Bind and ZSK-Rollovers: Changing salt automatically?

Johannes Kastl mail at ojkastl.de
Mon Jul 28 16:16:13 UTC 2014


Hi Carsten and all,

sorry for the late reply.

On 24.07.14 19:53 Carsten Strotmann wrote:

> I'm not aware that BIND 9 can do a ZSK rollover all on its own, it
> is however possible to set the timing values on the ZSK key files
> in a way that BIND 9 will execute the rollover at the set times.
> It is also possible to create a direct successor ZSK from an
> existing ZSK.

That is exactly what I meant. I prepare the keys and bind does the
rollover automatically.

> But the creation of the new ZSK, as well as setting the timing
> values, need to be done outside BIND 9. It is relatively
> straightforward to script this in a cron job, and there are
> ready-made tools that can help.

I'll dig into scripting that. But I found Michael W Lucas' DNSSEC
Mastery a pretty good read on the process.

> In the same cron job, it is then possible to create a new NSEC3
> salt and inject that into the zone.

So basically BIND cannot do that for me, each time it does a key
rollover. That's what I wanted to know.

> Doing so at the exact moment of the ZSK key rollover (to prevent
> unnecessary re-generation of all RRSIGs) is tricky.
> 
> If the zone is not too big (e.g. re-generating all RRSIGs is not a
> problem), I would recommend to roll the salt in the same intervals,
> but independent from the ZSK rollover.

I'll stick with this, then.


Regards,
Johannes
-- 
Debian est omnis divisa in partes tres, quarum unam nominari Stable,
aliam Testing, tertiam qui ipsorum lingua Sid, nostra Unstable
appellantur.
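As an added illustration (not part of the thread, and not code from either poster), the following POSIX shell sketch shows the cron-job shape Carsten describes: create a direct successor ZSK with dnssec-keygen -S, hand it timing values with dnssec-settime, tell BIND to pick it up, and, on its own independent schedule, generate a fresh NSEC3 salt and inject it with rndc signing -nsec3param. The zone name, key directory, lifetimes and the assumption that the zone runs with auto-dnssec maintain / inline-signing are placeholders chosen for the example. The salt helpers run without BIND installed; the rollover functions only execute when the script is invoked with --roll-zsk or --roll-salt.

```shell
#!/bin/sh
# Added example: scripted ZSK successor creation plus independent NSEC3 salt
# rolling, as discussed in the thread. Assumed settings (not from the post):
# a zone with "auto-dnssec maintain; inline-signing yes;" and rndc access.
set -eu

ZONE="${ZONE:-example.com}"            # assumed zone name
KEYDIR="${KEYDIR:-/etc/bind/keys}"     # assumed key directory (dnssec-keygen -K)
PREPUB="1w"     # successor ZSK is published this long before it becomes active
LIFETIME="90d"  # each ZSK signs for this long before going inactive
DELETE="97d"    # old ZSK removed from the zone after its signatures expire
NSEC3_ITER=10   # NSEC3 iterations (example value; keep iterations low)

# New random NSEC3 salt: 8 random bytes rendered as 16 hex characters.
# Uses od instead of openssl so the helper works on a minimal system.
new_salt() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# Sanity check for a salt string: hex only, whole bytes, at most 255 bytes
# (the NSEC3PARAM salt length field is one octet, RFC 5155).
valid_salt() {
    case "$1" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    len=${#1}
    [ $((len % 2)) -eq 0 ] && [ "$len" -le 510 ]
}

# Create the explicit successor of the current ZSK ($1 is a key basename such
# as Kexample.com.+008+12345, a constructed placeholder). dnssec-keygen -S
# copies name, algorithm and size, sets the successor's Activate date to the
# predecessor's Inactive date, and Publish to Activate minus the -i interval,
# so BIND performs the pre-publish rollover by itself at those times.
roll_zsk() {
    old="$1"
    # Give the old key an inactivation and deletion date for the successor to
    # chain onto; BIND stops signing with it at -I and drops it at -D.
    dnssec-settime -K "$KEYDIR" -I "now+${LIFETIME}" -D "now+${DELETE}" "$old" >/dev/null
    new=$(dnssec-keygen -K "$KEYDIR" -S "$old" -i "$PREPUB")
    # Ask named to re-read the key directory so the timing takes effect.
    rndc loadkeys "$ZONE"
    echo "$new"
}

# Roll the NSEC3 salt on its own schedule (the thread's recommendation when
# re-signing the whole zone is affordable). Hash 1 = SHA-1, flags 0.
roll_salt() {
    salt=$(new_salt)
    valid_salt "$salt" || { echo "bad salt: $salt" >&2; return 1; }
    rndc signing -nsec3param 1 0 "$NSEC3_ITER" "$salt" "$ZONE"
    echo "$salt"
}

# Only act when explicitly invoked from cron, e.g.
#   0 3 1 */3 * /usr/local/sbin/dnssec-roll.sh --roll-zsk Kexample.com.+008+12345
#   0 4 1 */3 * /usr/local/sbin/dnssec-roll.sh --roll-salt
case "${1:-}" in
    --roll-zsk)  roll_zsk "$2" ;;
    --roll-salt) roll_salt ;;
esac
```

One design point worth noting: the salt is rolled by rndc rather than by editing NSEC3PARAM in the zone file, so the change applies to the inline-signed copy and named schedules the re-hashing itself; running it on a cadence separate from the ZSK dates matches the advice given above and avoids trying to hit the exact rollover moment.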