Lads, Isn't this getting ridiculous?
Is this the future of DNSSEC?

Ian

-----Original Message-----
From: bind-users-bounces+ian.t=thoughtbubble....@lists.isc.org [mailto:bind-users-bounces+ian.t=thoughtbubble....@lists.isc.org] On Behalf Of Mark Andrews
Sent: 13 November 2010 00:36
To: Phil Mayers
Cc: bind-users@lists.isc.org
Subject: Re: DNSSEC with 9.7.2-P2

In message <4cdd6467.9050...@imperial.ac.uk>, Phil Mayers writes:
> On 12/11/10 15:45, Lightner, Jeff wrote:
>
> > For Production (RPM based system) you should use RHEL or CentOS
> > which has a much longer life cycle. (Speaking of which, RHEL6 was
> > just put in
>
> I don't agree with your line of reasoning. RHEL may have longer update
> cycles, but there's no guarantee a particular RHEL install will be
> applying updates in real-time, so the keys in the dnssec-conf package
> may still get out of date, or a RHEL install may run after its 5-year
> update cycle ends.
>
> I think the dnssec-conf package should have had a nightly cron job to
> refresh these keys, and it was a mistake to deploy without such.
>
> Just my opinion of course.
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

I use the following scripts (update-trusted-keys and commit-trusted-keys)
to manage my trust anchors. I run update-trusted-keys nightly from cron
and manually update when I get email that there has been a change.

update-trusted-keys replaces the trust anchor when the tld gets a DS
record added to the root zone. With no arguments it just updates the
current list of zones listed in /etc/trusted-keys. To bootstrap the
process run it with a "." and the TLDs. e.g.

	/etc/update-trusted-keys . br org com net ....

and then add an include line for each zone to /etc/named.conf. e.g.

	include "/etc/trusted-keys/ROOT";
	include "/etc/trusted-keys/br";
	include "/etc/trusted-keys/org";
	include "/etc/trusted-keys/com";
	include "/etc/trusted-keys/net";

Mark

/etc/update-trusted-keys:

#!/bin/sh -f
#
# The directory containing the trusted keys.
#
d=/etc/trusted-keys

#
# If we haven't been given a list of zones then get the list
# of zones from the trusted-keys directory, excluding files that
# may have been the result of mapping the zone name to something
# suitable for the file system.
#
if test ! -n "$*"
then
	set `ls "${d}/" | grep -v .new | grep -v _ | sed 's/^ROOT$/./'`
fi

#
# For each zone attempt to get the DNSKEY RRset.  This will be
# validated by the nameserver before being returned to us.
# If there are keys with the KSK flag set then use them to create
# a new trusted-key set otherwise use all keys.
#
# Report when the trusted-key set has changed.
#
# Note: this code assumes that there is a proper key rollover
# where multiple keys are active for a significant amount of time.
#
for i in $@
do
	# Map the zone name to a file name (upper case, "/" and " " are
	# not wanted in file names); the root zone is stored as "ROOT".
	f=`echo "${i}" | tr '[A-Z/ ]' '[a-z__]'`
	n=".new-${f}"
	i=`echo "${i}" | tr '[A-Z]' '[a-z]'`
	case $i in
	.) f="ROOT"; n=".new-ROOT";;
	*.) ;;
	*) i=${i}.;;
	esac

	# Count the DS records the parent publishes for this zone.  The
	# root has no parent, so it never has a DS.
	case ${i} in
	.) DS=0;;
	*) DS=`/usr/local/bin/dig +noall +answer DS "${i}" @127.0.0.1 | grep -v '^;;' | wc -l | sed 's/ *//g'`;;
	esac

	# A TLD that now has a DS in the root zone is covered by the root
	# trust anchor, so its own trusted-keys entries are commented out.
	REM=""
	if test ${DS} -gt 0
	then
		if test `expr "${i}" : '^[a-z0-9-][a-z0-9-]*\.$'` != 0
		then
			REM="// "
		fi
	fi

	/usr/local/bin/dig +noall +answer dnskey "${i}" @127.0.0.1 | sort |
	awk -v DS=${DS} -v REM="${REM}" '
	BEGIN { ksks = ""; zsks = ""; }
	# Flags 257: key-signing key.  The base64 key may be split over
	# several fields, so rejoin everything from field 8 onwards.
	$4 == "DNSKEY" && $5 == "257" {
		key = "";
		for (i = 8; i <= NF; i++) key = key $i;
		if (key ~ /INVALID/) REM="// ";
		ksks = ksks "\t" REM $1 " " $5 " " $6 " " $7 " \"" key "\";\n";
		next;
	}
	# Flags 256: zone-signing key, only used if there are no KSKs.
	$4 == "DNSKEY" && $5 == "256" {
		key = "";
		for (i = 8; i <= NF; i++) key = key $i;
		if (key ~ /INVALID/) REM="// ";
		zsks = zsks "\t" REM $1 " " $5 " " $6 " " $7 " \"" key "\";\n";
	}
	END {
		if ( ksks != "" ) {
			print "trusted-keys {"
			if (DS != 0) print "\n\t/* " DS " DS records found. */\n";
			print ksks "};";
		} else if (zsks != "") {
			print "trusted-keys {"
			if (DS != 0) print "\n\t/* " DS " DS records found. */\n";
			print zsks "};";
		}
	}
	' > "${d}/${n}"

	#
	# Test to see if we actually wrote anything.
	#
	if test -s "${d}/${n}"
	then
		if ! test -f "${d}/${f}"
		then
			touch "${d}/${f}"
		fi
		diff -u "${d}/${f}" "${d}/${n}"
	elif test -s "${d}/${f}"
	then
		diff -u "${d}/${f}" "${d}/${n}"
	fi
done

# Also fetch the RIPE NCC published key set and show what changed.
cd /etc
fetch -qm https://www.ripe.net/projects/disi/keys/ripe-ncc-dnssec-keys-new.txt
diff -u ripe-ncc-dnssec-keys.conf ripe-ncc-dnssec-keys-new.txt

/etc/commit-trusted-keys:

#!/bin/sh
reload=no
# For each candidate written by update-trusted-keys, show the diff
# against the live file and ask whether to install it.
for i in /etc/trusted-keys/.new-*
do
	b=`echo "${i}" | sed s/.new-//`
	if test ! -s "${b}" -a ! -s "${i}"
	then
		continue;
	fi
	if ! diff -u "$b" "$i"
	then
		echo -n "update $b: "
		read ans
		ans=`echo "$ans" | tr '[A-Z]' '[a-z]'`
		case "$ans" in
		y|yes)
			mv "${i}" "${b}"
			reload=yes
			;;
		esac
	fi
done

b=/etc/ripe-ncc-dnssec-keys.conf
i=/etc/ripe-ncc-dnssec-keys-new.txt
if ! diff -u "$b" "$i"
then
	echo -n "update $b: "
	read ans
	ans=`echo "$ans" | tr '[A-Z]' '[a-z]'`
	case "$ans" in
	y|yes)
		mv "$i" "$b"
		reload=yes
		;;
	esac
fi

# Only reload named if something was actually installed.
case $reload in
yes) rndc reload ;;
esac

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
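As an added example (not Mark's script and not part of the original thread): update-trusted-keys decides whether a TLD's own anchor is still needed by counting DS records at the parent. The check below goes one step further and, from dig-style DNSKEY and DS lines, computes each KSK's RFC 4034 key tag and RFC 4509 SHA-256 DS digest to report which KSKs the parent actually anchors. Function names and the record lines used in the test are constructed for this example.

```python
import base64
import hashlib
import struct

def wire_name(name):
    """Owner name in DNS wire format, lowercased; the root is a single zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, proto, alg, key_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return struct.pack(">HBB", flags, proto, alg) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """RFC 4509 DS digest type 2: SHA-256 over owner name + DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()

def parse_rr(line):
    """Split one 'dig +noall +answer' line into (owner, type, rdata fields)."""
    f = line.split(";")[0].split()
    return f[0], f[3], f[4:]

def anchored_ksks(dnskey_lines, ds_lines):
    """Return (key tag, DNSKEY line) for every KSK (flags 257) that the parent
    anchors with a matching SHA-256 DS.  ZSKs (flags 256) never qualify, and a
    bare count of DS records does not say which key is covered."""
    ds_set = set()
    for _, rtype, r in map(parse_rr, ds_lines):
        if rtype == "DS" and r[2] == "2":          # digest type 2 = SHA-256
            ds_set.add((int(r[0]), int(r[1]), "".join(r[3:]).upper()))
    anchored = []
    for line in dnskey_lines:
        owner, rtype, r = parse_rr(line)
        if rtype != "DNSKEY" or r[0] != "257":
            continue
        rd = dnskey_rdata(int(r[0]), int(r[1]), int(r[2]), "".join(r[3:]))
        tag = key_tag(rd)
        if (tag, int(r[2]), ds_digest_sha256(owner, rd)) in ds_set:
            anchored.append((tag, line))
    return anchored
```

Feed anchored_ksks() the output lines of `dig +noall +answer DNSKEY <zone>` and `dig +noall +answer DS <zone>`; an empty result for a zone that has DS records means the parent anchors a key you did not receive, which is the case worth investigating before touching the local trust anchor.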