
[opennic-discuss] Some notes about DNSSEC


  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: [opennic-discuss] Some notes about DNSSEC
  • Date: Mon, 09 Jun 2014 15:15:45 -0600

I wanted to let everyone know that because of the continued questions about dnssec availability on opennic, I have been doing some research and testing. It looks like there are some excellent tools built into bind9 now which support the creation of signed zones, and I have found some articles online discussing how to sign a custom root zone.

First I needed to generate public/private key pairs to sign the zones with. I set up a script that accepts a list of TLDs or can be used for an individual domain. The server hosting the TLD or domain also has to keep a list of keys that it trusts, so the script compiled a file for bind that lists all of the trusted keys, so this script also generates that file based on what key files you currently have. I believe keys are supposed to be regenerated every few months (any thoughts on this?) so this should make it simple to automate the updates.

The current script for creating our root zone takes approximately 5 minutes to run. That's quite a bit of effort to generate the root, and it does make an impact on NS0 when it runs. While using the tools to generate a signed root zone, I have written a new script which runs in only 17 seconds... this includes pulling all data for ICANN, OpenNic TLDs and NewNations TLDs, then signing the completed root zone. The only caveat is that I had to install bind 9.9.5 on my test machine (debian stable only has version 9.8.4), however I believe it is worth running a test version of bind in order to get the benefits of a fully signed root...

The next step is at the TLD level. I have notes on how to sign a generated TLD file, and this procedure is pretty painless and works with older versions of bind9. It essentially consists of running two commands to prep and sign the zone, and could easily be added to existing scripts that everyone uses to generate their TLD zones.

Finally, there will be signing of the individual domains. Again, this is just two commands, exactly the same as signing a TLD zone.

To work with dnssec, it looks like only three lines need to be added to the options in bind9. Most likely I will try to get bind upgraded on NS0 so I can start generating the signed root zone, then we can move on to getting all of the T1 and T2 servers working with that (and some of these settings may be default anyway). After that, it shouldn't take long to get the TLD zones signed as well.

So I *think* we're well on our way to getting this issue resolved. Now that I have the tools to generate the appropriate data, the rest seems fairly simple.
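Added example, not code from the original post or from OpenNIC: the trusted-keys file the message describes (compiled from whatever key files the server currently holds) can be built from the public `.key` files that `dnssec-keygen` writes, emitting bind's `trusted-keys` statement. Only key-signing keys (DNSKEY flags 257) become trust anchors; zone-signing keys (flags 256) are skipped. The directory path and the sample key files below are assumptions constructed for the example.

```python
# Added example (not from the original post): build a bind "trusted-keys" block from
# the public halves of the key pairs (K<zone>+<alg>+<id>.key files) in a directory.
import re
from pathlib import Path

# DNSKEY RR as written by dnssec-keygen: owner [TTL] IN DNSKEY flags proto alg key
DNSKEY_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(?P<flags>\d+)\s+(?P<proto>\d+)"
    r"\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/= ]+)$"
)

def parse_key_file(text):
    """Return (name, flags, proto, alg, base64key) from a .key file, or None."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # dnssec-keygen's metadata comments
            continue
        m = DNSKEY_RE.match(line)
        if m:
            d = m.groupdict()
            return (d["name"], int(d["flags"]), int(d["proto"]), int(d["alg"]),
                    d["key"].replace(" ", ""))
    return None

def build_trusted_keys(key_texts):
    """key_texts: iterable of .key file contents. Emit a bind trusted-keys block
    holding every KSK found (flags 257, protocol 3), deduplicated and sorted."""
    anchors = set()
    for text in key_texts:
        parsed = parse_key_file(text)
        if parsed is None or parsed[1] != 257 or parsed[2] != 3:
            continue                            # ZSKs and unparsable files are not anchors
        anchors.add(parsed)
    lines = ["trusted-keys {"]
    for name, flags, proto, alg, key in sorted(anchors):
        lines.append('    "%s" %d %d %d "%s";' % (name, flags, proto, alg, key))
    lines.append("};")
    return "\n".join(lines) + "\n"

def build_from_dir(directory):
    """Read every K*.key file under `directory` (an assumed path) and build the block."""
    return build_trusted_keys(p.read_text() for p in sorted(Path(directory).glob("K*.key")))

# Constructed sample .key files; the key material is a placeholder, not a real key.
SAMPLE_KSK = """; This is a key-signing key, keyid 12345, for opennic.
opennic. IN DNSKEY 257 3 8 AwEAAexampleKSKplaceholder0123456789abcdefghijkl==
"""
SAMPLE_ZSK = """; This is a zone-signing key, keyid 54321, for opennic.
opennic. IN DNSKEY 256 3 8 AwEAAexampleZSKplaceholder0123456789abcdefghijkl==
"""
```

A static `trusted-keys` block has to be redistributed to every resolver each time a KSK is rolled, which is exactly the rollover question the message raises; bind's `managed-keys` statement (RFC 5011 automated trust-anchor updates) removes that manual step for zones that publish their key rollovers correctly.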
