From owner-freebsd-isp@FreeBSD.ORG Wed Jun 9 16:39:18 2010
Date: Wed, 9 Jun 2010 13:39:17 -0300 (ADT)
From: "Marc G. Fournier" <scrappy@hub.org>
To: freebsd-isp@freebsd.org
Subject: DNS Management Interface that supports DNSSEC ... ?

Anyone know of, or is using, such a beast? Basically, right now I'm doing it all manually for my clients, would like to provide them with a self-service portal for doing it instead ...

Would like to find something that I could 'assign n domains' to a client that they could manage, that sort of thing ...

Preferably something with an RDBMS backend (PostgreSQL if possible) ...

Am comfortable / familiar with BIND, so would prefer to stick with it, but if a great tool requires switching to something else, so be it ... but DNSSEC support is a requirement ...

Thanks ...

----
Marc G. Fournier                        Hub.Org Hosting Solutions S.A.
scrappy@hub.org                                     http://www.hub.org
Yahoo:yscrappy    Skype: hub.org    ICQ:7615664    MSN:scrappy@hub.org

From owner-freebsd-isp@FreeBSD.ORG Wed Jun 9 17:22:03 2010
Message-ID: <4C0FCDB6.6060706@infracaninophile.co.uk>
Date: Wed, 09 Jun 2010 18:21:58 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
To: "Marc G. Fournier"
Cc: freebsd-isp@freebsd.org
Subject: Re: DNS Management Interface that supports DNSSEC ... ?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/06/2010 17:39:17, Marc G. Fournier wrote:
>
> Anyone know of, or is using, such a beast? Basically, right now I'm
> doing it all manually for my clients, would like to provide them with a
> self-service portal for doing it instead ...
>
> Would like to find something that I could 'assign n domains' to a client
> that they could manage, that sort of thing ...
>
> Preferably something with an RDBMS backend (PostgreSQL if possible) ...
>
> Am comfortable / familiar with BIND, so would prefer to stick with it,
> but if a great tool requires switching to something else, so be it ...
> but DNSSEC support is a requirement ...

Managing zone-signing is an interesting problem. The only bit the customer really needs any input on is to check a box saying "sign my zone". All the rest is actually best managed automatically.

There are two basic approaches:

i) Create the zone data using whatever means you prefer. Then sign the plaintext zones whenever there is an update to the zone data, whenever you need to roll the ZSK (which is typically monthly if you follow the usual RFC4641 guidelines), plus annually or biannually when you roll the KSK (which is a much more involved operation, since it involves cooperation with your registrar etc. etc.)

This is the approach used by open-dnssec (http://www.opendnssec.org/) or DNSSEC Zone Key Tool (http://www.hznet.de/dns/zkt/)

open-dnssec is being developed by a consortium including Nominet, NLnet Labs and others: it's an industrial scale solution for people that serve large numbers of secure zones. They prefer a Hardware Security Module as a means to hold the private keys securely, although they do provide a confusingly named SoftHSM application.

ZKT is a much smaller scale solution, using the Unix filesystem as the keystore.

ii) Use the new built-in logic in BIND 9.7 which will maintain a signed, dynamic zone pretty much automatically. i.e. convert all your zones to dynamic zones, and use dnsupdate exclusively to populate zones. See:

http://www.isc.org/software/bind/new-features/9.7
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

Cheers,

Matthew

- --
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkwPzbYACgkQ8Mjk52CukIzptQCggQQVirFhHPbYJQrL8XOLiAT8
xagAnjEEcTMDQ/hxqb/Vh/O0JmrBmUSL
=Qypx
-----END PGP SIGNATURE-----
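An added example of approach (ii) from the reply above, not taken from either message or from the linked documents: a named.conf fragment for a BIND 9.7 zone that named keeps signed itself, fed only by dynamic updates, with the key-generation and update commands shown as comments. The zone name example.com, the paths under /etc/namedb (the FreeBSD base-system BIND location), the key algorithm and sizes, and the session-keyfile path are assumptions for illustration; `update-policy local` and `auto-dnssec maintain` are the BIND 9.7 directives the approach depends on.

```conf
// Added example (not from the thread): BIND 9.7 auto-maintained dynamic zone.
// Zone name, paths and key sizes are assumptions for illustration.
//
// 1. Generate the key pairs into the zone's key directory. The reply's
//    schedule (ZSK roughly monthly, KSK annually or so) is applied by
//    generating a successor key with a later activation date; named reads
//    the timing metadata and swaps keys in and out on its own.
//    dnssec-keygen -K /etc/namedb/keys/example.com -a RSASHA256 -b 2048 -f KSK example.com
//    dnssec-keygen -K /etc/namedb/keys/example.com -a RSASHA256 -b 1024 example.com
//    Keep the resulting K*.private files readable by the named user only.
//
// 2. Populate and change the zone only through dynamic update, never by
//    editing the zone file (named owns it once the zone is dynamic):
//    nsupdate -l            <- local mode, authenticates with the session key
//      > update add www.example.com. 3600 IN A 192.0.2.10
//      > send
//    named signs the changed RRsets itself; there is no dnssec-signzone step.
//
// 3. The KSK side still needs the registrar: publish the DS for a new KSK
//    and wait for it to propagate before retiring the old KSK.

options {
    directory "/etc/namedb";
    dnssec-enable yes;
    dnssec-validation yes;
    // Key that "update-policy local" and "nsupdate -l" share; named
    // generates it at startup (assumed default path).
    session-keyfile "/var/run/named/session.key";
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";      // named writes this file and its .jnl journal
    key-directory "keys/example.com";   // relative to options.directory
    update-policy local;                // accept updates from the local session key only
    auto-dnssec maintain;               // add/remove DNSKEYs and re-sign per key timing metadata
};
```

With this layout the per-zone state a customer portal has to keep is just the "sign this zone" flag, the key directory and the update credentials; the database-backed front end Marc is after can drive everything through nsupdate without ever touching zone files. The check worth scripting is on the KSK rollover in step 3: confirm the parent is serving the new DS before removing the old KSK from the key directory, because once it is gone validating resolvers that still cache the old DS will fail the zone.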