Re: Piggybacking on a zone’s dnssec-policy using auto-dnssec: How can one do this after Bind 9.19?
Matthijs Mekking
matthijs at isc.org
Mon Apr 17 13:12:26 UTC 2023
Hi Andrej,
While I am not 100% sure on your use case, let me at least respond to this:
> But I’m starting to realize that I had misunderstood and
> overcomplicated things; simply referencing the "standard" policy again
> from equivalent zones in different views should (?) magically work (as
> Nick Tait pointed out in another message). If that’s the case, then my
> concerns around forcing exactly one instance of a zone to maintain the
> keys and forcing all other instances to passively consume keys are
> null and void.
...
> So eventually it may be as simple as replacing “auto-dnssec maintain;”
> with “dnssec-policy "standard";” and *not* worrying about having
> exactly one “key producing” instance of each zone, because Bind can
> handle this automatically. (?) I’ll give that a try.
That is correct: When you have the same zone (identical name) in
multiple different views that refer to the same dnssec-policy, there
will be only one set of keys maintained that is shared for that zone in
all views.
Best regards,
Matthijs
On 4/17/23 13:03, Andrej Podzimek wrote:
> Hi Matthijs,
>
> Thanks for your response.
>
>>> dnssec-policy "ReuseKeysFromTheMainView" {
>>> keys {
>>> ksk key-directory lifetime unlimited algorithm
>>> ecdsap384sha384;
>>> zsk key-directory lifetime unlimited algorithm ;
>>> };
>>> nsec3param salt-length 16;
>>> publish-safety P1D;
>>> retire-safety P1D;
>>> };
>>
>> When looking for the dnssec-policy equivalent of auto-dnssec, you will
>> need to look at your current zone signing settings to determine the
>> policy.
>>
>> Look at your current keys and check their algorithm and key length.
>> From your policy excerpt from above it looks like you are using a
>> KSK/ZSK strategy with algorithm ECDSAP384SHA384 (14).
>>
>> Key rollovers were done outside of BIND9, either manually or scripted.
>> So "lifetime unlimited" makes sense here.
>
> The dnssec-policy example above was meant to serve as an auto-dnssec
> equivalent that passively consumes keys, not “the real thing”. That’s
> why it’s called “ReuseKeysFromTheMainView”. The policy that actually
> generates the key files looks like this (and has a finite lifetime):
>
> dnssec-policy "standard" {
> keys {
> ksk key-directory lifetime 361d algorithm ecdsap384sha384;
> zsk key-directory lifetime 61d algorithm ecdsap384sha384;
> };
> nsec3param salt-length 16;
> publish-safety P1D;
> retire-safety P1D;
> };
>
>>> There are at least two concerns:
>>>
>>> (1) Will the dependent “unlimited lifetime” views automatically pick
>>> up the key updates made by the main “limited lifetime” view (instead
>>> of blindly expecting the key files to never change)?
>>
>> Sorry, I fail to understand what dependent "unlimited lifetime" views
>> are, and what the main "limited lifetime" view is.
>>
>> Are you perhaps asking how to initiate a key rollover with dnssec-policy?
>
> The “limited lifetime” view’s zones reference the "standard" policy
> directly.
> An “unlimited lifetime” view’s zones reference keys generated by the
> "standard" policy. This is currently achieved using “auto-dnssec
> maintain”. Later, once auto-dnssec is gone, I thought that referencing
> the fake "ReuseKeysFromTheMainView" policy would yield a similar behavior.
>
>>> (2) Which of the additional parameters have to be repeated in
>>> dependent “auto-dnssec-like” zones that don’t generate their own keys?
>>> * The salt-length seems irrelevant (set and fixed at key
>>> generation time).
>>> * But how (if at all) will publish-safety and retire-safety work
>>> int his strange setup?
>>
>> What are "auto-dnssec-like" zones? Zones that don't use
>> "dnssec-policy"? In that case, for such zones "publish-safety" and
>> "retire-safety" have no effect.
>
> IIUC, all my zones in all views will have to switch to dnssec-policy,
> eventually, once auto-dnssec ceases to exist.
>
> But I’m starting to realize that I had misunderstood and overcomplicated
> things; simply referencing the "standard" policy again from equivalent
> zones in different views should (?) magically work (as Nick Tait pointed
> out in another message). If that’s the case, then my concerns around
> forcing exactly one instance of a zone to maintain the keys and forcing
> all other instances to passively consume keys are null and void.
>
> (As a side note, the best zone sharing option (which already works for
> me in some cases) is the “in-view” pointer, which automatically copies
> all zone settings, including the "standard" DNSSEC policy. The reason
> why certain zones are (re)defined in other views rather than linked
> using “in-view” is a need for different zone data, different
> “allow-query” settings etc.)
>
> So eventually it may be as simple as replacing “auto-dnssec maintain;”
> with “dnssec-policy "standard";” and *not* worrying about having exactly
> one “key producing” instance of each zone, because Bind can handle this
> automatically. (?) I’ll give that a try.
>
> Cheers!
> Andrej
More information about the bind-users
mailing list