voja at voja.de
Fri Jun 24 11:06:51 UTC 2011
I'm currently working on a system that should automate all the stuff
around zone signing, including the update of the DNSKEY material. I see
this as a proof of concept. My needs are that everything works without
me doing anything manually, because I have this for some DNSSEC zones
managed by BIND. KSK rollovers have to be performed manually and I want
to get rid of this.
If I suppose the passed DNSKEYs to be wrong, I could add an extra
check to be sure that the DNSKEYs of the zone served on the nameservers
match the ones that should be sent to the registry. When using a .DE
domain, the registry will perform exactly this check. I can even use the
DENIC check as a web service to check whether the DNSKEYs that OpenDNSSEC
passes to my script are correct. So I think it might be a safe
The upload of the DNSKEY material is no problem. My registrar provides
an interface that takes DNSKEYs as input, regardless of the TLD of the
domain that is used. My registrar does all the DS calculation, if
And I also think that this way should be safe, because you can plug in
an EPP client that would perform the updates with the registry directly.
On Wed, 22 Jun 2011 12:48:48 +0200, Casper Gielen <c.gielen at uvt.nl>
> On 22-06-11 12:33, Volker Janzen wrote:
>> okay, but when I want a complete automation of the roll-over process,
>> I'd need something around OpenDNSSEC that manages:
>> - send DNSKEY data that is supplied by OpenDNSSEC to registrar
> For my environment I've decided that I don't want this step to be
> automated. From a security point of view I think it's a good idea to
> have a human manage the uploading of keys.
> Secondly, fixing a wrong/broken KSK seems rather involved and time
> consuming; I'd prefer to make sure this never happens.
> (Thirdly, as far as I know there is no standardized way for uploading
> keys. My parent expects the keys to be mailed).
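The consistency check Volker describes (the KSKs the signer hands over must already be served by the zone's nameservers before anything goes to the registry) and the DS calculation his registrar performs can both be written in a few lines of stdlib Python. The following is an added example by the editor, not code from OpenDNSSEC, DENIC or the original post. The DNSKEY lines, the owner name example.de. and the public-key bytes are constructed for the demonstration (the "keys" are short dummy byte strings, not real RSA material); the DS computation follows RFC 4034 §5.1.4 and the key tag RFC 4034 Appendix B.

```python
"""Compute DS records from DNSKEY RRs and check that the KSKs a signer wants
published are actually served by the zone before submitting them to the parent.

Added example: the sample DNSKEY lines below are constructed, not real keys.
"""
import base64
import hashlib
import struct

SEP_FLAG = 0x0001                  # Secure Entry Point bit: marks a KSK
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types (RFC 4034 / RFC 4509)


def owner_wire(name: str) -> bytes:
    """Canonical wire format of an owner name: lowercase labels, each
    length-prefixed, terminated by the root label (RFC 4034 §6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """DS RR in presentation format: digest is over owner name || DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower()} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags protocol algorithm key...' (key may be split)."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    return tokens[0], flags, protocol, algorithm, "".join(tokens[i + 4:])


def check_ksks(signer_lines, served_lines, digest_type: int = 2):
    """Compare the KSKs (SEP flag set) the signer wants at the parent with the
    KSKs the nameservers actually serve, as DS records.

    Returns (ok, missing, extra). ok is True only when every signer KSK is
    served; extra KSKs in the zone are allowed, since during a rollover the
    zone legitimately carries the old and the new KSK at the same time."""
    def ds_set(lines):
        return {ds_record(*parse_dnskey(l), digest_type)
                for l in lines if parse_dnskey(l)[1] & SEP_FLAG}
    want, have = ds_set(signer_lines), ds_set(served_lines)
    return (bool(want) and want <= have), want - have, have - want


# Constructed sample data: what the signer passes to the upload script, and
# what a query for example.de. DNSKEY against the public nameservers returned.
SIGNER_KEYS = ["example.de. IN DNSKEY 257 3 8 AQIDBA=="]
SERVED_KEYS = ["example.de. 3600 IN DNSKEY 257 3 8 AQIDBA==",
               "example.de. 3600 IN DNSKEY 256 3 8 BQYHCA=="]   # ZSK, ignored

if __name__ == "__main__":
    ok, missing, extra = check_ksks(SIGNER_KEYS, SERVED_KEYS)
    print("safe to submit" if ok else f"ABORT, not served: {missing}")
    for line in SIGNER_KEYS:
        print(ds_record(*parse_dnskey(line)))
```

In the automated flow the upload script would run `check_ksks` against DNSKEY answers fetched from each authoritative server and abort the registry update on a mismatch, which is the same property the DENIC check enforces at submission time, only caught one step earlier.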