Setup a DNSSEC with my own public and private key

Manuel Gil Perez manuel at dif.um.es
Mon Jun 28 11:14:31 UTC 2004


Hi and thanks both Jim and Edward.

Currently, the dnssec-* tools permit signing the zones and authenticating the
source of a dynamic update. The user can check this signature to test the
integrity/authenticity of the responses, but how can the user be sure that
this signature is trustworthy?

For this, I'd like to establish my keys where the PKI provides this trust.

Thanks.


----- Original Message ----- 
Sent: Friday, June 25, 2004 8:26 PM
Subject: Re: Setup a DNSSEC with my own public and private key


> >>>>> "Manuel" == Manuel Gil Perez <manuel at dif.um.es> writes:
>
>     Manuel> I am the UMU-PKIv6 administrator
>     Manuel> (http://pki.umu.euro6ix.org) and I would like to use it to
>     Manuel> enroll my DNS server. Currently, the PKI publishes
>     Manuel> certificates and CRLs in a DNS (BIND 9.2.1) through the
>     Manuel> TSIG mechanism, but I would like to update to BIND 9.3.0
>     Manuel> to use SIG(0), which is more secure. For this, I would like
>     Manuel> to set up the DNS with my own keys.
>
> I don't understand. Why should it matter what the value of the key is
> for some SIG(0) signed transaction? All you seem to be doing here is
> authenticating the source of a dynamic update. I can't see why
> anything should need to know or even care about the actual value of
> the SIG(0) key that was used or how that could make a difference.
> Presumably you'll be doing "nsupdate -k ...." to generate the SIG(0)
> signed dynamic updates, so the only things that would need to know
> about the actual keys are the things which generate and validate those
> "signatures", i.e. the nsupdate client and the name server.
>
> BTW you might also want to check out the CERT record and publish your
> certificates in the DNS. Though this might not be sensible unless they
> were stored in a DNSSEC-signed zone.
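Jim's point above (only the nsupdate client and the name server need to know the SIG(0) key) in practice, as an added example that is not code from this thread or from BIND itself: a defender-side script that generates a host key, publishes its KEY RR in the zone, restricts dynamic updates to that identity with update-policy, and signs updates with nsupdate -k. The key name, zone, file paths, addresses and the RSASHA1 algorithm are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: defender-side setup of SIG(0)
# authenticated dynamic updates in BIND 9.3. Key name, zone, addresses,
# file paths and the RSASHA1 choice are assumptions for illustration.
set -eu

# named.conf zone stanza: only the SIG(0) identity named in the KEY RR may
# update, and only A/TXT records below the zone apex.
update_policy_stanza() {  # $1 = key name with trailing dot, $2 = zone
    printf 'zone "%s" {\n    type master;\n    file "%s.db";\n' "$2" "$2"
    printf '    update-policy { grant %s subdomain %s. A TXT; };\n};\n' "$1" "$2"
}

# Accept a dnssec-keygen .key file only if its KEY RR is a host key
# (flags 512, from -n HOST) with protocol 3 (DNSSEC): a zone key (flags 256)
# must not be installed as an update identity.
sig0_key_rr_ok() {  # $1 = path to K<name>.+<alg>+<tag>.key
    awk '/^;/ { next }
         { for (i = 1; i <= NF; i++) if ($i == "KEY" && $(i+1) == 512 && $(i+2) == 3) ok = 1 }
         END { exit (ok ? 0 : 1) }' "$1"
}

# nsupdate batch; "nsupdate -k K<name>.+<alg>+<tag>.private update.txt" signs
# each request with SIG(0), which named verifies against the published KEY RR.
nsupdate_batch() {  # $1 = server, $2 = zone, $3 = owner FQDN, $4 = IPv4
    printf 'server %s\nzone %s\nupdate add %s 3600 IN A %s\nsend\n' "$1" "$2" "$3" "$4"
}

# Whole procedure; needs the BIND 9.3 tools, so it only runs when invoked as
# "sh sig0-setup.sh run <keyname> <zone>" (hypothetical script name).
sig0_setup() {  # $1 = key owner name (no trailing dot), $2 = zone
    dnssec-keygen -a RSASHA1 -b 1024 -n HOST -r /dev/urandom "$1"
    keyfile=$(ls K"$1".+*.key)
    sig0_key_rr_ok "$keyfile"
    grep -v '^;' "$keyfile" >> "$2.db"          # publish the KEY RR in the zone
    update_policy_stanza "$1." "$2" >> named.conf
    rndc reconfig                                # load the new zone stanza
    nsupdate_batch 127.0.0.1 "$2" "host.$2." 192.0.2.10 > update.txt
    nsupdate -k "${keyfile%.key}.private" update.txt
}
if [ "${1:-}" = run ]; then sig0_setup "${2:-sig0-updater.example.com}" "${3:-example.com}"; fi
```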
