Re: DNSSEC made simple, is this possible?
Hello Howard Leadmon,

On 2012-01-11 10:31:11, you hacked out the following:

> Then I go to make a change to my DNS file, whoa was I in for a shock, as

:-D

> So I guess my million dollar question is, I want to use DNSSEC (it's actually working now), but I want to be able to edit my zone files the way I always have for many years, and just have BIND sign the zones with the keys and update as needed to keep DNS running smoothly. Is there some easy way to do this, some scripts someone has made, or some documentation to walk me through accomplishing this?

Why not use nsupdate?

Thanks, Greetings and nice Day/Evening
Michelle Konzack
--
Debian GNU/Linux Consultant, Internet Service Provider, Cloud Computing
http://www.itsystems.tamay-dogan.net/

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
DNSSEC made simple, is this possible?
OK, in an attempt to start using DNSSEC over here, I suppose I bit myself in the backside, and even spending some time using googlefu I still haven't quite figured this all out.

I am currently running the current BIND 9.8.1, and set up to support DNSSEC. After reading around a bit, I saw that setting auto-dnssec in the config would read in the keys and sign the zones automatically; this seemed in theory to be perfect, so I configured it this way. After that the domains were signed, and going to places like the Verisign debugger showed my domain was happily secured with DNSSEC.

Then I go to make a change to my DNS file, whoa was I in for a shock, as apparently BIND took my nice text file for DNS I have edited for ages, and converted it into a full signed zone. Try and edit that file, and of course it bitches about it no longer matching the .jnl file and drops the zone. This sure makes it hard to update things, well the way I am used to doing it.

So I guess my million dollar question is, I want to use DNSSEC (it's actually working now), but I want to be able to edit my zone files the way I always have for many years, and just have BIND sign the zones with the keys and update as needed to keep DNS running smoothly. Is there some easy way to do this, some scripts someone has made, or some documentation to walk me through accomplishing this?

I can't believe there aren't a lot of others that have run DNS just as I have for years and years, and just want a nice simple way to keep using BIND and implementing the new security for the domains I manage. I have googled till I have about turned blue, and maybe I am missing it, but I have seen some very complex key management systems and so forth; I have no need for anything that complex, so figure I am missing the solution that is hiding someplace.

Any pointers??

---
Howard Leadmon
Re: DNSSEC made simple, is this possible?
You want BIND 9.9 (currently 9.9.0rc1) with inline signing. This will do exactly what you want, I think.

--Michael

On Jan 11, 2012, at 9:31 AM, Howard Leadmon wrote:

> [original message quoted in full above]
Re: DNSSEC made simple, is this possible?
On 11/01/12 15:31, Howard Leadmon wrote:

> Then I go to make a change to my DNS file, whoa was I in for a shock, as apparently BIND took my nice text file for DNS I have edited for ages, and

As you found out, you cannot do that. auto-dnssec maintain requires that updates to the zone be via dynamic DNS.

> So I guess my million dollar question is, I want to use DNSSEC (it's actually working now), but I want to be able to edit my zone files the way I always have for many years, and just have BIND sign the zones with the keys and update as needed to keep DNS running smoothly. Is there some easy way to do this, some scripts someone has made, or some documentation to walk me through accomplishing this?

This is called inline-signing and is a new feature in Bind 9.9, which is in beta. There is some discussion of the limitations and early bugs in the list archive. Google "bind 9.9 inline signing" for more info, and see the list archives.
Re: DNSSEC made simple, is this possible?
ISC is also, by pure luck, offering a web seminar on inline signing in BIND 9.9 today. While the first one starts in 15 minutes as I write this message, there are a total of three sessions today. Head on over to http://www.isc.org/webinar to find out the times and information on how to join.

Sorry for my rather short answer before, but I wanted to check that this was indeed a public presentation before I sent people to a customer-only one.

--Michael

On Jan 11, 2012, at 9:31 AM, Howard Leadmon wrote:

> [original message quoted in full above]
Re: DNSSEC made simple, is this possible?
Howard Leadmon how...@leadmon.net wrote:

> So I guess my million dollar question is, I want to use DNSSEC (it's actually working now), but I want to be able to edit my zone files the way I always have for many years, and just have BIND sign the zones with the keys and update as needed to keep DNS running smoothly. Is there some easy way to do this, some scripts someone has made, or some documentation to walk me through accomplishing this?

If you don't want to wait for BIND 9.9 inline-signing as others have mentioned, have a look at my nsdiff script:

http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/bind/bin/nsdiff

(use perldoc to format the embedded documentation)

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
RE: DNSSEC made simple, is this possible?
Thanks, I will head on over and take a look, sounds like something I should be interested in. Now if FreeBSD would just add 9.9 to the ports collection, it would save me from having to build it by hand..

---
Howard Leadmon

> -----Original Message-----
> From: Michael Graff [mailto:mgr...@isc.org]
> Sent: Wednesday, January 11, 2012 10:48 AM
> To: Howard Leadmon
> Cc: bind-users@lists.isc.org
> Subject: Re: DNSSEC made simple, is this possible?
>
> [Michael Graff's message and the original post quoted in full above]
Re: DNSSEC made simple, is this possible?
On 01/11/2012 10:47 AM, Phil Mayers wrote:

> On 11/01/12 15:31, Howard Leadmon wrote:
>
>> Then I go to make a change to my DNS file, whoa was I in for a shock, as apparently BIND took my nice text file for DNS I have edited for ages, and
>
> As you found out, you cannot do that. auto-dnssec maintain requires that updates to the zone be via dynamic DNS.

Not that this is honestly so hard, however. I have played with it at home some and the nsupdate command means that you can still at least do this manually fairly easily from the command line. Is my read on that correct?

>> So I guess my million dollar question is, I want to use DNSSEC (it's actually working now), but I want to be able to edit my zone files the way I always have for many years, and just have BIND sign the zones with the keys and update as needed to keep DNS running smoothly. Is there some easy way to do this, some scripts someone has made, or some documentation to walk me through accomplishing this?
>
> This is called inline-signing and is a new feature in Bind 9.9, which is in beta. There is some discussion of the limitations and early bugs in the list archive. Google "bind 9.9 inline signing" for more info, and see the list archives.

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
RE: DNSSEC made simple, is this possible?
I took the ISC 2 day Intro to DNS and BIND class. The instructor made a good point that building from source frees you from the dependence on the distro's package maintainer. As part of the class, we had to compile bind from scratch. It was very straightforward: ./configure, make, make install. Options to the configure step allowed customization of the install if needed, but the defaults are pretty good.

In Ubuntu LTS versions, they do not update versions, other than minor revs for bug fixes. I have some that are running Ubuntu 8.04LTS with bind 9.4. I was worried with the recent vulnerability, but they quickly backported the fix. But they're still running 9.4. :(

I am building new servers to replace them and I'm going with a bare bones distro install and adding packages (compilers, etc) as I find I need them. But the servers will be much leaner in terms of what is on them.

Perhaps other distros/flavors of *nix handle new versions differently.

bind-users-bounces+wbrown=e1b@lists.isc.org wrote on 01/11/2012 11:50:01 AM:

> Now if FreeBSD would just add 9.9 to the ports collection, it would save me from having to build it by hand..
Re: DNSSEC made simple, is this possible?
On 11/01/12 17:04, Ryan Novosielski wrote:

> Not that this is honestly so hard, however. I have played with it at home some and the ns-update command means that you can still at least do this manually fairly easily from the command line. Is my read on that correct?

Performing a dynamic DNS update is not hard. Integrating it into a workflow - might be a lot harder, depending on your workflow.

(As it happens, we have used dynamic DNS to drive SQL - DNS updates for years now, primarily to gain the benefits of incremental updates)

Something like Tony's nsdiff script (see his post) makes it relatively easy, but it's still another step.

Personally I would encourage the OP to investigate dynamic DNS, but it's clear not everyone wants to - hence ISC have implemented inline-signing.
Re: DNSSEC made simple, is this possible?
On 1/11/2012 8:50 AM, Howard Leadmon wrote:

> Now if FreeBSD would just add 9.9 to the ports collection

I generally don't add new versions until they are released, but if there is sufficient interest I can take a look at adding this as a -devel version sooner rather than later.

Doug
--
You can observe a lot just by watching. -- Yogi Berra
http://SupersetSolutions.com/
RE: DNSSEC made simple, is this possible?
Hello Doug,

As always thanks for all the support for things like this on the FreeBSD side. That said, I'd love to see that happen, even as a -devel type port, since in general when ISC considers something an RC, it's pretty darn stable by that point.

At the moment I use the 9.8.1 port, and it works like a charm, but if this inline signing is the key to supporting DNSSEC and being able to edit things like I have been used to doing for years, then I will build it by hand if needed..

---
Howard Leadmon

> -----Original Message-----
> From: Doug Barton [mailto:do...@dougbarton.us]
> Sent: Wednesday, January 11, 2012 12:21 PM
> To: Howard Leadmon
> Cc: 'Michael Graff'; bind-users@lists.isc.org
> Subject: Re: DNSSEC made simple, is this possible?
>
> [Doug Barton's message quoted in full above]
Re: DNSSEC made simple, is this possible?
On 1/11/2012 9:27 AM, Howard Leadmon wrote:

> As always thanks for all the support for things like this on the FreeBSD side.

My pleasure.

> That said, I'd love to see that happen, even as a -devel type port, since in general when ISC considers something an RC, it's pretty darn stable by that point.

Just to be clear, the -devel tag is not meant as a commentary on the relative quality of the 3rd party code. Our policy is to use -devel to indicate "this is the next version of $thing, which the vendor has not officially released yet." I wouldn't add it to the ports at all if I didn't think it was stable. :)

Doug
--
You can observe a lot just by watching. -- Yogi Berra
http://SupersetSolutions.com/
Re: DNSSEC made simple, is this possible?
Phil Mayers p.may...@imperial.ac.uk wrote:

> Something like Tony's nsdiff script (see his post) makes it relatively easy, but it's still another step.

It's more like a replacement step: run nsdiff | nsupdate instead of rndc reload.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
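To make the "nsdiff | nsupdate instead of rndc reload" step concrete, here is an added example (not Tony Finch's nsdiff and not part of the thread) that diffs the zone named currently serves against the operator's hand-edited file and emits the nsupdate statements that bring the server in line, ignoring the RRsets named maintains itself under auto-dnssec maintain. Function names, the serial policy, the simplified zone syntax it accepts and the sample zones are all constructed for this example.

```python
"""nsdiff-style generator: turn an edited zone file into an nsupdate script.

Added example for the "nsdiff | nsupdate instead of rndc reload" workflow in
the thread; not Tony Finch's nsdiff. Function names, serial policy and sample
zones are constructed. Assumed zone syntax: one record per line, fully
qualified owners, "owner TTL IN type rdata", whole-line ';' comments only.
"""
from collections import Counter

# RRsets named maintains itself under 'auto-dnssec maintain': the hand-edited
# file is never authoritative for them, so they are ignored on both sides.
SERVER_MANAGED = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}

def parse_zone(text):
    """Return (soa, records): soa is (owner, ttl, rdata); records is a Counter
    of (owner, ttl, type, rdata) for every other non-server-managed record."""
    soa, records = None, Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError("unsupported zone line: %r" % raw)
        owner, ttl, rtype = fields[0].lower(), int(fields[1]), fields[3].upper()
        rdata = " ".join(fields[4:])
        if rtype in SERVER_MANAGED:
            continue
        if rtype == "SOA":
            soa = (owner, ttl, rdata)
        else:
            records[(owner, ttl, rtype, rdata)] += 1
    if soa is None:
        raise ValueError("zone has no SOA record")
    return soa, records

def next_serial(served_soa, edited_soa):
    """Serial for the update: the larger of the two plus one, so the served
    zone always moves forward even if the editor forgot to bump the file."""
    served = int(served_soa[2].split()[2])  # SOA rdata: mname rname serial ...
    edited = int(edited_soa[2].split()[2])
    return max(served, edited) + 1

def nsupdate_script(served_text, edited_text, server="127.0.0.1"):
    """Return the nsupdate statements (one per list element) that bring the
    served zone in line with the edited file, or [] when nothing changed."""
    served_soa, served = parse_zone(served_text)
    edited_soa, edited = parse_zone(edited_text)
    deletions = served - edited  # Counter subtraction keeps positive counts only
    additions = edited - served
    if not deletions and not additions:
        return []
    owner, _ttl, served_rdata = served_soa
    soa_fields = edited_soa[2].split()
    soa_fields[2] = str(next_serial(served_soa, edited_soa))
    lines = ["server %s" % server,
             # Refuse to apply if someone else changed the zone since we read it.
             "prereq yxrrset %s SOA %s" % (owner, served_rdata)]
    lines += ["update delete %s %s %s" % (o, t, r)
              for o, _tt, t, r in sorted(deletions.elements())]
    lines += ["update add %s %d %s %s" % (o, tt, t, r)
              for o, tt, t, r in sorted(additions.elements())]
    lines.append("update add %s %d SOA %s" % (owner, edited_soa[1], " ".join(soa_fields)))
    lines.append("send")
    return lines

# Constructed sample: what named serves (signed) vs. the operator's edited file.
SERVED = """\
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2012011101 7200 900 1209600 3600
example.net. 3600 IN NS ns1.example.net.
www.example.net. 3600 IN A 192.0.2.10
www.example.net. 3600 IN RRSIG A 8 3 3600 20120201000000 20120101000000 12345 example.net. c0nstructed=
mail.example.net. 3600 IN A 192.0.2.20
"""
EDITED = """\
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2012011101 7200 900 1209600 3600
example.net. 3600 IN NS ns1.example.net.
www.example.net. 300 IN A 192.0.2.10
mail.example.net. 3600 IN A 192.0.2.21
mail.example.net. 3600 IN AAAA 2001:db8::25
"""

if __name__ == "__main__":
    print("\n".join(nsupdate_script(SERVED, EDITED)))
```

The printed statements are what you would pipe into nsupdate (with a TSIG key via -k) in place of editing the signed file and running rndc reload; the prereq line makes the update fail cleanly if the served zone changed in between.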
Re: DNSSEC made simple, is this possible?
> Next great thing would be for ISC to support the Soft-HSM that OpenDNSSEC uses. I believe that this would make the step of moving to a real hardware HSM a lot easier (if necessary).

softhsm works with BIND 9. It's cumbersome--you need special configure options and a patched version of openssl--but it does work.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: DNSSEC made simple, is this possible?
> Next great thing would be for ISC to support the Soft-HSM that OpenDNSSEC uses. I believe that this would make the step of moving to a real hardware HSM a lot easier (if necessary).

BIND has supported the PKCS#11 interface (./configure --with-pkcs11) since 9.6 IIRC, so it ought to be possible to integrate.

-JP
Re: DNSSEC made simple, is this possible?
On Wed, 2012-01-11 at 19:26 +0100, Jan-Piet Mens wrote:

>> Next great thing would be for ISC to support the Soft-HSM that OpenDNSSEC uses. I believe that this would make the step of moving to a real hardware HSM a lot easier (if necessary).
>
> BIND has supported the PKCS#11 interface (./configure --with-pkcs11) since 9.6 IIRC, so it ought to be possible to integrate.

Humm...

https://lists.isc.org/pipermail/bind-users/2010-October/081508.html

(which was a failed attempt - and cry for help)

Anyone have a successful go at this? (that is replicable)

--
Mark J Elkins, Cisco CCIE - Posix Systems - (South) Africa
m...@posix.co.za
Re: DNSSEC made simple, is this possible?
>> Now if FreeBSD would just add 9.9 to the ports collection
>
> I generally don't add new versions until they are released,

ISC said today in the inline-signing Webinar that 9.9 would probably be released on February 7th. Maybe wait for that?

-JP