Hi,

I'm currently working on a system that should automate all the stuff around zone signing, including the update of the DNSKEY material. I see this as a proof of concept. My requirement is that everything works without me doing anything manually, because I have this for some DNSSEC zones managed by Bind. KSK rollovers have to be performed manually and I want to get rid of this.
If I assume the passed DNSKEYs could be wrong, I could add an extra check to be sure that the DNSKEYs of the zone served on the nameservers match the ones that should be sent to the registry. When using a .DE domain, the registry will perform exactly this check. I can even use the Denic check as a web service to verify that the DNSKEYs that OpenDNSSEC passes to my script are correct. So I think it might be a safe solution.

The upload of the DNSKEY material is no problem. My registrar provides an interface that uses DNSKEY as input, independent of the TLD of the domain that is used. My registrar does all the DS calculation, if needed. And I also think this way should be safe, because you can plug in an EPP client that would perform the updates with the registry directly.

Greetings
Volker

On Wed, 22 Jun 2011 12:48:48 +0200, Casper Gielen <[email protected]> wrote:
> On 22-06-11 12:33, Volker Janzen wrote:
>> Hi,
>>
>> okay, but when I want complete automation of the roll-over process,
>> I'd need something around OpenDNSSEC that manages:
>>
>> - send DNSKEY data that is supplied by OpenDNSSEC to registrar
>
> For my environment I've decided that I don't want this step to be
> automated. From a security point of view I think it's a good idea to
> have a human manage the uploading of keys.
> Secondly, fixing a wrong/broken KSK seems rather involved and time
> consuming, I'd prefer to make sure this never happens.
> (Thirdly, as far as I know there is no standardized way for uploading
> keys. My parent expects the keys to be mailed).

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
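The pre-upload check Volker describes (the DNSKEYs handed over by the signer must match what the zone's nameservers actually serve, and the registry derives the DS from them) as an added example; this is not OpenDNSSEC, Denic or any registrar's code. It assumes DNSKEY records arrive as presentation-format text lines (`owner TTL IN DNSKEY flags proto alg key`), that only keys with the SEP bit set (flags 257) are submitted to the parent, and that the registry compares on the DNSKEY RDATA. The key material, owner name and the "served" RRsets are constructed for the example; in practice the served set would come from querying each authoritative nameserver.

```python
"""Pre-upload sanity check for automated KSK rollover (added example).

Assumptions (not from the original thread): DNSKEYs are presentation-format
text lines, only SEP-flagged keys (257) go to the registry, and the registry
computes DS from owner name + DNSKEY RDATA as in RFC 4034 section 5.1.4.
"""
import base64
import hashlib
import struct


def parse_dnskey(line):
    """Split 'owner TTL IN DNSKEY flags proto alg key...' into fields and wire RDATA."""
    parts = line.split()
    idx = parts.index("DNSKEY")
    flags, proto, alg = (int(x) for x in parts[idx + 1:idx + 4])
    key = base64.b64decode("".join(parts[idx + 4:]))   # key may be wrapped
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    return {"owner": parts[0], "flags": flags, "proto": proto, "alg": alg, "rdata": rdata}


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(owner):
    """Canonical wire form of the owner name: lowercased, length-prefixed labels."""
    if owner == ".":
        return b"\x00"
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_sha256(dnskey):
    """DS record (digest type 2 = SHA-256) as the parent would derive it."""
    digest = hashlib.sha256(owner_wire(dnskey["owner"]) + dnskey["rdata"]).hexdigest().upper()
    return f'{dnskey["owner"]} IN DS {key_tag(dnskey["rdata"])} {dnskey["alg"]} 2 {digest}'


def check_before_upload(to_publish, served):
    """Return (ok, missing): ok only if every SEP-flagged key the signer hands
    over is present, byte for byte, in the DNSKEY RRset served by the nameservers.
    Anything missing is reported by owner and key tag so the upload can be held."""
    served_keys = {(k["owner"].lower(), k["rdata"]) for k in map(parse_dnskey, served)}
    missing = []
    for line in to_publish:
        k = parse_dnskey(line)
        if not k["flags"] & 1:          # SEP bit clear: a ZSK, never sent to the parent
            continue
        if (k["owner"].lower(), k["rdata"]) not in served_keys:
            missing.append(f'{k["owner"]} keytag {key_tag(k["rdata"])}')
    return (not missing, missing)


# ---- constructed sample data (not real keys) --------------------------------
def dnskey_line(owner, flags, alg, key):
    return f"{owner} 3600 IN DNSKEY {flags} 3 {alg} {base64.b64encode(key).decode()}"

OWNER = "example.de."
OLD_KSK = dnskey_line(OWNER, 257, 13, bytes(range(64)))        # 64-byte ECDSA-shaped blob
NEW_KSK = dnskey_line(OWNER, 257, 13, bytes(range(128, 192)))
ZSK = dnskey_line(OWNER, 256, 13, bytes(range(64, 128)))

FROM_SIGNER = [OLD_KSK, NEW_KSK, ZSK]        # what OpenDNSSEC would hand to the script
SERVED_CURRENT = [OLD_KSK, NEW_KSK, ZSK]     # nameservers already serve the new KSK
SERVED_STALE = [OLD_KSK, ZSK]                # new KSK not yet propagated: do not upload


if __name__ == "__main__":
    for label, served in (("current", SERVED_CURRENT), ("stale", SERVED_STALE)):
        ok, missing = check_before_upload(FROM_SIGNER, served)
        print(label, "OK" if ok else f"HOLD: not served {missing}")
    for line in FROM_SIGNER:
        k = parse_dnskey(line)
        if k["flags"] & 1:
            print(ds_sha256(k))
```

The check deliberately compares full RDATA rather than only key tags, since key tags are not unique and a collision would let a wrong key through; the DS is computed locally only so the operator can see what the registry will derive, the registrar still does its own calculation.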
