Re: Full automatic DNSSEC for hosted zones/domains

2020-04-08 Thread Matthijs Mekking
Hi Philippe,

On 4/7/20 3:46 PM, Philippe Maechler wrote:
> Hello bind users
> 
>> The answer is almost, as long as the zone has a DNSSEC policy configured:
>>
>> zone "newdomain.de" {
>>   type master;
>>   file "../master/newdomain.de";
>>   dnssec-policy default;
>> }
>>
>> The only thing not yet fully automated is submitting the DS to the
>> parent. You can do that as soon as named puts the CDS/CDNSKEY records in
>> the zone.
> 
> So you're saying that with a DNSSEC policy configured, bind is creating CDS
> records for me? If so, then once my registrar (switch.ch) supports those
> records, is this zone fully automated with regard to DNSSEC?
> Is the creation of CDS records a config option or on by default?

Yes, that is right. The creation of CDS and CDNSKEY records happens
always and cannot be turned off with an option.


> What about going from secure to insecure? Is this possible with dnssec-policy,
> or do I then have to put the relevant CDS records in the zone by hand?

This is not possible yet with dnssec-policy. I suggest putting the
deletion CDS record in the zone, setting dnssec-policy to none, and
temporarily signing your zone with dnssec-signzone.

Best regards,

Matthijs


> Best regards
> Philippe

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
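Before handing the DS to the parent (the one step Matthijs says is still manual), a practitioner wants to confirm that the CDS named publishes really corresponds to a SEP-flagged DNSKEY in the zone, and to recognise the RFC 8078 "delete DS" CDS (`0 0 0 00`) that the secure-to-insecure procedure relies on. The following checker is an added example, not code from this thread or from BIND; the owner name, key material and function names (`check_cds`, `ds_from_dnskey`) are chosen here, the DNSKEY values are throwaway bytes constructed for the demonstration, and only the Python standard library is used.

```python
"""Verify CDS records against the zone's DNSKEY RRset and detect the
RFC 8078 delete-DS signal. Added example; standard library only."""
import base64
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605). SHA-1 is kept only so
# legacy records can be recognised; never submit new SHA-1 DS records.
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}
SEP_FLAG = 0x0001  # DNSKEY flag bit 15: Secure Entry Point (KSK or CSK)


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lower-cased labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(rdata: str):
    """Parse DNSKEY/CDNSKEY presentation format: 'flags proto alg base64...'."""
    f = rdata.split()
    return int(f[0]), int(f[1]), int(f[2]), base64.b64decode("".join(f[3:]))


def dnskey_wire(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """DNSKEY RDATA in wire form, the input to both key tag and DS digest."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(flags: int, proto: int, alg: int, key: bytes) -> int:
    """RFC 4034 Appendix B key tag (not valid for the obsolete algorithm 1)."""
    acc = 0
    for i, b in enumerate(dnskey_wire(flags, proto, alg, key)):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, rdata: str, digest_type: int = 2) -> str:
    """DS RDATA ('tag alg dtype HEXDIGEST') the parent would publish for a key."""
    flags, proto, alg, key = parse_dnskey(rdata)
    h = hashlib.new(DIGEST_ALGOS[digest_type])
    h.update(wire_name(owner) + dnskey_wire(flags, proto, alg, key))
    return f"{key_tag(flags, proto, alg, key)} {alg} {digest_type} {h.hexdigest().upper()}"


def normalize_ds(rdata: str) -> str:
    """Join a line-wrapped hex digest and upper-case it for comparison."""
    f = rdata.split()
    return " ".join(f[:3] + ["".join(f[3:]).upper()])


def is_delete_cds(rdata: str) -> bool:
    """RFC 8078 section 4: 'CDS 0 0 0 00' asks the parent to remove the DS."""
    return rdata.split() == ["0", "0", "0", "00"]


def check_cds(owner: str, dnskeys: list, cds_list: list):
    """Return (status, ds_records_to_submit).

    'none'     - no CDS published yet; nothing to do
    'delete'   - the delete-DS CDS is present; remove the DS at the parent
    'ok'       - every CDS matches a SEP-flagged DNSKEY; submit ds_records
    'mismatch' - a CDS matches no SEP key (or uses an unknown digest); stop
    """
    if not cds_list:
        return "none", []
    if any(is_delete_cds(c) for c in cds_list):
        return "delete", []
    sep_keys = [rd for rd in dnskeys if parse_dnskey(rd)[0] & SEP_FLAG]
    verified = []
    for cds in cds_list:
        want = normalize_ds(cds)
        dtype = int(want.split()[2])
        if dtype not in DIGEST_ALGOS:
            return "mismatch", []
        if not any(ds_from_dnskey(owner, rd, dtype) == want for rd in sep_keys):
            return "mismatch", []
        verified.append(want)
    return "ok", verified


if __name__ == "__main__":
    # Constructed sample: a CSK (flags 257) and a ZSK (flags 256) with
    # throwaway key bytes, not real keys. named publishes the CDS for the CSK.
    zone = "newdomain.de."
    csk = "257 3 13 AQIDBA=="
    zsk = "256 3 13 BQYHCA=="
    cds = ds_from_dnskey(zone, csk, 2)
    print(check_cds(zone, [csk, zsk], [cds]))         # ('ok', [cds])
    print(check_cds(zone, [csk, zsk], ["0 0 0 00"]))  # ('delete', [])
    print(check_cds(zone, [zsk], [cds]))              # ('mismatch', [])
```

In practice the DNSKEY and CDS RRsets are fetched from the signing server (for example with `dig CDS newdomain.de @localhost`) and only the DS lines returned under `ok` are submitted; a `delete` result means the zone is signalling withdrawal, so the parent's DS should be removed rather than replaced. The check is about consistency between CDS and DNSKEY; it does not validate the RRSIG over the CDS RRset, which a parent acting on CDS must also do.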


Re: Full automatic DNSSEC for hosted zones/domains

2020-04-07 Thread Matthias Fechner
On 07.04.2020 at 10:55, Matthias Fechner wrote:
> After bind has been reloaded/restarted, does it automatically create the
> required keys and fully maintain the zone, do key rollovers, everything
> required fully by itself?

I got a private email pointing me to some webinars explaining DNSSEC.
I found them here:
https://www.youtube.com/watch?v=MheHMWCOTvE&list=PLUwyH0o3uuICgnbQj_lQajRI_CzewZr7q

I can really recommend them.
They bring a lot of information, nicely explained; very, very helpful!

I will continue with the series and will come back with some more
specific questions ;)

Regards
Matthias

-- 

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook



RE: Full automatic DNSSEC for hosted zones/domains

2020-04-07 Thread Philippe Maechler
Hello bind users

> The answer is almost, as long as the zone has a DNSSEC policy configured:
> 
> zone "newdomain.de" {
>   type master;
>   file "../master/newdomain.de";
>   dnssec-policy default;
> }
>
> The only thing not yet fully automated is submitting the DS to the
> parent. You can do that as soon as named puts the CDS/CDNSKEY records in
> the zone.

So you're saying that with a DNSSEC policy configured, bind is creating CDS
records for me? If so, then once my registrar (switch.ch) supports those
records, is this zone fully automated with regard to DNSSEC?
Is the creation of CDS records a config option or on by default?

What about going from secure to insecure? Is this possible with dnssec-policy,
or do I then have to put the relevant CDS records in the zone by hand?

Best regards
Philippe




Re: Full automatic DNSSEC for hosted zones/domains

2020-04-07 Thread Matthijs Mekking
Hi Matthias,

The answer is almost, as long as the zone has a DNSSEC policy configured:

zone "newdomain.de" {
   type master;
   file "../master/newdomain.de";
   dnssec-policy default;
}

The only thing not yet fully automated is submitting the DS to the
parent. You can do that as soon as named puts the CDS/CDNSKEY records in
the zone.

Best regards,
Matthijs

On 4/7/20 10:55 AM, Matthias Fechner wrote:
> Dear all,
> 
> Is bind (version 9.16.1) able to do all the steps DNSSEC requires fully by
> itself?
> 
> So I only create a new zone for a domain and include it like for
> newdomain.de:
> zone "newdomain.de" {
>   type master;
>   file "../master/newdomain.de";
>   ...
> }
> 
> After bind has been reloaded/restarted, does it automatically create the
> required keys and fully maintain the zone, do key rollovers, everything
> required fully by itself?
> 
> Regards
> Matthias
> 


