dnssec config sanity check

Paul B. Henson henson at acm.org
Tue Oct 4 22:49:25 UTC 2011


On 10/3/2011 11:45 PM, Stephane Bortzmeyer wrote:

> Experience of DNSSEC deployment (see my paper at SATIN
> <http://conferences.npl.co.uk/satin/papers/satin2011-Bortzmeyer.pdf>)
> shows that custom programs have many timing bugs. Many things can go
> wrong. Why not use an existing program such as OpenDNSSEC?

From a quick read of your paper, I see you discovered many rollover
timing issues in the wild, but it doesn't look like those are correlated
with any particular tool. Other than knowing a given domain had an
issue, you have no idea what caused it, or what tool they may have been
using, and it is only an assumption that the issue arose from a custom
program... They could well have been using some existing programs such
as OpenDNSSEC which presumably aren't guaranteed bug free :).

We initially implemented this over a year ago, but were delayed in
deployment when it turned out our ISP (who provides secondary services)
was running an ancient version of BIND that didn't do DNSSEC 8-/. I
didn't find any good solutions available at the time.

Taking a look at OpenDNSSEC, I don't think I'd use it even if we were
starting today; it is way over-engineered for our requirements. I'm not
a big fan of XML configuration files, and I don't particularly want a
signing daemon running 24x7. The current capability of BIND to
automatically select which keys to use based on their timing data, with
a minimal wrapper around it, provides more than enough functionality to
manage our relatively simple zones.

DNSSEC is fairly complicated, and the issue of timing can be complex,
but once the variables are determined, then the actual procedures of
implementation are pretty simple. Generate keys with appropriate
publication, activation, inactivation, and deletion timings, and then
use them ;). My hope from my initial posting was to get a little peer
review of the appropriateness of the timings I've selected...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
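Worked example of the key-timing sanity check the post asks for, added here as an editorial illustration; it is not code from the thread, from the poster's wrapper or from BIND. It assumes the four timestamps have the meaning of the publish/activate/inactive/delete metadata BIND consults, a pre-publish ZSK rollover, and constructed TTL and propagation values.

```python
from datetime import datetime, timedelta

def rollover_schedule(activate, lifetime, dnskey_ttl, max_zone_ttl, propagation,
                      safety=timedelta(hours=1)):
    """Timing metadata (publish, activate, inactive, delete) for one pre-publish ZSK.

    publish  : DNSKEY enters the zone; must reach every cache before it signs
    activate : the key starts producing RRSIGs
    inactive : the key stops signing; RRSIGs it made may still be cached
    delete   : DNSKEY removed, only once no cached RRSIG by it can remain
    """
    intro_lead = dnskey_ttl + propagation + safety    # old DNSKEY RRset ages out of caches
    retire_lead = max_zone_ttl + propagation + safety  # old RRSIGs age out of caches
    publish = activate - intro_lead
    inactive = activate + lifetime
    delete = inactive + retire_lead
    return publish, activate, inactive, delete

def sanity_check(keys, dnskey_ttl, max_zone_ttl, propagation, safety=timedelta(hours=1)):
    """keys: list of (publish, activate, inactive, delete). Returns a list of problems."""
    intro_lead = dnskey_ttl + propagation + safety
    retire_lead = max_zone_ttl + propagation + safety
    problems = []
    for n, (p, a, i, d) in enumerate(keys):
        if not p <= a < i <= d:
            problems.append(f"key{n}: timings not in publish<=activate<inactive<=delete order")
        if a - p < intro_lead:
            problems.append(f"key{n}: published only {a - p} before activation, need {intro_lead}")
        if d - i < retire_lead:
            problems.append(f"key{n}: deleted only {d - i} after inactivation, need {retire_lead}")
    # The zone must never be left without a signing key: each successor has to be
    # active no later than the moment its predecessor goes inactive.
    ordered = sorted(keys, key=lambda k: k[1])
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt[1] > prev[2]:
            problems.append(f"no active key between {prev[2]} and {nxt[1]}")
    return problems

# Constructed values: 90-day ZSK lifetime, 1-day DNSKEY TTL, 1-day maximum zone
# TTL, and 1 hour allowed for the secondaries to pick up the re-signed zone.
TTL_DAY = timedelta(days=1)
PROP = timedelta(hours=1)
KEY1 = rollover_schedule(datetime(2011, 10, 10), timedelta(days=90), TTL_DAY, TTL_DAY, PROP)
KEY2 = rollover_schedule(KEY1[2], timedelta(days=90), TTL_DAY, TTL_DAY, PROP)

if __name__ == "__main__":
    print(KEY1)                                              # publish lands 26h before activation
    print(sanity_check([KEY1, KEY2], TTL_DAY, TTL_DAY, PROP))  # []
```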
