On Fri, Jun 27, 2014 at 01:26:07AM +0200, Michael Ströder wrote:
k...@rice.edu wrote:
On Thu, Jun 26, 2014 at 10:21:06PM +0100, Jorge Bastos wrote:
For the DNSSEC part, is there a way to create the DNSSEC information just
by SQL ?
If not, the solution is to run pdnssec secure-zone ZONE in a loop on a
cron script, am I right?
I do not know about a SQL only solution for MySQL DNSSEC signing, but I
know that there is a sample schema for Oracle that includes the needed
triggers and functions and that I have a basically complete version of
the same for PostgreSQL that I will be submitting to the PDNS folks once
we have it vetted for production.
Hmm, am I the only one who is concerned about the security of the signing
process?
Please don't get me wrong. But people are advocating DANE nowadays and aim to
completely replace X.509 certs with that. So security of the signed RRs is
crucial just like issuing X.509 certs. And yes, I know that it's hard to
achieve a higher level of operational security.
Ciao, Michael.
Hi Michael,
DNSSEC allows a domain owner to be as secure or insecure as they want to be.
You can do online or offline signing.
Or do part of the signing online and part of it offline, because DNSSEC allows
the use of a Zone Signing Key and a Key Signing Key for your domain.
Or you can choose to not use DNSSEC at all.
Online signing is similar to most VPN- and SSL/TLS-deployments, like
HTTPS/POP3S/IMAPS.
Offline signing allows you put the key in a 24/7 guarded safe.
Most Certificate Authorities do online signing too. Just look at OCSP.
Pobably they only use that for their sub-CAs (that is the certificate of the
intermediate you need when you deploy for HTTPS, etc.).
Does that now make you less or more concerned ?
Have a good weekend,
Leen.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
