trying DNSSEC with 9.9-rc1

Mark Elkins mje at posix.co.za
Thu Feb 2 16:14:50 UTC 2012


On Wed, 2012-02-01 at 17:18 -0500, Michael W. Lucas wrote:
> Hi,
> 
> I'd put off DNSSEC because of the high maintenance requirement. But
> with 9.9 and inline signing, it looks like I can now do DNSSEC the way
> I need (static zone files that work with legacy tools, automatic key
> rotation, etc.)
> 
> I see that 9.9-rc2 came out yesterday; I'm building it now, but I
> don't see anything in the relnotes that tells me this has
> changed. Unfortunately, I'm trying to figure out how to use DNSSEC
> inline signing from the Internet's ten years of DNSSEC tutorials, none
> of which exactly cover this setup. And the ARM isn't quite updated for
> this yet.
> 
> If someone is kind enough to help me figure out DNSSEC, I'll happily
> blog it for the next guy who comes along. I'm sure I won't be the
> last...
> 
> My understanding of the process is:
> 
> 1) create KSK and ZSK
> 
> nstest/etc/namedb/keys;dnssec-keygen -f KSK -a RSASHA1 -b 768 -n ZONE transnetworks.net
> Generating key pair.........................................................++++++++ .++++++++
> Ktransnetworks.net.+005+54607
> nstest/etc/namedb/keys;dnssec-keygen -a RSASHA1 -b 768 -n ZONE transnetworks.net
> Generating key pair......................................++++++++ ..................++++++++
> Ktransnetworks.net.+005+51087
> 


As others have said....


When I create a Zone-Signing-Key (ZSK) - I use...
dnssec-keygen -a RSASHA256 -b 1024 -n ZONE posix.co.za

When I create a Key-Signing-key (KSK) - I use...
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK posix.co.za


Use the "RSASHA256" algorithm. You are probably going to otherwise have
to switch to using it one day anyway - and "algorithm" rollovers are
more complicated than key rollovers. Also, it doesn't matter if you use
NSEC or NSEC3.

I have a 2048 byte Key Signing key - I expect to use the same key for a
year (and not so easy to roll-over - depending on parents). I have a
1024 byte Zone Signing key - I only expect to have it for about one
month (and it's easy to roll-over locally).

The default random device is /dev/random. This device will hang the
signing program if there is not enough random data to be fed from - so
you might want to add "-r /dev/urandom" to rather use the Pseudo Random
device -or- install "haveged", which is a random generator daemon which
feeds random into /dev/random (at least on my Gentoo Linux box!)
(or get a true random number generator USB dongle!)

Oh - and BIND needs to be able to find the keys, so why not create them in
the same directory as the zone file...

I now have a separate directory for each zone file, where the
appropriate keys can also be found as in....

zone "posix.co.za" {
        type master;
        file "pri/posix.co.za/db.posix.co.za";
        key-directory "pri/posix.co.za";
        auto-dnssec maintain;
        inline-signing yes;
}

Hope these suggestions help.

-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
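As an added example (not from this thread and not part of BIND's own tooling): a small Python checker that reads the DNSKEY records dnssec-keygen writes into its K<zone>.+<alg>+<id>.key files and flags keys that deviate from the advice above (RSASHA256, a 2048-bit KSK, a 1024-bit ZSK), decoding the RFC 3110 public-key blob to recover the modulus size. The sample records are constructed around a synthetic modulus, so they parse correctly but are not usable keys.

```python
import base64

ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}  # IANA numbers
KSK_FLAGS, ZSK_FLAGS = 257, 256                 # 257 = SEP bit set, i.e. a KSK
EXPECTED_BITS = {KSK_FLAGS: 2048, ZSK_FLAGS: 1024}   # sizes recommended in the mail

def rsa_modulus_bits(rdata):
    """Bit length of the RSA modulus in an RFC 3110 DNSKEY public-key blob."""
    if rdata[0]:                                 # one-byte exponent length
        exp_len, off = rdata[0], 1
    else:                                        # zero byte, then two-byte length
        exp_len, off = int.from_bytes(rdata[1:3], "big"), 3
    return int.from_bytes(rdata[off + exp_len:], "big").bit_length()

def parse_dnskey(line):
    """Parse one '<owner> [TTL] IN DNSKEY <flags> 3 <alg> <base64...>' record."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, alg = int(fields[idx + 1]), int(fields[idx + 3])
    blob = base64.b64decode("".join(fields[idx + 4:]))
    return {"name": fields[0], "flags": flags, "alg": alg, "bits": rsa_modulus_bits(blob)}

def audit(key):
    """List deviations from the advice above: RSASHA256, 2048-bit KSK, 1024-bit ZSK."""
    problems = []
    if key["alg"] != 8:
        problems.append(f"algorithm {ALGORITHMS.get(key['alg'], key['alg'])}, expected RSASHA256")
    want = EXPECTED_BITS.get(key["flags"])
    if want is None:
        problems.append(f"unexpected DNSKEY flags {key['flags']}")
    elif key["bits"] < want:
        problems.append(f"{key['bits']}-bit modulus, expected at least {want}")
    return problems

def make_dnskey(name, flags, alg, bits):
    """Constructed sample in dnssec-keygen's .key format (synthetic modulus, not a real key)."""
    exponent = (65537).to_bytes(3, "big")
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    blob = base64.b64encode(bytes([len(exponent)]) + exponent + modulus).decode()
    return f"{name}. IN DNSKEY {flags} 3 {alg} {blob}"

# Constructed samples: the recommended pair above, plus a 768-bit RSASHA1 KSK as in the quoted mail
SAMPLES = [make_dnskey("posix.co.za", KSK_FLAGS, 8, 2048),
           make_dnskey("posix.co.za", ZSK_FLAGS, 8, 1024),
           make_dnskey("transnetworks.net", KSK_FLAGS, 5, 768)]

if __name__ == "__main__":
    for line in SAMPLES:
        key = parse_dnskey(line)
        print(key["name"], key["flags"], key["bits"], audit(key) or "OK")
```

To check real keys, feed the non-comment lines of each .key file in the zone's key-directory to parse_dnskey.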