Re: [zkt-users] zkt key format and smart signing?
Didn't see this earlier for some reason ...

Holger Zuleger 2013-01-10 23:35:
> Hi Brian,
>
> > I've been exploring various dnssec key management tools out there of
> > late and ran across this one, which I think is my favorite so far.
>
> Sounds good.
>
> > I say "key management", since originally, my intention was just to find
> > something that would help me in doing the key rollover and lifetime
> > selection and setting for the standard bind9 dnssec-keygen tool, dump
> > those all in the same directory (the key repository if you will) and
> > then I was just going to use dnssec-signzone -S "smart signing" to have
> > it use the timestamp values in those keys to figure out which DNSKEY
> > entries and DS entries to include.
>
> I didn't check it myself, but maybe DSKM [1] fulfills your needs.

Thanks for the tip. This does look interesting, but so far I think zkt is
still a better match for our environment.

> > ...
> > It seems that zkt can do some of the "smart signing" (inclusion of
> > appropriate ds and dnskey records) as well, though requires a different
> > zone layout for me to be able to use it.
>
> You have to $INCLUDE dnskey.db, and if you like to use a soa serial
> format of yyymmddnnn, then the SOA record needs a special layout.

Yeah, all of that was fine. Just the directory layout, but that was easy
enough to change. The rest has been in tracking down other problems with
things like cidr domains and a careful dance between full paths and
relative paths.

> > My question was whether the two methods are compatible (looks to be not
> > since the comment headers are different and the zkt-signer.c source
> > specifically includes the -C compatibility option for newer
> > dnssec-keygen bind9 tools), OR if there's any intention to make zkt make
> > use of the smart signing stuff and that key format in the future?
>
> First of all, yes you are right. ZKT was implemented at a time when BIND
> was not able to sign the zone automatically.
> With BIND 9.7 and moreover since the very cool inline signing feature of
> BIND 9.9, the resigning of the zone should be done by BIND itself. I am
> thinking about a new ZKT version with the primary use of key rollover,
> but it requires a lot of re-coding and, to be honest, I don't have the
> resources to do it right now.

I hear ya. I for one would appreciate it.

Cheers,
Brian

signature.asc (Digital signature)

--
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC,
Windows 8 Apps, JavaScript and much more. Keep your skills current with
LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and
experts. SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122912

zkt-users mailing list
zkt-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/zkt-users
Re: [zkt-users] zkt key format and smart signing?
Hi Brian,

> I've been exploring various dnssec key management tools out there of late
> and ran across this one, which I think is my favorite so far.

Sounds good.

> I say "key management", since originally, my intention was just to find
> something that would help me in doing the key rollover and lifetime
> selection and setting for the standard bind9 dnssec-keygen tool, dump
> those all in the same directory (the key repository if you will) and then
> I was just going to use dnssec-signzone -S "smart signing" to have it use
> the timestamp values in those keys to figure out which DNSKEY entries and
> DS entries to include.

I didn't check it myself, but maybe DSKM [1] fulfills your needs.

> ...
> It seems that zkt can do some of the "smart signing" (inclusion of
> appropriate ds and dnskey records) as well, though requires a different
> zone layout for me to be able to use it.

You have to $INCLUDE dnskey.db, and if you like to use a soa serial format
of yyymmddnnn, then the SOA record needs a special layout.

> My question was whether the two methods are compatible (looks to be not
> since the comment headers are different and the zkt-signer.c source
> specifically includes the -C compatibility option for newer dnssec-keygen
> bind9 tools), OR if there's any intention to make zkt make use of the
> smart signing stuff and that key format in the future?

First of all, yes you are right. ZKT was implemented at a time when BIND
was not able to sign the zone automatically. With BIND 9.7 and moreover
since the very cool inline signing feature of BIND 9.9, the resigning of
the zone should be done by BIND itself. I am thinking about a new ZKT
version with the primary use of key rollover, but it requires a lot of
re-coding and, to be honest, I don't have the resources to do it right now.
Best regards
Holger

[1] https://github.com/mc3/DSKM

smime.p7s (S/MIME cryptographic signature)
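Brian's quoted description of the "smart signing" approach (above, and repeated in his later reply) is the point where the two designs part ways: dnssec-keygen writes Publish/Activate/Inactive/Delete timestamps into the key files, and dnssec-signzone -S uses them to decide which DNSKEY records belong in the zone and which keys sign it. The following Python model of that selection is an added example, not code from BIND or ZKT. It parses the `; Publish:`-style timing comments in BIND-format K*.key files, computes key tags per RFC 4034 Appendix B, and reports the DNSKEY RRset and the signing keys for a given time. The key repository is constructed, the base64 public keys are placeholders rather than real keys, and treating keys without timing metadata as published and active is an assumption made here for legacy key files.

```python
"""Select DNSKEY records the way "smart signing" (dnssec-signzone -S) does, from
the Publish/Activate/Revoke/Inactive/Delete stamps in BIND-style K*.key files.
Added example with constructed data; not code from BIND or ZKT."""
import base64
import re
from datetime import datetime, timezone

META_RE = re.compile(r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})")
DNSKEY_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")
REVOKE_FLAG = 0x0080  # RFC 5011 revoke bit; setting it changes the key tag

def parse_time(stamp):
    """dnssec-keygen timing stamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_key_file(text):
    """Read the timing comments and the DNSKEY record out of one K*.key file."""
    key = {"times": {}}
    for line in text.splitlines():
        m = META_RE.match(line)
        if m:
            key["times"][m.group(1)] = parse_time(m.group(2))
            continue
        m = DNSKEY_RE.match(line)
        if m:
            key["name"] = m.group(1)
            key["flags"], key["protocol"], key["algorithm"] = (int(m.group(i)) for i in (2, 3, 4))
            key["pubkey"] = base64.b64decode(m.group(5))
    if "pubkey" not in key:
        raise ValueError("no DNSKEY record in key file")
    key["tag"] = key_tag(key["flags"], key["protocol"], key["algorithm"], key["pubkey"])
    return key

def smart_select(keys, now):
    """Decide which keys are in the DNSKEY RRset and which sign at time `now`.

    A key is in the zone from Publish until Delete and signs from Activate until
    Inactive; once Revoke has passed it is published with the revoke bit set.
    Keys without Publish/Activate stamps are treated as published and active
    (an assumption made here for legacy key files). `now` may be a datetime or
    a 14-digit stamp string."""
    if isinstance(now, str):
        now = parse_time(now)
    published, signing, rrset = [], [], []
    for key in keys:
        t = key["times"]
        def reached(event):
            return event in t and t[event] <= now
        in_zone = ("Publish" not in t or reached("Publish")) and not reached("Delete")
        active = ("Activate" not in t or reached("Activate")) and not reached("Inactive")
        if not in_zone:
            continue
        flags = key["flags"] | (REVOKE_FLAG if reached("Revoke") else 0)
        tag = key_tag(flags, key["protocol"], key["algorithm"], key["pubkey"])
        published.append(tag)
        rrset.append(f'{key["name"]} IN DNSKEY {flags} {key["protocol"]} {key["algorithm"]} '
                     f'{base64.b64encode(key["pubkey"]).decode()} ; key id = {tag}')
        if active:
            signing.append(tag)
    return {"published": sorted(published), "signing": sorted(signing), "dnskey": rrset}

# Constructed key repository: a KSK, a retiring ZSK, its successor and a
# pre-published future ZSK. The base64 public keys are tiny placeholders.
SAMPLE_KEY_FILES = {
    "Kexample.com.+008+01291.key":
        "; This is a key-signing key, keyid 1291, for example.com.\n"
        "; Publish: 20130101000000 (Tue Jan  1 00:00:00 2013)\n"
        "; Activate: 20130101000000 (Tue Jan  1 00:00:00 2013)\n"
        "example.com. IN DNSKEY 257 3 8 AQI=\n",
    "Kexample.com.+008+01048.key":
        "; Publish: 20121201000000 (Sat Dec  1 00:00:00 2012)\n"
        "; Activate: 20121201000000 (Sat Dec  1 00:00:00 2012)\n"
        "; Inactive: 20130110000000 (Thu Jan 10 00:00:00 2013)\n"
        "; Delete: 20130120000000 (Sun Jan 20 00:00:00 2013)\n"
        "example.com. IN DNSKEY 256 3 8 ABA=\n",
    "Kexample.com.+008+01064.key":
        "; Publish: 20130105000000 (Sat Jan  5 00:00:00 2013)\n"
        "; Activate: 20130110000000 (Thu Jan 10 00:00:00 2013)\n"
        "example.com. IN DNSKEY 256 3 8 ACA=\n",
    "Kexample.com.+008+01080.key":
        "; Publish: 20130201000000 (Fri Feb  1 00:00:00 2013)\n"
        "; Activate: 20130215000000 (Fri Feb 15 00:00:00 2013)\n"
        "example.com. IN DNSKEY 256 3 8 ADA=\n",
}

def load_keys(files):
    """Parse every *.key entry of a {filename: contents} map (the repository)."""
    return [parse_key_file(text) for name, text in sorted(files.items()) if name.endswith(".key")]
```

Running `smart_select(load_keys(SAMPLE_KEY_FILES), "20130115000000")` puts the KSK, the retiring ZSK and its successor in the DNSKEY RRset but lets only the KSK and the new ZSK sign; ten days later the old ZSK has passed its Delete time and drops out of the RRset, and in February the pre-published ZSK appears in the RRset without signing. That is the policy a key-management tool has to encode in those four timestamps when it hands keys to dnssec-signzone -S, and the retired-but-still-published window is what keeps cached RRSIGs validating during a rollover.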
Re: [zkt-users] zkt key format and smart signing?
On 1/10/13 12:17 PM, Brian Kroth wrote:
> It seems that zkt can do some of the "smart signing" (inclusion of
> appropriate ds and dnskey records) as well, though requires a different
> zone layout for me to be able to use it.

This only answers a small portion of your overall question, but one easy
way to get a zonefile into the format that zkt wants is to use
named-compilezone in the BIND distribution. named-compilezone (simply a
different invocation of named-checkzone) also does sanity/syntax checking
on the zone itself, so that's an added benefit.

When I worked at UC Berkeley, I used zkt for the signing and key management
of hundreds of zones, and adding named-compilezone to all of the perl goo
that manages zonefiles and builds them out from the backend database was
really easy. Then all I had to do was let zkt do its magic.

Some reasonable invocation of 'named-compilezone -F text' will work for
this purpose.

michael
Re: [zkt-users] zkt key format and smart signing?
Michael Sinatra 2013-01-10 13:58:
> On 1/10/13 12:17 PM, Brian Kroth wrote:
> > It seems that zkt can do some of the "smart signing" (inclusion of
> > appropriate ds and dnskey records) as well, though requires a different
> > zone layout for me to be able to use it.
>
> This only answers a small portion of your overall question, but one easy
> way to get a zonefile into the format that zkt wants is to use
> named-compilezone in the BIND distribution. named-compilezone (simply a
> different invocation of named-checkzone) also does sanity/syntax checking
> on the zone itself, so that's an added benefit.
>
> When I worked at UC Berkeley, I used zkt for the signing and key
> management of hundreds of zones, and adding named-compilezone to all of
> the perl goo that manages zonefiles and builds them out from the backend
> database was really easy. Then all I had to do was let zkt do its magic.
>
> Some reasonable invocation of 'named-compilezone -F text' will work for
> this purpose.
>
> michael

Yeah, we already do that (UW Madison CoE). The rest of it is reorganizing
things into a hierarchical directory structure, which isn't that hard to
do, but I didn't want to go through the effort if I could avoid it. Right
now everything is just in one flat directory and since I never need to go
look at things manually, I don't really care about how well it's organized.

It also turns out to be more along the lines of what the smart signing
dnssec-signzone option wants, but then I have to implement all of the key
management policies on my own which is a pain to parse, code up, and
automate according to RFC standards - which is what zkt seems to have done
already (more or less).

So, did you use zkt to do the signing or just the key management? Mind
sharing some of the details (if you still have them)?

Thanks,
Brian

signature.asc (Digital signature)
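Michael's suggestion of running zone files through `named-compilezone -F text` before handing them to zkt (quoted above, and confirmed by Brian as what his site already does) works because the output is canonical: one fully qualified record per line, with `$ORIGIN`, `$TTL`, `$INCLUDE`, relative names and parenthesised SOA records all resolved, and with the same sanity checks named-checkzone applies. The Python sketch below is an added example, not BIND's code and not a byte-exact reproduction of named-compilezone's output; it shows the normalisation steps on a constructed zone that uses the `$INCLUDE dnskey.db` layout Holger describes. The `files` map stands in for the filesystem so the `$INCLUDE` resolves offline, and the DNSKEY in it is placeholder key material, not a real key.

```python
"""Normalise a BIND master-format zone to one fully qualified record per line
(roughly what `named-compilezone -F text` emits) plus two named-checkzone style
sanity checks. Added example with constructed data; not code from BIND or ZKT."""
import re

TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
CLASSES = {"IN", "CH", "HS"}
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}  # rdata name fields
COMMENT_RE = re.compile(r'^((?:[^";]|"[^"]*")*)')  # text before a ';' that is outside quotes

def parse_ttl(tok):
    """'3600' or '1h30m' -> seconds; None when tok is not a TTL."""
    if tok.isdigit():
        return int(tok)
    if not re.fullmatch(r"(?:\d+[smhdw])+", tok.lower()):
        return None
    return sum(int(n) * TTL_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", tok.lower()))

def qualify(name, origin):
    """Fully qualify a name against the current $ORIGIN ('@' is the origin itself)."""
    return name if name.endswith(".") else origin if name == "@" else f"{name}.{origin}"

def logical_lines(text):
    """Yield records with comments stripped and parenthesised continuations joined."""
    current, depth = "", 0
    for raw in text.splitlines():
        line = COMMENT_RE.match(raw).group(1)
        depth += line.count("(") - line.count(")")
        current = current + " " + line.strip() if current.strip() else line
        if depth > 0:
            continue
        if current.strip():
            yield current.replace("(", " ").replace(")", " ")
        current = ""

def _parse(text, origin, default_ttl, files, records):
    last_owner = None
    for line in logical_lines(text):
        tokens = line.split()
        directive = tokens[0].upper()
        if directive == "$ORIGIN":
            origin = qualify(tokens[1], origin)
            continue
        if directive == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if directive == "$INCLUDE":  # `files` stands in for the filesystem
            inc_origin = qualify(tokens[2], origin) if len(tokens) > 2 else origin
            _parse(files[tokens[1]], inc_origin, default_ttl, files, records)
            continue
        # A blank owner field means "same owner as the previous record".
        owner = last_owner if line[0].isspace() else qualify(tokens.pop(0), origin)
        ttl, rclass = None, "IN"  # TTL and class are optional and may come in either order
        while tokens and (tokens[0].upper() in CLASSES or parse_ttl(tokens[0]) is not None):
            tok = tokens.pop(0)
            rclass, ttl = (tok.upper(), ttl) if tok.upper() in CLASSES else (rclass, parse_ttl(tok))
        ttl = default_ttl if ttl is None else ttl
        if owner is None or ttl is None or not tokens:
            raise ValueError("owner, TTL ($TTL missing?) or type missing: " + line.strip())
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_FIELDS.get(rtype, []):
            rdata[i] = qualify(rdata[i], origin)
        records.append((owner, ttl, rclass, rtype, " ".join(rdata)))
        last_owner = owner

def compile_zone(text, zone_name, files=None):
    """Return (owner, ttl, class, type, rdata) tuples, or raise ValueError."""
    apex = zone_name if zone_name.endswith(".") else zone_name + "."
    records = []
    _parse(text, apex, None, files or {}, records)
    soa = [r for r in records if r[3] == "SOA"]
    if len(soa) != 1 or soa[0][0] != apex:
        raise ValueError("zone needs exactly one SOA record at the apex")
    for owner, *_ in records:
        if owner != apex and not owner.endswith("." + apex):
            raise ValueError("out-of-zone data: " + owner)
    return records

def render(records):
    return "".join(f"{o}\t{ttl}\t{c}\t{t}\t{rd}\n" for o, ttl, c, t, rd in records)

SAMPLE_ZONE = """\
$TTL 1h
$ORIGIN example.com.
@       IN SOA ns1 hostmaster.example.com. (
            2013011001  ; serial, yyyymmddnn
            3600 900 1209600 300 )
        IN NS  ns1
        IN MX  10 mail
ns1     IN A   192.0.2.1
mail    IN A   192.0.2.25
www 300 IN A   192.0.2.10
_dmarc  IN TXT "v=DMARC1; p=none"
$INCLUDE dnskey.db
"""
# Stands in for the dnskey.db that zkt expects to be $INCLUDEd; placeholder key material.
SAMPLE_FILES = {"dnskey.db": "@ 3600 IN DNSKEY 256 3 8 ABA= ; placeholder, not a real key\n"}
```

`render(compile_zone(SAMPLE_ZONE, "example.com", SAMPLE_FILES))` prints tab-separated lines such as `example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2013011001 3600 900 1209600 300`, with the MX target qualified to `mail.example.com.`, the semicolon inside the TXT string preserved, and the included DNSKEY attached to the apex. A zone with no SOA, or a record whose owner lies outside the zone, raises `ValueError`, which is the kind of problem named-checkzone catches before a broken zone reaches the signer.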