>>>>> On Wed, 13 Aug 2008 19:21:44 +0200, Ralf Weber <[EMAIL PROTECTED]> said:
RW> Hmm, assuming that we both did use the same name server software my
RW> experiences are different. Compared to regular DNS setting up and more
RW> importantly maintaining DNSSEC is much more work than normal DNS stuff
RW> (zone resigning, key rollover). I am not saying that the cost
RW> generally outweighs the benefit, but with the current tools it is
RW> hard to justify DNSSEC usage, at least for the majority of ISPs out
RW> there. But I do hope that the tools get better and thus the cost of
RW> deploying DNSSEC decreases and we will all happily use it and can
RW> justify its usage.

I suspect there are many different tools out there and some are easier
than others. Here's a screen dump of stuff that works easily for me:

  # yum install dnssec-tools
  # head example.com
  $TTL 3600
  ; File written on Thu Dec 23 14:13:02 2004
  ; dnssec_signzone version 9.3.0
  example.com.  600  IN SOA  test.example.com. admin.example.com. (
                                  2004121002 ; serial
                                  7200       ; refresh (2 hours)
                                  3600       ; retry (1 hour)
                                  604800     ; expire (1 week)
                                  600        ; minimum (10 minutes)
                                  )
  # zonesigner -genkeys example.com

          if zonesigner appears hung, strike keys until the program completes
          (see the "Entropy" section in the man page for details)

  zone signed successfully

  example.com:
          KSK (cur) 36712  -b 2048  08/13/08 (example.com-signset-3)
          ZSK (cur) 01857  -b 1024  08/13/08 (example.com-signset-1)
          ZSK (pub) 53523  -b 1024  08/13/08 (example.com-signset-2)

  zone will expire in 4 weeks, 2 days, 0 seconds
  DO NOT delete the keys until this time has passed.

  # cp example.com.signed /etc/named/
  # rndc reload

Oh wait... I need another record and need to resign...

  # echo "test.example.com. 1D IN A 127.0.0.1" >> example.com
  # zonesigner example.com

          if zonesigner appears hung, strike keys until the program completes
          (see the "Entropy" section in the man page for details)

  zone signed successfully

  example.com:
          KSK (cur) 36712  -b 2048  08/13/08 (example.com-signset-3)
          ZSK (cur) 01857  -b 1024  08/13/08 (example.com-signset-1)
          ZSK (pub) 53523  -b 1024  08/13/08 (example.com-signset-2)

  zone will expire in 4 weeks, 2 days, 0 seconds
  DO NOT delete the keys until this time has passed.

  # cp example.com.signed /etc/named/
  # rndc reload

Not too hard really. The only thing you need to add to your current
step for distributing a zone is one new line (the zonesigner line).
The hardest thing you need to do, IMHO, is make sure you redistribute a
new zone before the current set of stuff expires. I.e., publish it once
a month (using the default setup shown above). And if that's the
hardest thing for me to do then I don't consider that hard.

-- 
"In the bathtub of history the truth is harder to hold than the soap,
and much more difficult to find." -- Terry Pratchett

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
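The step the message calls the hardest, republishing before the current signatures expire, can be turned into a check that cron or monitoring runs against the .signed file. The following is an added example, not code from the message or from dnssec-tools: it reads the RRSIG expiration times out of a signed zone (the constructed sample mimics the parenthesised, owner-omitting layout dnssec-signzone writes; names, dates and signature data are made up) and reports whether a resign is due within a chosen margin.

```python
from datetime import datetime, timezone
# Constructed sample in the layout dnssec-signzone/zonesigner write: parenthesised
# multi-line records, owner omitted on repeats. Names, dates, signature data made up.
SIGNED_ZONE = """\
$TTL 3600
example.com.      600 IN SOA test.example.com. admin.example.com. (
                      2004121002 7200 3600 604800 600 )
                  600 IN RRSIG SOA 5 2 600 20080912120000 (
                      20080813120000 1857 example.com. c2lnMQ== )
test.example.com. 86400 IN A 127.0.0.1
                  86400 IN RRSIG A 5 3 86400 20080905000000 (
                      20080813000000 1857 example.com. c2lnMg== )
"""

def records(text):
    """Yield one logical record per item: fold '(' ... ')' continuations, drop
    comments and $directives, fill in an owner omitted by leading whitespace."""
    buf, depth, owner = [], 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        if not buf:  # first line of a record; blank owner means "same as previous"
            line = f"{owner} {line}" if line[0].isspace() else line
            owner = line.split()[0]
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0

def rrsig_expirations(text):
    """Map (owner, covered type) -> UTC expiration for each RRSIG. Rdata order:
    type alg labels origttl expiration inception keytag signer signature."""
    out = {}
    for rec in records(text):
        f = rec.split()
        if "RRSIG" in f:
            i = f.index("RRSIG")
            exp = datetime.strptime(f[i + 5], "%Y%m%d%H%M%S")
            out[(f[0], f[i + 1])] = exp.replace(tzinfo=timezone.utc)
    return out

def days_until_first_expiry(text, now):
    """Days until the earliest signature expires; resign well before this hits zero."""
    return (min(rrsig_expirations(text).values()) - now).total_seconds() / 86400

def needs_resign(text, now, margin_days=7):
    """True when a signature expires within margin_days: time to rerun zonesigner."""
    return days_until_first_expiry(text, now) < margin_days
```

With zonesigner's default of roughly 30 days shown above, a 7-day margin leaves room for a failed cron run or a missed weekend before validators start returning SERVFAIL.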