On Wed 2015-02-11 at 20:03 +0100, Jan Včelák wrote:
Today, CZ.NIC Labs releases Knot DNS 1.99.1. The next
step towards the 2.0.
...
...
We are looking forward to hearing some feedback from you. And we are happy to
answer all your questions and concerns.
So, I spent some time today setting up knot 1.99.1, having it act as master
for the (test) domain f13g.se.
First of all, let me say that I really like the concept of the KASP. It's
definitely the way I want my DNS master to handle DNSSEC.
While the signing appears to work, there appears to be something odd with
the policy handling. The default policy I have was created by running:
keymgr policy add default
Note the difference between the JSON file and the parsed output.
root@sandbox:/usr/local/var/kasp# cat policy_default.json
{
  "algorithm": 10,
  "dnskey_ttl": 1200,
  "ksk_size": 2048,
  "zsk_size": 1024,
  "zsk_lifetime": 2592000,
  "rrsig_lifetime": 1209600,
  "rrsig_refresh_before": 604800,
  "nsec3_enabled": false,
  "soa_minimal_ttl": 0,
  "zone_maximal_ttl": 0,
  "propagation_delay": 3600
}
root@sandbox:/usr/local/var/kasp#
vs.
root@sandbox:/usr/local/var/kasp# keymgr policy show default
algorithm: 10
DNSKEY TTL: 1200
KSK key size: 2048
ZSK key size: 1024
ZSK lifetime: 36096
RRSIG lifetime: 29952
RRSIG refresh: 14976
NSEC3 enabled: false
SOA min TTL: 0
zone max TTL: 0
data propagation: 3600
root@sandbox:/usr/local/var/kasp#
At least based on the created RRSIGs, it appears to be the values returned
by "keymgr policy show default" that are the ones actually used by
knotd.
On the topic of policy, what is the reason for going with algorithm 10 by
default? I really have no opinion on whether it's right or wrong, just
curious, since most of the world appears to be using algorithm 8 today.
I'm also wondering if I'm really doing things right with regard to the
zone file. Based on the following part of knot.conf:
zones {
  dnssec-keydir "/usr/local/var/kasp";
  f13g.se {
    file "/usr/local/etc/knot/master/f13g.se.zone";
    xfr-out halleck, mohiam;
    notify-out halleck, mohiam;
    dnssec-enable on;
  }
}
I have ended up in a situation where both I and knot edit the same
file /usr/local/etc/knot/master/f13g.se.zone. First I edit a regular
non-DNSSEC record, and upon reload knot updates RRSIGs, etc. While it
kind of works, it feels a bit messy/unstable.
As a comparison, I'm used to BIND's Inline Signing[1], where one edits a
regular plain zone file and BIND keeps all the DNSSECy records in its
journal files.
I'm running knot 1.99.1 on Debian Jessie.
// Andreas
[1]:
https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Exam…
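As an added check (example code written for this edit; it is not part of the post above nor of Knot DNS or keymgr), here is a script that diffs a KASP policy JSON file against the text printed by `keymgr policy show` and reports the effective RRSIG signing window. The two listings are embedded as constructed copies of the ones in the post, and the label-to-key mapping is inferred from those listings, not taken from any keymgr documentation. The three values that differ on the page are each equal to the JSON value reduced modulo 2^16 (2592000 mod 65536 = 36096, 1209600 mod 65536 = 29952, 604800 mod 65536 = 14976); the script flags that coincidence as a hint, which the post itself does not establish as the cause. Operationally, the shown values mean RRSIGs valid for about 8.3 hours and refreshed about 4.2 hours before expiry instead of the intended 14 and 7 days, which is the kind of drift that turns into validation failures if a re-sign run is missed.

```python
import json

# Constructed copy of policy_default.json from the post above.
POLICY_JSON = """{
  "algorithm": 10,
  "dnskey_ttl": 1200,
  "ksk_size": 2048,
  "zsk_size": 1024,
  "zsk_lifetime": 2592000,
  "rrsig_lifetime": 1209600,
  "rrsig_refresh_before": 604800,
  "nsec3_enabled": false,
  "soa_minimal_ttl": 0,
  "zone_maximal_ttl": 0,
  "propagation_delay": 3600
}"""

# Constructed copy of the "keymgr policy show default" output from the post.
KEYMGR_SHOW = """algorithm: 10
DNSKEY TTL: 1200
KSK key size: 2048
ZSK key size: 1024
ZSK lifetime: 36096
RRSIG lifetime: 29952
RRSIG refresh: 14976
NSEC3 enabled: false
SOA min TTL: 0
zone max TTL: 0
data propagation: 3600"""

# Assumed mapping from keymgr labels to JSON keys, inferred from the two
# listings above (the order and values line up one-to-one).
LABEL_TO_KEY = {
    "algorithm": "algorithm",
    "DNSKEY TTL": "dnskey_ttl",
    "KSK key size": "ksk_size",
    "ZSK key size": "zsk_size",
    "ZSK lifetime": "zsk_lifetime",
    "RRSIG lifetime": "rrsig_lifetime",
    "RRSIG refresh": "rrsig_refresh_before",
    "NSEC3 enabled": "nsec3_enabled",
    "SOA min TTL": "soa_minimal_ttl",
    "zone max TTL": "zone_maximal_ttl",
    "data propagation": "propagation_delay",
}


def parse_keymgr_show(text):
    """Parse 'label: value' lines into {label: int|bool}."""
    parsed = {}
    for line in text.splitlines():
        label, _, value = line.partition(":")
        value = value.strip()
        parsed[label.strip()] = (value == "true") if value in ("true", "false") else int(value)
    return parsed


def compare_policy(policy_json, keymgr_text):
    """Return {json_key: (expected, actual, note)} for every field that differs.

    The note marks values that equal the expected value modulo 2**16, i.e. what
    a 16-bit truncation of the original would produce. That is an observation
    about the numbers, not a confirmed explanation of keymgr's behaviour.
    """
    expected = json.loads(policy_json)
    actual = parse_keymgr_show(keymgr_text)
    diffs = {}
    for label, key in LABEL_TO_KEY.items():
        want, got = expected[key], actual[label]
        if want != got:
            note = ""
            if isinstance(want, int) and want >= 2**16 and got == want % 2**16:
                note = "equals expected mod 2**16 (consistent with 16-bit truncation)"
            diffs[key] = (want, got, note)
    return diffs


def rrsig_window(parsed):
    """Return (lifetime_s, refresh_before_s, slack_s) from parsed keymgr output.

    slack is how long a signature is still valid once the refresh point has
    passed; it is the time a missed or failed re-sign run has before the
    zone starts serving expired RRSIGs to validators.
    """
    lifetime = parsed["RRSIG lifetime"]
    refresh = parsed["RRSIG refresh"]
    return lifetime, refresh, lifetime - refresh


if __name__ == "__main__":
    for key, (want, got, note) in compare_policy(POLICY_JSON, KEYMGR_SHOW).items():
        print(f"{key}: file={want} keymgr={got} {note}")
    lifetime, refresh, slack = rrsig_window(parse_keymgr_show(KEYMGR_SHOW))
    print(f"effective RRSIG lifetime {lifetime / 3600:.1f} h, "
          f"refresh {refresh / 3600:.1f} h before expiry, slack {slack / 3600:.1f} h")
```

Run it against a real installation by replacing the two constants with the contents of the policy file and the captured `keymgr policy show` output; any non-empty result from `compare_policy` means knotd is not signing with the policy you think it is, which is worth checking before trusting the RRSIG expiry times in the zone.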