Hi Johan, I had a go six months ago with an attempt to use BIND and its online signing. I even tried to build it with SoftHSM but never got it to work properly. I ended up sticking with ODS for the foreseeable future. IMHO ODS is quite solid and the BIND solution doesn't seem quite ready exactly as you see it.
Regards,
/Henke

*Henrik Dahlberg*
Founder/CEO
+46 70 938 3069
*https://dnsmonitor.com <http://www.dnsmonitor.com>*

On Mon, Sep 7, 2020 at 10:17 AM Johan A Bergstrom via Opendnssec-user <[email protected]> wrote:

> Hello.
>
> So I am looking to redesign our DNS infrastructure and I am in discussions
> with some other architects about the DNSSEC support implementation.
>
> We have been running OpenDNSSEC since 1.4.0 and we are quite happy with
> it, have been able to automate a lot of zone/DNSSEC management in this
> solution, but now we need to refresh the whole infrastructure and my
> colleagues are looking into BIND as a standalone solution now that it has
> support for inline signing and KASP and more.
>
> The pros I see in OpenDNSSEC are that the keys are managed with
> better/higher security in mind, SoftHSM (or HW HSM module); in BIND it's
> still just keeping private keypairs in the filesystem, although they can be in an
> alternate location from the zonefiles.
>
> The cons I see in OpenDNSSEC are that the setup is much more complex, and
> troubleshooting it requires deeper infrastructural knowledge.
>
> My colleagues are arguing that BIND will eventually make OpenDNSSEC
> obsolete, which might happen, but the timeframe I see for this is quite
> long, maybe 4-5 years, as they have just recently implemented KASP and are still
> missing the HSM management for private keys, which is the most important
> part security-wise in my perspective.
>
> In an overview, I am looking to implement the DNSSEC
> management/signing/security part in-house, and put nameserver slaves in
> containers/VMs around available clouds.
>
> More pros/cons regarding either solution, what do you guys think?
>
> Hälsningar / Best regards,
>
> Johan Bergström, Lead Technical Architect / Linux
> TietoEVRY, ZSH Hybrid Infra
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
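Added example, not part of the thread and not taken from BIND's or OpenDNSSEC's documentation: the BIND-side setup Johan is weighing (KASP via dnssec-policy, inline signing, keys kept on the filesystem in a directory separate from the zone files), as a minimal named.conf fragment. The zone name, file paths, policy name and key lifetimes are assumptions chosen for illustration.

```conf
# Assumed example configuration; not from the mailing-list thread.
# KASP policy: BIND rolls the ZSK on the given lifetime, the KSK is manual.
dnssec-policy "example-ecdsa" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P90D        algorithm ecdsap256sha256;
    };
    dnskey-ttl 3600;
};

options {
    directory "/var/named";
    # Keys are NOT put here; each zone below sets its own key-directory.
};

zone "example.com" {
    type master;
    # Unsigned zone file, managed by your provisioning tooling.
    file "/var/named/zones/example.com.db";
    # Signed copy is maintained by named (example.com.db.signed), the
    # unsigned file is left untouched.
    inline-signing yes;
    dnssec-policy "example-ecdsa";
    # Private keys land here as K<zone>.+<alg>+<keyid>.private files,
    # i.e. plain files on disk, not in an HSM. Keep this path off the
    # zone-file tree and readable only by the named user.
    key-directory "/var/named/keys/example.com";
};
```

Two checks worth doing after loading this: `rndc dnssec -status example.com` prints the policy state and the current key roll, and an `ls -l` of the key-directory should show the `.private` files owned by the named user with no group or world read permission. That listing is also the point Johan makes: with this setup the signing keys are protected only by filesystem permissions on the signer, whereas OpenDNSSEC keeps them behind a PKCS#11 interface (SoftHSM or a hardware HSM).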
