Re: Roadmap for DNSSEC signing/automation?

2018-03-13 Thread Tony Finch
Evan Hunt  wrote:
>
> KSK rollovers are still trickier since they require interaction with
> your parent zone. I hope to get support for CDS/CDNSKEY signaling into
> dnssec-keymgr, but whether that ultimately will be useful or not depends
> on whether domain registrars make use of it.

Even if your parent doesn't have RFC 7344 support, they probably have some
API you can use (or if you are really stuck you can script their website
with a headless browser). The interlocks and checking that dnssec-keymgr
needs for RFC 7344 will also be useful for supporting generic delegation
update API hooks.

This is one of my longstanding background projects (very slow incremental
progress) both as a parent (e.g. dnssec-cds) and as a child (why I learned
about headless browsers, ugh).

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Fair Isle: Variable 4 at first in east, otherwise southeast 5 to 7, perhaps
gale 8 later. Moderate or rough. Fair. Good.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Roadmap for DNSSEC signing/automation?

2018-03-13 Thread Evan Hunt
On Tue, Mar 13, 2018 at 12:30:57PM -0400, Jim Popovitch via bind-users wrote:
> Is there a roadmap for DNSSEC signing capabilities?   I'm specifically
> wondering if any features are planned to fully automate signing, such
> as being able to specify simple zone options like "dnssec-cycle=90d;"
> and having bind9 fully manage this, perpetually.

There are no plans to have named generate keys by itself. However, you can
run the "dnssec-keymgr" tool in a cron job and it'll keep your keys up to
date according to a defined policy, generating new ones as needed, and then
named will use them.  In this way you can fully automate ZSK rollovers.

KSK rollovers are still trickier since they require interaction with
your parent zone. I hope to get support for CDS/CDNSKEY signaling into
dnssec-keymgr, but whether that ultimately will be useful or not depends
on whether domain registrars make use of it.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
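The CDS/CDNSKEY signalling Evan mentions, and the "interlocks and checking" Tony refers to in his reply, come down to a handful of checks a parent runs before it swaps its DS RRset for what the child published at its apex. What follows is an added example written for this page, not code from BIND, dnssec-keymgr or either poster: it computes key tags and DS digests per RFC 4034 and applies the RFC 7344/8078 acceptance rules to constructed sample records. The owner name, key blobs and flag values are made up, the SEP-flag requirement is a local policy choice stricter than the RFCs, and DNSSEC validation of the child's DNSKEY and CDS RRsets is assumed to have been done upstream by a validating resolver.

```python
"""Parent-side acceptance checks for a child's CDS RRset (RFC 7344 / RFC 8078).

Added example; not code from BIND, dnssec-keymgr or any poster in the thread.
Checks applied before the parent replaces its DS RRset with the child's CDS:
  * every CDS must match a DNSKEY present in the child's apex DNSKEY RRset;
  * the RFC 8078 "delete" record 0 0 0 00 must stand alone;
  * local policy (stricter than the RFCs): the referenced key carries the SEP flag.
RRSIG validation of both RRsets is assumed done by a validating resolver.
Owner name, key blobs and records below are constructed sample data.
"""
import base64
import hashlib
import struct

SEP_FLAG = 0x0001                                   # DNSKEY flags bit 15 (RFC 4034)
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}    # DS digest types we can compute
DELETE_CDS = (0, 0, 0, "00")                        # RFC 8078 s4 "remove my DS"


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, RFC 4034 s6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """(key tag, algorithm, digest type, hex digest) as a DS/CDS would carry."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(key_b64))
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def check_cds(owner, dnskeys, cds_set):
    """Return (accept, reason) for replacing the parent's DS RRset with cds_set.

    dnskeys: [(flags, protocol, algorithm, key_b64), ...] from the child apex.
    cds_set: [(key_tag, algorithm, digest_type, digest_hex), ...] from CDS.
    """
    cds_set = [(t, a, d, h.lower()) for t, a, d, h in cds_set]
    if not cds_set:
        return False, "no CDS records published: nothing to do"
    if DELETE_CDS in cds_set:
        if len(cds_set) != 1:
            return False, "RFC 8078 delete record mixed with ordinary CDS"
        return True, "child requests removal of its DS (RFC 8078)"
    # Every DS the child's current DNSKEYs could legitimately yield, with flags.
    candidates = {}
    for flags, proto, alg, key_b64 in dnskeys:
        for dtype in DIGESTS:
            candidates[ds_from_dnskey(owner, flags, proto, alg, key_b64, dtype)] = flags
    for cds in cds_set:
        if cds[2] not in DIGESTS:
            return False, "CDS %d uses digest type %d we cannot verify" % (cds[0], cds[2])
        if cds not in candidates:
            return False, "CDS %d matches no DNSKEY in the child's RRset" % cds[0]
        if not candidates[cds] & SEP_FLAG:
            return False, "CDS %d points at a key without the SEP flag" % cds[0]
    return True, "%d CDS record(s) all match published KSKs" % len(cds_set)


# Constructed sample zone: tiny fake key blobs stand in for real public keys.
OWNER = "example.com."
KSK = (257, 3, 8, base64.b64encode(b"\x01\x02\x03").decode())
ZSK = (256, 3, 8, base64.b64encode(b"\x04\x05\x06").decode())


def demo():
    """Run the checker over several child states; returns the accept flags."""
    ksk_ds = ds_from_dnskey(OWNER, *KSK)
    cases = [
        ("CDS matches the new KSK", [KSK, ZSK], [ksk_ds]),
        ("CDS for a key gone from DNSKEY", [ZSK], [ksk_ds]),
        ("CDS points at ZSK (no SEP flag)", [KSK, ZSK], [ds_from_dnskey(OWNER, *ZSK)]),
        ("delete record on its own", [KSK], [DELETE_CDS]),
        ("delete record mixed with real CDS", [KSK], [DELETE_CDS, ksk_ds]),
    ]
    results = []
    for label, keys, cds in cases:
        accept, why = check_cds(OWNER, keys, cds)
        print("%-36s %s  %s" % (label, "ACCEPT" if accept else "REJECT", why))
        results.append(accept)
    return results


if __name__ == "__main__":
    print("%s IN CDS %d %d %d %s" % (OWNER, *ds_from_dnskey(OWNER, *KSK)))
    demo()
```

Run it directly to see each case printed. The same `check_cds` logic, fed from `dig +dnssec CDS` and `dig DNSKEY` output instead of the constructed tuples, doubles as a child-side pre-flight before publishing a CDS: a CDS that references a key absent from your own DNSKEY RRset is exactly what a conforming parent must refuse.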


Roadmap for DNSSEC signing/automation?

2018-03-13 Thread Jim Popovitch via bind-users

Hello,

Is there a roadmap for DNSSEC signing capabilities?   I'm specifically
wondering if any features are planned to fully automate signing, such
as being able to specify simple zone options like "dnssec-cycle=90d;"
and having bind9 fully manage this, perpetually.

Thx,

- -Jim P.



Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-03-13 Thread Tony Finch
Mark Andrews  wrote:

> While it will speed up things slightly it won’t avoid the issue as TTLs
> vary.

Oh, duh, I should have thought of that. Thanks for pointing it out :-)

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Fisher, German Bight: Variable, becoming southeast 3 or 4, occasionally 5
later. Slight or moderate. Rain then fair. Good, occasionally poor at first.


Re: TLD Registries supporting RFC 7344/8078

2018-03-13 Thread Stephane Bortzmeyer
On Tue, Mar 13, 2018 at 10:52:50AM +0100,
 Carsten Strotmann  wrote 
 a message of 19 lines which said:

> is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078)
> already supported at the TLD level somewhere? I know it is implemented
> in BIND 9.11+ and Knot, but can it be used in the real Internet :)

I believe that .cz does it, you have to ask your neighbors.


TLD Registries supporting RFC 7344/8078

2018-03-13 Thread Carsten Strotmann
Hi,

is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078) already
supported at the TLD level somewhere? I know it is implemented in BIND
9.11+ and Knot, but can it be used in the real Internet :)

I searched the usual places but cannot find any information indicating
support at TLD level.

Greetings

Carsten
