Date: Wed, 09 Jun 2010 18:21:58 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: "Marc G. Fournier" <scrappy@hub.org>
Cc: freebsd-isp@freebsd.org
Subject: Re: DNS Managment Interface that supports DNSSEC ... ?
Message-ID: <4C0FCDB6.6060706@infracaninophile.co.uk>
In-Reply-To: <alpine.BSF.2.00.1006091335410.45189@hub.org>
References: <alpine.BSF.2.00.1006091335410.45189@hub.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/06/2010 17:39:17, Marc G. Fournier wrote:
>
> Anyone know of, or is using, such a beast? Basically, right now I'm
> doing it all manually for my clients, would like to provide them with a
> self-service portal for doing it instead ...
>
> Would like to find something that I could 'assign n domains' to a client
> that they could manage, that sort of thing ...
>
> Preferably something with an RDBMS backend (PostgreSQL if possible) ...
>
> Am comfortable / familiar with BIND, so would prefer to stick with it,
> but if a great tool requires switching to something else, so be it ...
> but DNSSEC support is a requirement ...

Managing zone-signing is an interesting problem. The only bit the
customer really needs any input on is to check a box saying "sign my
zone". All the rest is actually best managed automatically.

There are two basic approaches:

i) Create the zone data using whatever means you prefer. Then sign the
plaintext zones whenever there is an update to the zone data, whenever
you need to roll the ZSK (which is typically monthly if you follow the
usual RFC4641 guidelines), plus annually or biannually when you roll the
KSK (which is a much more involved operation, since it involves
cooperation with your registrar etc. etc.)

This is the approach used by open-dnssec (http://www.opendnssec.org/)
or DNSSEC Zone Key Tool (http://www.hznet.de/dns/zkt/)

open-dnssec is being developed by a consortium including Nominet, NLnet
Labs and others: it's an industrial scale solution for people that serve
large numbers of secure zones. They prefer a Hardware Security Module
as a means to hold the private keys securely, although they do provide
a confusingly named SoftHSM application.

ZKT is a much smaller scale solution, using the Unix filesystem as the
keystore.

ii) Use the new built-in logic in BIND 9.7 which will maintain a signed,
dynamic zone pretty much automatically. i.e. convert all your zones to
dynamic zones, and use dnsupdate exclusively to populate zones. See:

http://www.isc.org/software/bind/new-features/9.7
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

Cheers,

Matthew

- --
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkwPzbYACgkQ8Mjk52CukIzptQCggQQVirFhHPbYJQrL8XOLiAT8
xagAnjEEcTMDQ/hxqb/Vh/O0JmrBmUSL
=Qypx
-----END PGP SIGNATURE-----
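Approach (ii) from the reply above in concrete form, as an added example that is not from the thread, from ISC or from the author: a named.conf fragment for BIND 9.7 that keeps one dynamic zone signed without any per-update hand signing. The zone name example.net, the file paths and the key sizes are assumptions; the option names (`auto-dnssec maintain`, `update-policy local`, `key-directory`) and the `dnssec-keygen` flags are the BIND 9.7 ones.

```conf
// named.conf fragment (added example, not from the mailing-list thread).
// Assumed layout: zone data in /var/named/dynamic, keys in /var/named/keys.
//
// Generate the key pair once before loading the zone (KSK first, then ZSK).
// dnssec-keygen defaults the publish/activate times to "now", so
// auto-dnssec picks the keys up as soon as the zone loads:
//
//   dnssec-keygen -K /var/named/keys -f KSK -a RSASHA256 -b 2048 -n ZONE example.net
//   dnssec-keygen -K /var/named/keys -a RSASHA256 -b 1024 -n ZONE example.net
//
// The key directory must be readable by the named user, and the zone file
// must exist as an ordinary (unsigned) master file before named starts;
// named adds DNSKEY, RRSIG and NSEC records itself.

options {
    directory "/var/named";
    dnssec-enable yes;
};

zone "example.net" {
    type master;
    file "dynamic/example.net.db";

    // Where auto-dnssec looks for the K<zone>+<alg>+<id>.{key,private} pairs
    // produced by dnssec-keygen above.
    key-directory "/var/named/keys";

    // "maintain" signs the zone and re-signs RRsets before their RRSIGs
    // expire; "allow" would only sign when told to by rndc.
    auto-dnssec maintain;

    // Accept updates signed with the session key that named itself creates,
    // which is what "nsupdate -l" on the same host uses; nothing remote can
    // update the zone.
    update-policy local;
};
```

Once named is running, the zone is populated only through dynamic update, for example with `nsupdate -l` and the commands `update add www.example.net. 3600 A 192.0.2.10` followed by `send`; the RRSIGs for the new RRset appear without any further action. What this does not automate is the part the reply singles out as involved: a KSK roll still produces a new DS record that has to be handed to the registrar, so that step needs a checklist or tooling of its own, and it is worth monitoring the zone's RRSIG expiry times from a resolver so that a stalled re-signing is noticed before validators start returning SERVFAIL.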