dnssec signing tools

Kevin Oberman oberman at es.net
Sat Mar 20 22:48:52 UTC 2010


> Date: Sat, 20 Mar 2010 16:28:59 -0500
> From: groups <groups at obsd.us>
> Sender: bind-users-bounces+oberman=es.net at lists.isc.org
> 
> I should have been more specific.. What dnssec tools do the folks at ISC
> recommend..   I am scheduled for a 5 day class in Arlington, VA in May 2010
> 
> Thx
> Charles
> > Greetings list..
> > I have recently assumed responsibility and did a
> > complete rebuild of a Master DNS server running 9.6.1.P3. (will 
> > upgrade to 9.6.2 when SRPM is available)
> > OS: CentOS 5.4
> >
> > New  to DNS administration but not new to Linux / UNIX..
> >
> > I am looking at dnssec-tools for signing my 2 zones.
> > Am curious if anyone on the list has used  / is using
> > this tool..

Signing is probably best handled by BIND 9.7 (DNSSEC for Humans). It
handles re-signing and keyrolls in a manner that looks fairly
manageable. (I'm not using BIND for signing, so this is based on the
documentation.)

For testing and management, I use dig, part of the BIND distribution,
drill from nllabs.nl, a source of lots of fine DNS related stuff, and
http://dnscheck.se. The latter is a test suite that includes tests of
DNSSEC. You can install the tests on a local system or run them on the
web site.

I also urge you to get a copy of NIST SP800-81r1, an excellent overview
and how-to on DNS security that goes well beyond DNSSEC. It is at:
http://csrc.nist.gov/publications/drafts/800-81-rev1/nist_draft_sp800-81r1-round2.pdf.
It is still in draft, but is close to being finalized.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net            Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
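As an added illustration of the BIND 9.7 automatic signing the reply recommends (this is not from the original post or from ISC's documentation; the zone name, file paths and the KEYTAG value are assumed placeholders), a named.conf fragment with the surrounding key-generation and verification steps as comments:

```conf
// Added example, not from the thread. example.com, /var/named and
// /var/named/keys are assumed paths; KEYTAG is a placeholder.
// 1. Generate a KSK and a ZSK into the key directory before the zone loads
//    (-r /dev/urandom avoids blocking on a headless box short of entropy):
//    dnssec-keygen -K /var/named/keys -r /dev/urandom -a RSASHA256 -b 2048 -f KSK -n ZONE example.com
//    dnssec-keygen -K /var/named/keys -r /dev/urandom -a RSASHA256 -b 1024 -n ZONE example.com
// 2. named needs read access to the K*.private files and write access to
//    the zone file and its journal, because it re-signs the zone itself.
options {
    directory "/var/named";
    dnssec-enable yes;
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";    // rewritten by named; keep it out of any
                                      // read-only directory
    key-directory "/var/named/keys";  // where the K*.key / K*.private files live
    auto-dnssec maintain;             // sign on load, re-sign before RRSIGs expire,
                                      // and act on key timing metadata for rollovers
    update-policy local;              // automatic signing needs a dynamic zone;
                                      // "local" allows only nsupdate -l on this host,
                                      // no remote dynamic updates
    sig-validity-interval 30;         // days each RRSIG stays valid (the default);
                                      // named re-signs well before expiry
};

// 3. Produce the DS record for the KSK to hand to the parent zone:
//    dnssec-dsfromkey -2 /var/named/keys/Kexample.com.+008+KEYTAG.key
// 4. Check the result with the dig shipped in the BIND distribution:
//    dig @127.0.0.1 example.com SOA +dnssec +multi   # expect an RRSIG in the answer
//    dig @127.0.0.1 example.com DNSKEY +dnssec       # KSK (flags 257) and ZSK (flags 256)
```

The `update-policy local` line is the usual sticking point: without a dynamic zone, `auto-dnssec maintain` has nothing to act on and named logs the zone as unsigned.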