Bind and ZSK-Rollovers: Changing salt automatically?
Johannes Kastl
mail at ojkastl.de
Mon Jul 28 16:16:13 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Carsten and all,
sorry for the late reply.
On 24.07.14 19:53 Carsten Strotmann wrote:
> I'm not aware that BIND 9 can do a ZSK rollover all on its own, it
> is however possible to set the timing values on the ZSK key files
> in a way that BIND 9 will execute the rollover at the set times.
> It is also possible to create a direct successor ZSK from an
> existing ZSK.
That is exactly what I meant. I prepare the keys and bind does the
rollover automatically.
> But the creation of the new ZSK, as well as setting the timing
> values, need to be done outside BIND 9. It is relatively
> straightforward to script this in a cron job, and there are
> ready-made tools that can help.
I'll dig into scripting that. But I found Michael W Lucas' DNSSEC
Mastery a pretty good read on the process.
> In the same cron job, it is then possible to create a new NSEC3
> salt and inject that into the zone.
So basically BIND cannot do that for me, each time it does a key
rollover. That's what I wanted to know.
> Doing so at the exact moment of the ZSK key rollover (to prevent
> unnecessary re-generation of all RRSIGs) is tricky.
>
> If the zone is not too big (e.g. re-generating all RRSIGs is not a
> problem), I would recommend rolling the salt in the same intervals,
> but independent from the ZSK rollover.
I'll stick with this, then.
Regards,
Johannes
- --
Debian est omnis divisa in partes tres, quarum unam nominari Stable,
aliam Testing, tertiam qui ipsorum lingua Sid, nostra Unstable
appellantur.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/
iEYEARECAAYFAlPWd00ACgkQzi3gQ/xETbJYRwCaAp4UiwsIlIp2zjq/w0ImOJjC
YoUAnjTMjMJ/wbkhKR1oj7iJS1p1H6G7
=qHrR
-----END PGP SIGNATURE-----
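What the exchange above describes (a cron job that retires the active ZSK, creates a direct successor with dnssec-keygen -S, lets named do the pre-publish rollover at the set times, and rolls the NSEC3 salt in the same job but independently of the key timing) can be scripted as follows. This is an added example, not code from the thread or from BIND; the zone name, key directory, rollover length and prepublication window are placeholders, the script assumes the zone is signed with `auto-dnssec maintain` and is meant to be scheduled once per rollover interval, and DRY_RUN=1 (the default) only prints the planned commands.

```shell
#!/bin/sh
# Added example (not from the original thread or from BIND): cron-driven
# ZSK pre-publish rollover for a BIND 9 zone signed with 'auto-dnssec
# maintain', plus an NSEC3 salt roll in the same job.
# Assumptions/placeholders: ZONE, KEYDIR, ROLL_DAYS, PREPUB, SALT_BYTES.

ZONE="${ZONE:-example.com}"                 # placeholder zone
KEYDIR="${KEYDIR:-/var/cache/bind/keys}"    # placeholder key directory
ROLL_DAYS="${ROLL_DAYS:-90}"                # how long a ZSK stays active
PREPUB="${PREPUB:-7d}"                      # successor is published this long before it activates
SALT_BYTES="${SALT_BYTES:-8}"               # NSEC3 salt length
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = execute them

# Print the command (DRY_RUN=1) or execute it (DRY_RUN=0).
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Fresh random NSEC3 salt: $1 bytes from /dev/urandom as lower-case hex.
new_salt() {
  od -An -N "$1" -tx1 /dev/urandom | tr -d ' \n'
}

# Basenames of the zone's ZSK key files (DNSKEY flags 256), newest first.
list_zsks() {
  dir="$1"; zone="$2"
  for f in $(ls -t "$dir"/K"$zone".+*+*.key 2>/dev/null); do
    if grep -q ' DNSKEY 256 ' "$f"; then
      basename "$f" .key
    fi
  done
}

# The ZSK to be rolled: the most recently created one.
current_zsk() { list_zsks "$1" "$2" | head -n 1; }

# The four commands of one rollover, one per line, so the plan can be
# inspected (and tested) without a running named.
rollover_plan() {
  dir="$1"; zone="$2"; cur="$3"; days="$4"; prepub="$5"; salt="$6"
  # 1. Retire the current ZSK in $days days; delete it 30 days after that,
  #    once no RRSIG made with it can still be cached.
  printf 'dnssec-settime -K %s -I +%sd -D +%sd %s\n' "$dir" "$days" "$((days + 30))" "$cur"
  # 2. Direct successor: same name/algorithm/size; its activation date is the
  #    predecessor's inactivation date, publication is $prepub earlier.
  printf 'dnssec-keygen -K %s -S %s -i %s %s\n' "$dir" "$cur" "$prepub" "$zone"
  # 3. Let named read the new key file and the changed timing metadata;
  #    from here on named performs the rollover itself at the set times.
  printf 'rndc loadkeys %s\n' "$zone"
  # 4. Roll the NSEC3 salt now, independently of the key timing
  #    (hash 1 = SHA-1, flags 0 = no opt-out, 0 additional iterations).
  printf 'rndc signing -nsec3param 1 0 0 %s %s\n' "$salt" "$zone"
}

rollover_main() {
  cur="$(current_zsk "$KEYDIR" "$ZONE")"
  [ -n "$cur" ] || { echo "no ZSK found for $ZONE in $KEYDIR" >&2; return 1; }
  rollover_plan "$KEYDIR" "$ZONE" "$cur" "$ROLL_DAYS" "$PREPUB" "$(new_salt "$SALT_BYTES")" |
  while IFS= read -r cmd; do
    # word splitting of the planned command line is intentional here
    run $cmd
  done
}

# Act only when invoked as the cron job (ROLL=1); otherwise just define
# the functions so they can be sourced and checked.
if [ "${ROLL:-0}" = 1 ]; then rollover_main; fi
```

Because the successor's activation is copied from the predecessor's inactivation date, step 1 must run before step 2: dnssec-keygen -S refuses to create a successor for a key that has no inactivation date. Running the job once per ROLL_DAYS keeps exactly one successor in flight; a daily schedule would need an extra check that the newest ZSK has not already got a successor.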