Roadmap for DNSSEC signing/automation?

Roadmap for DNSSEC signing/automation?

Bind-Users forum mailing list

Hello,

Is there a roadmap for DNSSEC signing capabilities?   I'm specifically
wondering if any features are planned to fully automate signing, such
as being able to specify simple zone options like "dnssec-cycle=90d;"
and having bind9 fully manage this, perpetually.

Thx,

-Jim P.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: Roadmap for DNSSEC signing/automation?

Evan Hunt
On Tue, Mar 13, 2018 at 12:30:57PM -0400, Jim Popovitch via bind-users wrote:
> Is there a roadmap for DNSSEC signing capabilities?   I'm specifically
> wondering if any features are planned to fully automate signing, such
> as being able to specify simple zone options like "dnssec-cycle=90d;"
> and having bind9 fully manage this, perpetually.

There are no plans to have named generate keys by itself. However, you can
run the "dnssec-keymgr" tool in a cron job and it'll keep your keys up to
date according to a defined policy, generating new ones as needed, and then
named will use them.  In this way you can fully automate ZSK rollovers.

KSK rollovers are still trickier since they require interaction with
your parent zone. I hope to get support for CDS/CDNSKEY signaling into
dnssec-keymgr, but whether that ultimately will be useful or not depends
on whether domain registrars make use of it.

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.
Re: Roadmap for DNSSEC signing/automation?

Tony Finch
Evan Hunt <[hidden email]> wrote:
>
> KSK rollovers are still trickier since they require interaction with
> your parent zone. I hope to get support for CDS/CDNSKEY signaling into
> dnssec-keymgr, but whether that ultimately will be useful or not depends
> on whether domain registrars make use of it.

Even if your parent doesn't have RFC 7344 support, they probably have some
API you can use (or if you are really stuck you can script their website
with a headless browser). The interlocks and checking that dnssec-keymgr
needs for RFC 7344 will also be useful for supporting generic delegation
update API hooks.

This is one of my longstanding background projects (very slow incremental
progress) both as a parent (e.g. dnssec-cds) and as a child (why I learned
about headless browsers, ugh).

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/  -  I xn--zr8h punycode
Fair Isle: Variable 4 at first in east, otherwise southeast 5 to 7, perhaps
gale 8 later. Moderate or rough. Fair. Good.
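As an added illustration of the "interlocks and checking" a KSK rollover needs before the old key can be withdrawn (example code, not BIND's and not from anyone in this thread): derive the DS for a KSK from its DNSKEY per RFC 4034, reconcile the child's CDS set against the parent's DS set as RFC 7344 describes, and gate retirement of the old KSK on the parent actually publishing the new DS. All record values are constructed; the public key bytes are placeholders, not real keys.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical wire form: lowercase labels, each length-prefixed, root label last."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete algorithm 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types used here

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS RDATA per RFC 4034 section 5.1.4: digest = hash(owner wire name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def ds_delta(child_cds, parent_ds):
    """RFC 7344 reconciliation: DS records the parent must add and remove so its set equals the
    child's CDS set. An absent CDS RRset means "no change", so an empty child set yields no work."""
    if not child_cds:
        return [], []
    cds, ds = set(child_cds), set(parent_ds)
    return sorted(cds - ds), sorted(ds - cds)

def safe_to_retire_old_ksk(owner, new_ksk, parent_ds):
    """Interlock: withdraw the old KSK only once the parent publishes a DS for the new KSK.
    new_ksk is (flags, protocol, algorithm, pubkey_b64) as read from the child's DNSKEY RRset."""
    return ds_from_dnskey(owner, *new_ksk) in set(parent_ds)
```

In practice the parent_ds input comes from querying the parent for the zone's DS RRset (and validating the answer), while child_cds comes from the zone's own CDS RRset.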
AW: Roadmap for DNSSEC signing/automation?

Stelzner, Tore
Hello,
we use dnssec-keymgr for the key management and it is really helpful. My current feature request would be wildcards in the config file but maybe it is already there as I still have to check the updates brought by Bind 9.12.

For KSK updates and rollovers we use some scripts by a third company that work with the API of the domain reseller. At the moment it seems to be very specific for the API of this reseller and so nothing to share.

There is one test domain with a KSK rollover every 4 months so I have something that reminds me that there is still some work to do. My current goal is to add and delete keys with some scripts triggered by the dates in the key files.
Thank you, Tore

--
Tore Stelzner
Technische Universität Darmstadt, Kommunikationssysteme
Hochschulrechenzentrum, Hochschulstr. 1, 64289 Darmstadt
Tel. +49 6151 16-71037, Fax +49 6151 16-71188, http://www.hrz.tu-darmstadt.de 

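As an added example of acting on the dates in the key files (example code, not Tore's scripts and not part of BIND): parse the timing comments that BIND writes into a K<zone>+<alg>+<tag>.key file, derive the key's lifecycle state at a given moment, and report the next scheduled transition, which is what a date-triggered add/delete script needs to decide. The key file below is constructed and its DNSKEY value is a placeholder, not a real key.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the metadata comments BIND writes into a K*.key file (key is a placeholder).
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 1296, for example.com.
; Created: 20180101120000 (Mon Jan  1 12:00:00 2018)
; Publish: 20180101120000 (Mon Jan  1 12:00:00 2018)
; Activate: 20180115120000 (Mon Jan 15 12:00:00 2018)
; Inactive: 20180501120000 (Tue May  1 12:00:00 2018)
; Delete: 20180515120000 (Tue May 15 12:00:00 2018)
example.com. IN DNSKEY 257 3 13 AQI=
"""

EVENTS = ("Publish", "Activate", "Revoke", "Inactive", "Delete")
TIMING_RE = re.compile(r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})", re.M)

def at(stamp):
    """Convert a 14-digit YYYYMMDDHHMMSS timestamp (treated as UTC) to an aware datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_timing(key_file_text):
    """Return {event: datetime} for every timing comment present in the key file."""
    return {name: at(stamp) for name, stamp in TIMING_RE.findall(key_file_text)}

def is_ksk(key_file_text):
    """True when the DNSKEY line has the SEP bit set in its flags (257 for a KSK)."""
    m = re.search(r"\sIN\s+DNSKEY\s+(\d+)\s", key_file_text)
    return m is not None and int(m.group(1)) & 1 == 1

def key_state(timing, now):
    """Lifecycle state at `now`, derived from the timing metadata (the latest reached event wins)."""
    state = "pending"
    for event, label in (("Publish", "published"), ("Activate", "active"),
                         ("Inactive", "retired"), ("Delete", "deleted")):
        if event in timing and now >= timing[event]:
            state = label
    return state

def next_event(timing, now):
    """(event name, datetime) of the next transition after `now`, or None if none remain."""
    future = [(when, name) for name, when in timing.items() if name in EVENTS and when > now]
    if not future:
        return None
    when, name = min(future)
    return name, when
```

A script in the spirit of Tore's goal would walk the key directory, call key_state on each file, and treat "deleted" as the signal that the key file can be removed, after confirming the key is no longer in the zone's DNSKEY RRset.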
Re: AW: Roadmap for DNSSEC signing/automation?

Tony Finch
Stelzner, Tore <[hidden email]> wrote:
>
> For KSK updates and rollovers we use some scripts by a third company
> that work with the API of the domain reseller. At the moment it seems to
> be very specific for the API of this reseller and so nothing to share.

What I would like is a set of tools with a common user interface that can
talk to all sorts of parents with their various proprietary APIs -
registries, registrars, RIRs, ISPs, etc. The hope being that a common CLI
framework makes it easier / more useful to share these API clients (and
reduces the friction for changing suppliers).

I have about 10% of a thing that can talk to 2 of the 3 such suppliers I
currently care about (JANET and RIPE), plus two I used to care about
(Gandi and Nominet EPP). I'm not working on it until either dnssec-keymgr
can do KSK rollovers, or renaming my DNS servers gets to the top of my
priority list...

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/  -  I xn--zr8h punycode
Trafalgar: Southwesterly, veering westerly, 4 or 5 at first in southeast,
otherwise 6 to gale 8, increasing severe gale 9 at times in northwest.
Moderate at first in southeast, otherwise rough or very rough, occasionally
high later in northwest. Rain then showers. Good occasionally poor.