On 2013-10-21 10:05, Ondřej Surý wrote:
> Hi Matthias-Christian,

Hi Ondřej,

> we would be happy to help you, but you didn't
> state your problem.
> Could you please describe what you are trying to achieve (without going into
> implementation details)?

I have a handful of zones, I want to use dynamic updates while the zones
are DNSSEC signed. DNSSEC is complicated enough so I want to eliminate
any manual work (key rollover, resigning etc.) — humans make mistakes
and I don't need this for DNS :). Knot DNS can't execute custom binaries
(XML-RPC call against the API of the registrar to replace keys on KSK
rollover) and (as far as I understand from the documentation) doesn't
perform any automatic KSK rollover. It seems OpenDNSSEC can do what I
want. However, it requires a hidden primary which accepts the updates,
transfers the zones to OpenDNSSEC which in turn transfers the zones to a
slave that finally serves the zones. This is quite a complex setup
(especially because most init scripts only support one instance of a
daemon and two DNS servers are required on the same machine).
Is there a simpler solution? Is a hidden primary really the only
possible architecture? Do you think Knot DNS or any DNS server that
accepts dynamic updates can sign zones via OpenDNSSEC differently (e.g.
removing all signatures before it transfers the zones to OpenDNSSEC)?
Are there perhaps alternatives to OpenDNSSEC that can do what I want (I
guess not, except extending Knot DNS to support automatic KSK rollovers,
executing custom scripts and binaries and possibly PKCS#11)?
Regards,
Matthias-Christian
On 20. 10. 2013, at 15:55, Matthias-Christian Ott <ott(a)mirix.org> wrote:
> Hi,
>
> without DNS UPDATE OpenDNSSEC can be configured to read an unsigned zone
> file, sign it and reload the zone [1]. With DNS UPDATE it gets more
> complicated. It seems that you have to run a hidden primary that
> receives the updates and transfers the unsigned zones to OpenDNSSEC
> which in turn transfers the zones to a slave server. There are some
> alternatives if you manipulate zone files with custom scripts.
>
> While a hidden primary may be acceptable and zone transfers are probably
> the most reliable solution, it is an overkill for my use case and adds
> too much complexity. I could use Knot DNS to sign the zones, but it
> doesn't automate KSK rollovers and I need to execute a custom binary to
> update the keys at the registrar which is also not supported. Perhaps
> Knot DNS could remove all DNSSEC RRs before it transfers the zone to
> OpenDNSSEC, but it's kind of a hack and I'm not sure if this is a good idea.
>
> OpenDNSSEC also delayed support for dynamic updates to 2.x, which means
> 2014 or later. So this is not an option.
>
> Does anyone have suggestions to solve this problem?
>
> Regards,
> Matthias-Christian
>
> [1] http://www.bortzmeyer.org/opendnssec-nsd.html
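As an added example (not code from this thread, from Knot DNS or from OpenDNSSEC), here is a small Python script for the step the two messages above float: removing every DNSSEC RR from a zone in presentation format before the unsigned copy is handed to an external signer such as OpenDNSSEC. The record types it removes are RRSIG, NSEC, NSEC3, NSEC3PARAM and DNSKEY, plus CDS/CDNSKEY, which is an assumption on my part (the thread does not mention them). The zone text is constructed for the example. The script parses only what it needs (`;` comments, `( … )` continuation lines, optional TTL and class) and passes everything else through unchanged, so it is a preprocessing and check tool, not a full zone-file parser.

```python
"""Strip DNSSEC records from a zone in presentation format.

Added example, not code from the mailing-list thread, Knot DNS or OpenDNSSEC.
Intended to run on a zone file dumped by the (hidden) primary, so that the
copy transferred to the external signer carries no signatures or keys.
"""
import re

# Record types produced by a signer or describing its key material.
# Assumption: CDS/CDNSKEY are treated the same way as DNSKEY here.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}
CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")   # 3600, 1h, 2d ...


def _strip_comment(line):
    """Drop a ';' comment, but leave ';' alone inside quoted strings (TXT)."""
    out, in_quotes = [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            break
        out.append(ch)
    return "".join(out)


def iter_records(zone_text):
    """Yield logical records (directives or RRs) as raw text.

    Lines continued with '(' ... ')' (RFC 1035 style, typical for SOA, RRSIG
    and DNSKEY in server dumps) are joined into one record.
    """
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        if not buf and not raw.strip():
            continue                      # blank line between records
        buf.append(raw)                   # keep original text for pass-through
        logical = _strip_comment(raw)     # parentheses in comments don't count
        depth += logical.count("(") - logical.count(")")
        if depth <= 0:
            yield "\n".join(buf)
            buf, depth = [], 0
    if buf:                               # unbalanced '(' at end of file
        yield "\n".join(buf)


def rrtype_of(record):
    """Return the RR type of a logical record, or None for directives/comments."""
    logical = " ".join(_strip_comment(l) for l in record.split("\n"))
    tokens = logical.split()
    if not tokens or tokens[0].startswith("$"):
        return None
    # An owner name is present unless the record starts with whitespace.
    start = 0 if record[0] in " \t" else 1
    for tok in tokens[start:]:
        if tok.upper() in CLASSES or TTL_RE.fullmatch(tok):
            continue                      # skip class and TTL, in any order
        return tok.upper()
    return None


def strip_dnssec(zone_text):
    """Return (zone text without DNSSEC RRs, number of records removed)."""
    kept, dropped = [], 0
    for rec in iter_records(zone_text):
        if rrtype_of(rec) in DNSSEC_TYPES:
            dropped += 1
        else:
            kept.append(rec)
    return "\n".join(kept) + "\n", dropped


# Constructed sample: a signed zone as a server might dump it.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1 hostmaster (
        2013102101 ; serial
        7200 3600 1209600 3600 )
    IN NS  ns1
    IN RRSIG NS 8 2 3600 (
        20131120000000 20131021000000 12345 example.com.
        AAAA== )
    IN DNSKEY 257 3 8 AwEAAc== ; KSK
    IN DNSKEY 256 3 8 AwEAAd== ; ZSK
    IN NSEC3PARAM 1 0 10 ABCD
ns1 IN A   192.0.2.1
www 300 IN A 192.0.2.2
txt IN TXT "semicolon ; inside quotes"
"""

if __name__ == "__main__":
    unsigned, removed = strip_dnssec(SAMPLE_ZONE)
    print(unsigned, end="")
    print(f"; removed {removed} DNSSEC record(s)")
```

Run it over the file the hidden primary writes out, not over a zone the serving daemon is itself signing: a server with automatic signing enabled will put the records back on its next signing pass, which is exactly why the thread calls this approach a hack.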