[Opendnssec-user] Installation notes for OpenDNSSEC 1.0a3 on Ubuntu server 8.04.3

Sebastian Castro sebastian at nzrs.net.nz
Thu Sep 10 22:17:15 UTC 2009


Antoin Verschuren wrote:
> Hi All,
> 
> I thought some of you might be interested in my installation notes getting OpenDNSSEC running.
> As a typical non-experienced-developer and non-experienced-sysadmin, I managed to get things running.
> I've made some additions compared to the current user guide that may be difficult to guess for dummies like me.
> Please find the notes attached, I'll discuss with the team if/how we could get these in the user manual.
> 
> I have some remarks/questions though:
> 
> This was the first time I used OpenDNSSEC to actually sign anything with NSEC3.
> Compared to Bind's dnssec-signzone I previously used to sign with NSEC, I see some differences.
> Please forgive my ignorant questions:
> 
> -I don't see any commenting of the key-id's in the resulting signed zone for the DNSKEY records.
> Though not needed for things to work, I think this is handy for bug tracing. 
> Is this an option, or not considered to be implemented at all ?

Actually it is implemented.

The process followed by OpenDNSSEC is more or less the following (this
is from my experience playing with it).

Sort the zone -> generate NSEC(3) records -> Sign the zone -> Generate
the final version

The "sign the zone" process actually adds the Key Id as a comment for
the DNSKEY records, but later the "finalizer" (that takes the signed
zone and puts the SOA record as first record) deletes those comments.

For example, from my testbed I get:

co.nz.  3600    IN      DNSKEY  256 3 7
AwEAAZyFVcu0YB5+IwHRC29WJIi3vcf5O729hLnu/7ttdJl6wXD63srb2iahOYWcLtaW/kbglQCwitaMRE8WxQ5QypEPdrNxP3T0fCqudJ5v+g1ZpGfUN7c9mIB8TJIQw9Ns1NW7rzPakdHmBTWEupCrbtMRobPNVp6nRj+6xUnIzINt
;{id = 23784 (zsk), size = 1024b}
co.nz.  3600    IN      DNSKEY  256 3 7
AwEAAcX6lhJ3v9kTY/8+TdfSkmb4XIfW1I1uRBKTk6tLKBQTyAcRE5rq4HqRsREr9J+qUYU9tUWcaESFeAbrIqrS7PeQVxhYosNdJ3bR0zB73UKM5+yApJdKqaXGRhO7njmPZdi3IqVGVc/2HUS78p285oWTtkK16SNSFzyX8e/flw1V
;{id = 13322 (zsk), size = 1024b}

On my /var/opendnssec/tmp/co.nz.signed

But the version to be loaded in the nameservers doesn't contain the
comments:

co.nz.  3600    IN      DNSKEY  256 3 7
AwEAAZyFVcu0YB5+IwHRC29WJIi3vcf5O729hLnu/7ttdJl6wXD63srb2iahOYWcLtaW/kbglQCwitaMRE8WxQ5QypEPdrNxP3T0fCqudJ5v+g1ZpGfUN7c9mIB8TJIQw9Ns1NW7rzPakdHmBTWEupCrbtMRobPNVp6nRj+6xUnIzINt

co.nz.  3600    IN      DNSKEY  256 3 7
AwEAAcX6lhJ3v9kTY/8+TdfSkmb4XIfW1I1uRBKTk6tLKBQTyAcRE5rq4HqRsREr9J+qUYU9tUWcaESFeAbrIqrS7PeQVxhYosNdJ3bR0zB73UKM5+yApJdKqaXGRhO7njmPZdi3IqVGVc/2HUS78p285oWTtkK16SNSFzyX8e/flw1V

(this is from the version available on /var/opendnssec/signed, the
directory where the signed zones are copied).


> 
> -dnssec-signzone signs the DNSKEY RR-set with both KSK and ZSK.
> I see in my result from OpenDNSSEC over the DNSKEY RR-set only one RRSIG, assuming that this is the signature from the KSK since the key-id is different from all the other RRSIG's.
> Is this difference in behavior documented anywhere ?
> 

Kind Regards
Sebastian Castro

> 
> Antoin Verschuren
> 
> Technical Policy Advisor SIDN
> Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
> 
> P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
> mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl  http://www.sidn.nl/
> 
> 
> 
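
An added example, not part of the original message and not OpenDNSSEC code: the key id in those comments is the RFC 4034 Appendix B key tag computed over the DNSKEY RDATA, so the comment the finalizer drops can be rebuilt from the finalized zone itself. The function names are hypothetical, the size calculation assumes an RSA key (algorithm 7 here), and the comment format is copied from the tmp file quoted above.

```python
import base64
import struct

# DNSKEY records copied from the finalized zone quoted in the message above
# (comments already stripped, base64 wrapped onto its own line).
FINAL_ZONE = """\
co.nz.  3600    IN      DNSKEY  256 3 7
AwEAAZyFVcu0YB5+IwHRC29WJIi3vcf5O729hLnu/7ttdJl6wXD63srb2iahOYWcLtaW/kbglQCwitaMRE8WxQ5QypEPdrNxP3T0fCqudJ5v+g1ZpGfUN7c9mIB8TJIQw9Ns1NW7rzPakdHmBTWEupCrbtMRobPNVp6nRj+6xUnIzINt

co.nz.  3600    IN      DNSKEY  256 3 7
AwEAAcX6lhJ3v9kTY/8+TdfSkmb4XIfW1I1uRBKTk6tLKBQTyAcRE5rq4HqRsREr9J+qUYU9tUWcaESFeAbrIqrS7PeQVxhYosNdJ3bR0zB73UKM5+yApJdKqaXGRhO7njmPZdi3IqVGVc/2HUS78p285oWTtkK16SNSFzyX8e/flw1V
"""

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rsa_modulus_bits(pubkey):
    """Modulus size of an RFC 3110 RSA key: exponent length, exponent, modulus."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:  # long form: exponent length is in the next two bytes
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    return 8 * len(pubkey[offset + exp_len:])

def dnskey_comments(zone_text):
    """Rebuild the ';{id = ...}' comment for each DNSKEY record in zone_text."""
    records, current = [], None
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop any existing comment
        if "DNSKEY" in fields and "RRSIG" not in fields:  # skip RRSIGs covering DNSKEY
            current = fields[fields.index("DNSKEY") + 1:]
            records.append(current)
        elif current is not None and len(fields) == 1:
            current.extend(fields)  # wrapped base64 continuation line
        elif fields:
            current = None  # a different record started
    comments = []
    for flags, protocol, algorithm, *b64 in records:
        flags, pubkey = int(flags), base64.b64decode("".join(b64))
        role = "ksk" if flags & 0x0001 else "zsk"  # SEP bit set means KSK
        tag = key_tag(flags, int(protocol), int(algorithm), pubkey)
        comments.append(";{id = %d (%s), size = %db}" % (tag, role, rsa_modulus_bits(pubkey)))
    return comments

if __name__ == "__main__":
    print("\n".join(dnskey_comments(FINAL_ZONE)))
```

Run against the finalized zone, it reproduces the two comments present in the tmp file, which also gives a way to match an RRSIG's key tag field to the DNSKEY that produced it.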
