From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Wed, 09 Jun 2010 18:21:58 +0100
To: "Marc G. Fournier"
Cc: freebsd-isp@freebsd.org
Subject: Re: DNS Managment Interface that supports DNSSEC ... ?
Message-ID: <4C0FCDB6.6060706@infracaninophile.co.uk>

On 09/06/2010 17:39:17, Marc G. Fournier wrote:
>
> Anyone know of, or is using, such a beast? Basically, right now I'm
> doing it all manually for my clients, would like to provide them with a
> self-service portal for doing it instead ...
>
> Would like to find something that I could 'assign n domains' to a client
> that they could manage, that sort of thing ...
>
> Preferably something with an RDBMS backend (PostgreSQL if possible) ...
>
> Am comfortable / familiar with BIND, so would prefer to stick with it,
> but if a great tool requires switching to something else, so be it ...
> but DNSSEC support is a requirement ...

Managing zone-signing is an interesting problem. The only bit the customer
really needs any input on is to check a box saying "sign my zone". All the
rest is actually best managed automatically.

There are two basic approaches:

i) Create the zone data using whatever means you prefer. Then sign the
plaintext zones whenever there is an update to the zone data, whenever you
need to roll the ZSK (which is typically monthly if you follow the usual
RFC4641 guidelines), plus annually or biannually when you roll the KSK
(which is a much more involved operation, since it involves cooperation
with your registrar etc. etc.)

This is the approach used by open-dnssec (http://www.opendnssec.org/) or
DNSSEC Zone Key Tool (http://www.hznet.de/dns/zkt/)

open-dnssec is being developed by a consortium including Nominet, NLnet
Labs and others: it's an industrial scale solution for people that serve
large numbers of secure zones. They prefer a Hardware Security Module as a
means to hold the private keys securely, although they do provide a
confusingly named SoftHSM application.

ZKT is a much smaller scale solution, using the Unix filesystem as the
keystore.

ii) Use the new built-in logic in BIND 9.7 which will maintain a signed,
dynamic zone pretty much automatically. i.e. convert all your zones to
dynamic zones, and use dnsupdate exclusively to populate zones.

See:

http://www.isc.org/software/bind/new-features/9.7
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
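Approach ii) above, as an added example of the named.conf zone stanza that turns on BIND 9.7's built-in signing for a dynamic zone; this is not from the original message or from ISC's documentation. The zone name example.com, the file paths and the key directory are assumptions; the options shown (auto-dnssec, update-policy local, key-directory, sig-validity-interval) are real BIND 9.7 directives.

```conf
# Added example (not from the original post): BIND 9.7 auto-signed dynamic zone.
# All paths and the zone name are placeholders chosen for illustration.

options {
    directory "/etc/namedb";
    dnssec-enable yes;          # serve RRSIG/DNSKEY/NSEC records to validating resolvers
};

zone "example.com" IN {
    type master;
    file "dynamic/example.com.db";   # named rewrites this file itself; keep it out of version control
    key-directory "keys";            # K*.private / K*.key pairs from dnssec-keygen live here

    # Allow updates only from the local host via the session key (nsupdate -l),
    # so the management front end talks to named through nsupdate rather than
    # editing the zone file by hand.
    update-policy local;

    # named loads the keys from key-directory, signs new and changed records as
    # updates arrive, and re-signs RRsets before their signatures expire.
    auto-dnssec maintain;

    # Signatures valid for 30 days; re-sign anything within 7 days of expiry,
    # leaving headroom for the monthly ZSK roll the RFC 4641 guidelines suggest.
    sig-validity-interval 30 7;
};
```

Generate the keys into the key directory before loading the zone (a KSK with `dnssec-keygen -f KSK example.com` and a ZSK with `dnssec-keygen example.com`), then reload named and populate the zone with `nsupdate -l`; the KSK roll still needs the new DS record sent to the registrar by hand, as the message above notes.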