $1 " " $5 " " $6 " " $7 " \"" key "\";\n";
		next;
	}
	$4 == "DNSKEY" && $5 == "256" {
		key = "";
		for (i = 8; i <= NF; i++) key = key $i;
		if (key ~ /INVALID/) REM="// ";
		zsks = zsks "\t" REM $1 " " $5 " " $6 " " $7 " \"" key "\";\n";
	}
	END {
		if ( ksks != "" ) {
			print "trusted-keys {"
			if (DS != 0)
				print "\n\t/* " DS " DS records found. */\n";
			print ksks "};";
		} else if (zsks != "") {
			print "trusted-keys {"
			if (DS != 0)
				print "\n\t/* " DS " DS records found. */\n";
			print zsks "};";
		}
	}
	' > "${d}/${n}"
	#
	# Test to see if we actually wrote anything.
	#
	if test -s "${d}/${n}"
	then
		if ! test -f "${d}/${f}"
		then
			touch "${d}/${f}"
		fi
		diff -u "${d}/${f}" "${d}/${n}"
	elif test -s "${d}/${f}"
	then
		diff -u "${d}/${f}" "${d}/${n}"
	fi
done
#
# Also fetch the RIPE NCC trust anchor list and show what changed.
#
cd /etc
fetch -qm https://www.ripe.net/projects/disi/keys/ripe-ncc-dnssec-keys-new.txt
diff -u ripe-ncc-dnssec-keys.conf ripe-ncc-dnssec-keys-new.txt
/etc/commit-trusted-keys:
#!/bin/sh
reload=no
#
# For each .new-* file written by update-trusted-keys, show the diff
# against the current anchor and ask before installing it.
#
for i in /etc/trusted-keys/.new-*
do
	b=`echo "${i}" | sed s/.new-//`
	if test ! -s "${b}" -a ! -s "${i}"
	then
		continue;
	fi
	if ! diff -u "$b" "$i"
	then
		echo -n "update $b: "
		read ans
		ans=`echo "$ans" |tr '[A-Z]' '[a-z]'`
		case "$ans" in
		y|yes)
			mv "${i}" "${b}"
			reload=yes
			;;
		esac
	fi
done
#
# Same for the RIPE NCC key list.
#
b=/etc/ripe-ncc-dnssec-keys.conf
i=/etc/ripe-ncc-dnssec-keys-new.txt
if ! diff -u "$b" "$i"
then
	echo -n "update $b: "
	read ans
	ans=`echo "$ans" |tr '[A-Z]' '[a-z]'`
	case "$ans" in
	y|yes)
		mv $i $b
		reload=yes
		;;
	esac
fi
#
# Only reload named if something was actually installed.
#
case $reload in
yes)
	rndc reload
	;;
esac
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
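The awk stage of the update-trusted-keys script above turns a validated DNSKEY answer into a trusted-keys block, preferring KSKs and commenting the block out when the zone is already chained from the root. The following is an added example (not code from the post or from ISC) that does the same transformation in Python so it can be exercised offline, and adds the check a practitioner usually wants alongside the DS count: the RFC 4034 Appendix B key tag of each anchor candidate, compared against the key tags in the parent's DS records. The zone name example.test, the deliberately tiny keys and the DS digest are constructed sample data, not real records.

```python
import base64
import struct

# Constructed sample input in dig '+noall +answer' presentation format
# (zone, keys and digest are made up; the keys are tiny so the key tags
# can be checked by hand).
SAMPLE_DNSKEY_ANSWER = """\
example.test.\t3600\tIN\tDNSKEY\t257 3 8 AAA=
example.test.\t3600\tIN\tDNSKEY\t256 3 8 AQI=
"""
SAMPLE_DS_ANSWER = """\
;; constructed: only the key tag field matters for this check
example.test.\t86400\tIN\tDS\t1033 8 2 0000000000000000000000000000000000000000000000000000000000000000
"""


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(answer_text):
    """Parse DNSKEY lines (owner ttl class DNSKEY flags proto alg key...).
    Like the awk stage, ';;' comment lines and other types are ignored."""
    keys = []
    for line in answer_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[3] != "DNSKEY":
            continue
        flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
        key_b64 = "".join(f[7:])  # dig may split the key over several fields
        keys.append({"owner": f[0], "flags": flags, "protocol": proto,
                     "algorithm": alg, "key": key_b64,
                     "tag": key_tag(flags, proto, alg, base64.b64decode(key_b64))})
    return keys


def parse_ds_tags(answer_text):
    """Key tags of the DS records the parent publishes
    (owner ttl class DS keytag alg digesttype digest)."""
    tags = []
    for line in answer_text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3] == "DS":
            tags.append(int(f[4]))
    return tuple(tags)


def trusted_keys_block(keys, ds_tags=(), covered_by_parent=False):
    """Emit a named.conf trusted-keys block: keys with the SEP bit (the
    script's flags == 257 test) if any exist, otherwise every key.
    covered_by_parent mirrors the script's REM="// ": a TLD that already
    has a DS in the root is written commented out.  A key whose tag
    matches none of the parent's DS records is flagged in a comment."""
    ksks = [k for k in keys if k["flags"] & 1]
    rem = "// " if covered_by_parent else ""
    out = ["trusted-keys {"]
    if ds_tags:
        out.append("\t/* %d DS records found. */" % len(ds_tags))
    for k in (ksks or keys):
        note = ""
        if ds_tags and k["tag"] not in ds_tags:
            note = "  // key tag %d matches no DS record" % k["tag"]
        out.append('\t%s%s %d %d %d "%s";%s' % (rem, k["owner"], k["flags"],
                   k["protocol"], k["algorithm"], k["key"], note))
    out.append("};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    keys = parse_dnskeys(SAMPLE_DNSKEY_ANSWER)
    print(trusted_keys_block(keys, parse_ds_tags(SAMPLE_DS_ANSWER)))
```

In practice the two answer texts would come from `dig +noall +answer dnskey` and `dig +noall +answer DS` against a validating resolver, exactly as the script does; the key tag comparison then tells you whether the KSK you are about to pin is the one the parent actually delegates to, which a bare DS count cannot.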