discuss AT lists.opennicproject.org
Subject: Discuss mailing list
List archive
- From: Jeff Taylor <shdwdrgn AT sourpuss.net>
- To: discuss AT lists.opennicproject.org
- Subject: [opennic-discuss] Some notes about DNSSEC
- Date: Mon, 09 Jun 2014 15:15:45 -0600
I wanted to let everyone know that because of the continued questions about dnssec availability on opennic, I have been doing some research and testing. It looks like there are some excellent tools built into bind9 now which support the creation of signed zones, and I have found some articles online discussing how to sign a custom root zone.
First I needed to generate public/private key pairs to sign the zones with. I set up a script that accepts a list of TLDs or can be used for an individual domain. The server hosting the TLD or domain also has to keep a list of keys that it trusts, so the script compiled a file for bind that lists all of the trusted keys, so this script also generates that file based on what key files you currently have. I believe keys are supposed to be regenerated every few months (any thoughts on this?) so this should make it simple to automate the updates.
The current script for creating our root zone takes approximately 5 minutes to run. That's quite a bit of effort to generate the root, and it does make an impact on NS0 when it runs. While using the tools to generate a signed root zone, I have written a new script which runs in only 17 seconds... this includes pulling all data for ICANN, OpenNic TLDs and NewNations TLDs, then signing the completed root zone. The only caveat is that I had to install bind 9.9.5 on my test machine (debian stable only has version 9.8.4), however I believe it is worth running a test version of bind in order to get the benefits of a fully signed root...
The next step is at the TLD level. I have notes on how to sign a generated TLD file, and this procedure is pretty painless and works with older versions of bind9. It essentially consists of running two commands to prep and sign the zone, and could easily be added to existing scripts that everyone uses to generate their TLD zones.
Finally, there will be signing of the individual domains. Again, this is just two commands, exactly the same as signing a TLD zone.
To work with dnssec, it looks like only three lines need to be added to the options in bind9. Most likely I will try to get bind upgraded on NS0 so I can start generating the signed root zone, then we can move on to getting all of the T1 and T2 servers working with that (and some of these settings may be default anyway). After that, it shouldn't take long to get the TLD zones signed as well.
So I *think* we're well on our way to getting this issue resolved. Now that I have the tools to generate the appropriate data, the rest seems fairly simple.
- [opennic-discuss] Some notes about DNSSEC, Jeff Taylor, 06/09/2014
- Re: [opennic-discuss] Some notes about DNSSEC, Jeff Taylor, 06/10/2014
- Re: [opennic-discuss] Some notes about DNSSEC, Amunak, 06/10/2014
- Re: [opennic-discuss] Some notes about DNSSEC, Jeff Taylor, 06/17/2014
- Re: [opennic-discuss] Some notes about DNSSEC, Jeff Taylor, 06/10/2014
Archive powered by MHonArc 2.6.19.