private trust anchor
Mark Andrews
marka at isc.org
Sun Feb 10 23:40:06 UTC 2013
In message <20130210225742.GA9786 at bewilderbeast.blackhelicopters.org>, "Michael
W. Lucas" writes:
> Hi,
>
> Is there a way to set up a private trust anchor for internal-only
> zones with BIND 9.9?
>
> I have some local and RFC1918 zones that I'd like to secure. It seems
> I should be able to configure a private trust anchor and use that key
> to sign these zones.
>
> I've found related docs, like draft-jabley-dnssec-trust-anchor-06,
> which has great gobs of theory, but nothing on how to actually do this
> with BIND.
>
> Has anyone done this? Or is this just daft?
>
> Thanks,
> ==ml
This is no different than creating any other island of trust.
You generate the keys for the zone. For IN-ADDR.ARPA zones there
is no point in using NSEC3.
dnssec-keygen -K /var/named/keys 10.in-addr.arpa          # ZSK (flags 256)
dnssec-keygen -K /var/named/keys -f KSK 10.in-addr.arpa   # KSK (flags 257)
You add the keys to the zone.
You sign the zone and arrange for named to re-sign the zone
automatically for you. You can use "inline-signing yes;" or configure
the zone to accept dynamic updates.
options {
        key-directory "/var/named/keys";   // where the K10.in-addr.arpa.+* files live
};
zone 10.in-addr.arpa {
        type master;
        file "master/10.in-addr.arpa";
        auto-dnssec maintain;    // named adds DNSKEYs and keeps the zone signed
        update-policy local;     // signing changes are applied as dynamic updates
};
rndc sign 10.in-addr.arpa
You add trusted keys clauses to your recursive servers.
trusted-keys {
        // <KSK info> is the KSK's flags, protocol, algorithm and base64
        // public key, as found in its .key file
        10.in-addr.arpa <KSK info>;
};
> --
> Michael W. Lucas
> http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
> Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
> mwlucas at michaelwlucas.com, Twitter @mwlauthor
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
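The reply leaves the contents of the trusted-keys clause as "<KSK info>". As an added example (not from Mark Andrews' post and not part of BIND), the POSIX shell script below reads a dnssec-keygen .key file and prints the matching trusted-keys clause, keeping only DNSKEY records that carry the KSK flag (257) and skipping ZSKs (256). The key file it writes is constructed, with made-up key material; the file path and the function names are the example's own assumptions, and only the public DNSKEY record layout ("owner IN DNSKEY flags protocol algorithm base64") is relied on.

```shell
#!/bin/sh
# Added example, not code from the original post: build a trusted-keys
# clause from the public half of a dnssec-keygen KSK.

# Constructed sample .key file; the key material is made up, not a real key.
SAMPLE_KEY_FILE="${TMPDIR:-/tmp}/K10.in-addr.arpa.+008+12345.key.example"
cat > "$SAMPLE_KEY_FILE" <<'EOF'
; This is a key-signing key, keyid 12345, for 10.in-addr.arpa.
10.in-addr.arpa. IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDsampleKEYmaterialNOTaREALkey0123456789abcdef
; a zone-signing key would look like this and must NOT become a trust anchor
10.in-addr.arpa. IN DNSKEY 256 3 8 AwEAAzSKsampleKEYmaterialNOTaREALkeyfedcba9876543210
EOF

# Count DNSKEY records with the KSK flag, so a caller can sanity-check the
# file (expect exactly one active KSK outside of a key rollover).
count_ksk() {
    awk '$1 !~ /^;/ && $3 == "DNSKEY" && $4 == 257 { n++ } END { print n + 0 }' "$1"
}

# Print one trusted-keys clause per KSK in the file. Lines starting with ";"
# are comments; the base64 key may be split across fields, so fields 7..NF
# are rejoined. Exit 1 if the file holds no KSK at all.
dnskey_to_trusted_keys() {
    awk '
        $1 !~ /^;/ && $3 == "DNSKEY" && $4 == 257 {
            key = ""
            for (i = 7; i <= NF; i++) key = key $i
            printf "trusted-keys {\n    \"%s\" %s %s %s \"%s\";\n};\n",
                   $1, $4, $5, $6, key
            found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

dnskey_to_trusted_keys "$SAMPLE_KEY_FILE"
```

A trusted-keys clause pins the key statically: when the KSK is rolled, every recursive server carrying the clause has to be updated by hand, or validation of 10.in-addr.arpa fails once the old key is retired. Filtering on flag 257 keeps a ZSK from being pasted in by mistake, since a ZSK does not sign the DNSKEY RRset and would not validate the zone.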