Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO
Stephane Bortzmeyer wrote:
> There is nothing about key rollover, it seems? How do you handle it?

I don't. (Well, for now the plan is to do it once a year by hand. Then, we'll see...)

Regards,
Eugene

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO
On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote:
> (Well, for now the plan is to do it once a year by hand. Then, we'll see...)

For the record, NIST recommends rolling the ZSK every three months, and the KSK every two years.

Thanks,
-- Nicholas
Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO
Nicholas Wheeler wrote:
> On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote:
>> (Well, for now the plan is to do it once a year by hand. Then, we'll see...)
> For the record, NIST recommends rolling the ZSK every three months, and the KSK every two years.

And there are lots of other opinions on this timing as well.

Rolling ZSK using BIND 9.7 is amazingly easy - I'm planning on writing a short paper on this as time permits.

Rolling KSK is a bit more difficult as there aren't a lot of registrars that have the ability to accept DS records at this point anyway, and I don't see them implementing RFC-5011 personally... It's coming, it's just not here quite yet.

AlanC
Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO
On Tue, 23 Feb 2010, Alan Clegg wrote:
>> For the record, NIST recommends rolling the ZSK every three months, and the KSK every two years.
> And there are lots of other opinions on this timing as well.

Note that you cannot really talk about rolling key recommendations without mentioning the key sizes (and algorithms) involved. I believe the above NIST recommendation is for 1024 bit RSASHA1 ZSK's and 2048 bit RSASHA1 keys. They might also apply to RSASHA256 keys.

Paul
Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO
> Date: Tue, 23 Feb 2010 16:02:27 -0500
> From: Alan Clegg acl...@isc.org
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
> Nicholas Wheeler wrote:
>> On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote:
>>> (Well, for now the plan is to do it once a year by hand. Then, we'll see...)
>> For the record, NIST recommends rolling the ZSK every three months, and the KSK every two years.

My copy of SP800-81r1 says ZSK 1 month and KSK 1-2 years. It also recommends a 2048 bit key for both KSK and ZSK. It was still draft when I printed it out, but I suspect that the final draft will match these recommendations.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net
Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
DNSSEC: Configuring auto-signed dynamic zone HOWTO
Please comment!

Eugene

===
HOW TO CONFIGURE AUTO-SIGNED DYNAMIC ZONES WITH BIND9

This document describes how to configure bind9 to automatically sign zones as they are being modified by the dynamic update mechanism. It is assumed that you already know how to configure manually signed zones [1] and know how to configure zones for dynamic updates [2].

For the purpose of this discussion, we presume that you control the parent zone 'example.com', which does not allow dynamic updates and is manually signed. The child zone 'dyn.example.com' is set up for dynamic updates. Your 'named' is not run in a chroot environment, and executes under effective uid 'bind' and gid 'bind'. Bind configuration files and manually signed zones are kept in the directory /etc/bind, which is readable but not writable by the 'bind' uid, and dynamically updatable zones are kept in the directory /var/cache/bind, which is readable and writable by the 'bind' uid.

The following are the steps to make the 'dyn.example.com' zone automatically signed:

0. Make sure that you are using bind version 9.6 or later.

1. Create a directory to contain zone keys that are visible to named and therefore available to the auto-signing mechanism:

     # mkdir /etc/bind/keys
     # chgrp bind /etc/bind/keys
     # chmod 0750 /etc/bind/keys

2. Create zone-signing keys for the zone 'dyn.example.com' and make the private key readable to the 'bind' uid:

     # cd /etc/bind/keys
     # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE dyn.example.com
     # chgrp bind *.private
     # chmod 0640 *.private

3. Include the DNSKEY into the 'dyn.example.com' zone and manually sign it. The file must be made writable to the 'bind' uid:

     # cd /var/cache/bind
     # rndc freeze dyn.example.com

   Edit the file 'dyn.example.com' and add this line (substitute the actual name of the key file):

     $include /etc/bind/keys/Kdyn.example.com.[...].key

   Then sign the zone (again substituting the actual name of the key file):

     # dnssec-signzone -g -d /etc/bind/keys dyn.example.com \
         /etc/bind/keys/Kdyn.example.com.[...].private

   This step will create the file dyn.example.com.signed, and in addition to that, the file '/etc/bind/keys/dsset-dyn.example.com.'.

     # chown bind:bind dyn.example.com.signed

4. Include the DS records into the parent zone:

     # cd /etc/bind

   Edit the file example.com and add this line (don't forget to also update the zone's serial):

     $include keys/dsset-dyn.example.com.

   Manually sign the 'example.com' zone as you usually do.

5. Update bind's configuration. In the definition of the 'dyn.example.com' zone, change the line

     file "/var/cache/bind/dyn.example.com";

   to

     file "/var/cache/bind/dyn.example.com.signed";

   In the 'options' section, add these lines:

     sig-validity-interval 2400;
     key-directory "/etc/bind/keys";

   (substitute '2400' with whatever period you deem appropriate; 2400 is 40 minutes.)

6. Make named re-read the configuration and thaw the dynamic zone:

     # rndc reload
     # rndc thaw dyn.example.com

7. Check that things work as expected.

References:
[1] http://www.nlnetlabs.nl/publications/dnssec_howto/index.html
    DNSSEC HOWTO, a tutorial in disguise, by Olaf Kolkman
[2] http://answers.oreilly.com/topic/192-how-to-allow-dynamic-updates-with-bind/
    How to allow dynamic updates with BIND, O'Reilly Answers
===
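One concrete check for step 7 of the HOWTO, added here as an example (it is not part of Eugene's HOWTO and not BIND's own code): it recomputes the DS record from the DNSKEY line that step 3 $includes into the child zone and compares it with the dsset line that step 4 $includes into the parent, so a stale dsset after a key change is caught before the parent is re-signed. The DNSKEY line and its two-byte "public key" are constructed for the demonstration, not a real key; digest type 1 (SHA-1) and type 2 (SHA-256) are both handled.

```python
import base64
import hashlib

# Constructed sample (not a real key): a DNSKEY presentation line as found in
# the K<zone>.+<alg>+<tag>.key file, with a tiny two-byte "public key".
SAMPLE_DNSKEY = "dyn.example.com. IN DNSKEY 256 3 5 AAE="


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(line):
    """Return (owner, algorithm, rdata) from a DNSKEY line; TTL/class are optional."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return f[0], alg, rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, alg, rdata, digest_type=1):
    """Build the DS line (digest type 1 = SHA-1, 2 = SHA-256) for this DNSKEY."""
    if digest_type not in (1, 2):
        raise ValueError("unsupported DS digest type")
    h = hashlib.sha1 if digest_type == 1 else hashlib.sha256
    digest = h(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches(dnskey_line, ds_line):
    """True if the parent's DS line was derived from this child DNSKEY."""
    owner, alg, rdata = parse_dnskey(dnskey_line)
    f = ds_line.split()
    i = f.index("DS")
    tag, ds_alg, dtype = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    digest = "".join(f[i + 4:]).upper()
    want = ds_record(owner, alg, rdata, dtype).split()
    return tag == int(want[3]) and ds_alg == alg and digest == want[6]
```

Feed it the real Kdyn.example.com.[...].key line and each line of dsset-dyn.example.com. to confirm the parent's DS still points at the key named in step 3.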
Re: DNSSEC: Configuring auto-signed dynamic zone
Mark Andrews wrote:
>> I would like to make dynamic zone automatically signed.
> Firstly upgrade to BIND 9.6.0 or later as it supports re-signing
> [etc]

Thanks Mark! With your directions, I got the system airborne in no time.

Do you think there is an appropriate place somewhere for a small one-page HOWTO? I could document what I did and submit the result...

Regards,
Eugene
Re: DNSSEC: Configuring auto-signed dynamic zone
On 2010-02-16 13:32, Eugene Crosser wrote:
> Do you think there is an appropriate place somewhere for a small one-page HOWTO? I could document what I did and submit the result...

I for one would be interested!

Niobos
DNSSEC: Configuring auto-signed dynamic zone
Hello everyone, I am new here.

I have been running a manually signed zone (average.org) for my domain for some time now. I also have a separate subdomain zone (dyn.average.org) that allows dynamic updates, and that is currently not signed. Bind version is 9.5.1 (debian stable).

I would like to make the dynamic zone automatically signed. I did not find any documentation about how to do that, but from reading the manuals and other people's notes in this mailing list, I figured that I probably need to put both private and public keys for the zone in a directory configured as key-directory and make them readable to bind's userid. But what else?

- do I need to sign the zone initially by hand?
- do I need to insert the DNSKEY public key record into the zone - or should I include it into the upper zone?

I don't want to make the private KSK readable by bind, only the ZSK for this one zone. So, apparently I need to arrange things in such a way that the DNSKEY for dyn.average.org is signed manually. Will it suffice to put it into the average.org zone and re-sign it manually? What else do I need to take care of?

Thanks in advance!

Eugene