DNSSEC: maintain mode with KSK offline?

Evan Hunt each at isc.org
Fri Sep 13 16:03:49 UTC 2013


On Fri, Sep 13, 2013 at 12:38:07PM -0300, Diego Martínez wrote:
> if I use bind with zone options:
> 	auto-dnssec: maintain
> 	inline-signing: yes
> 
> the KSK (public and private parts) must be on-line, right?
> Even if not required to sign the DNSKEY records?

The short answer is yes.

When you're doing inline signing, the server maintains two
copies of the zone internally: the original zone as you configured
it (we call it the "raw" zone), and then a second copy that it
builds which actually answers queries.

When named first loads the raw zone, it's copied over into the signed
zone *with any existing DNSSEC records stripped out*.  DNSKEYs get
brought in from the key directory, the whole thing is signed, NSEC
records generated, and finally we're ready to answer queries.

Signing the raw zone with an offline KSK before you loaded it would
just cause the signed DNSKEY rrset to be stripped before the inline-
signing zone got to work. I can think of some ways to kluge around this,
but they'd be cumbersome and prone to error. My real recommendation is, if
you need an offline KSK, don't use inline signing. (You can still use
auto-dnssec.)

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
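A check that follows from the reply above: inline signing can only work if the KSK's private half is sitting in named's key directory, so "offline KSK" is really a statement about which `.private` files exist on disk. The script below is an added example, not code from the original post or from ISC; it audits a BIND key directory, classifies each key pair as KSK (flags 257) or ZSK (flags 256) from the `.key` file, and reports whether the matching `.private` file is present. The sample key directory it builds is constructed for the demonstration with dummy key material; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): audit a key
# directory for KSK private keys that are present on disk. Inline signing
# needs the KSK's .private file on-line; an offline-KSK policy means it
# must not be there at all.

# Print one line per key pair: "<basename> <KSK|ZSK|UNKNOWN> <online|offline>".
# "online" means the .private file exists next to the .key file.
ksk_online_status() {
    dir=$1
    for keyfile in "$dir"/K*.key; do
        [ -f "$keyfile" ] || continue
        base=$(basename "${keyfile%.key}")
        # The flags field is the token right after "DNSKEY" (the .key file may
        # or may not carry a TTL before the class). Lines starting with ';'
        # are dnssec-keygen's comments and are skipped.
        flags=$(awk '/^;/ {next} {for (i = 1; i <= NF; i++) if ($i == "DNSKEY") {print $(i+1); exit}}' "$keyfile")
        case $flags in
            257) role=KSK ;;      # SEP bit set: key-signing key
            256) role=ZSK ;;      # zone-signing key
            *)   role=UNKNOWN ;;
        esac
        if [ -f "${keyfile%.key}.private" ]; then
            state=online
        else
            state=offline
        fi
        printf '%s %s %s\n' "$base" "$role" "$state"
    done
}

# Exit 0 if no KSK private key is present in DIR, 1 if at least one is.
ksk_is_offline() {
    ! ksk_online_status "$1" | grep -q ' KSK online$'
}

# Constructed sample key directory (dummy key material, not real keys),
# laid out the way dnssec-keygen names its files. Prints the directory path.
make_sample_keydir() {
    sd=$(mktemp -d)
    # KSK (flags 257) with its private half on disk, as inline signing requires.
    cat > "$sd/Kexample.com.+008+12345.key" <<'EOF'
; This is a key-signing key, keyid 12345, for example.com.
example.com. IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDkskPUBLICkeyMATERIAL
EOF
    printf 'Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n' > "$sd/Kexample.com.+008+12345.private"
    # ZSK (flags 256), private half present; it is always needed for ongoing signing.
    cat > "$sd/Kexample.com.+008+54321.key" <<'EOF'
; This is a zone-signing key, keyid 54321, for example.com.
example.com. 3600 IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDzskPUBLICkeyMATERIAL
EOF
    printf 'Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n' > "$sd/Kexample.com.+008+54321.private"
    echo "$sd"
}

# Usage: run the audit against the constructed directory, then "take the KSK
# offline" (remove its .private file) and run it again.
keydir=$(make_sample_keydir)
ksk_online_status "$keydir"
if ksk_is_offline "$keydir"; then
    echo "no KSK private key on disk: consistent with an offline-KSK policy"
else
    echo "KSK private key present: inline signing can use it, the KSK is not offline"
fi
rm "$keydir/Kexample.com.+008+12345.private"
ksk_is_offline "$keydir" && echo "KSK now offline"
rm -r "$keydir"
```

Point it at the real key-directory configured for the zone; with `inline-signing yes` named needs the KSK line to read `online`, and if your policy is an offline KSK the same line must read `offline`, which is exactly why the two cannot be combined.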
