[Opendnssec-user] signing dns views

Rick van Rein rick at openfortress.nl
Wed Oct 26 14:48:20 UTC 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Scott,

>  If I have a different view for external (from the Internet) queries, than for internal queries (from my own network), does anyone know if it is possible to sign different views with ods? 

Principally, this could be done.  The only link from the parent
zone to the two versions of child zone are the DS records that
point to the DNSKEYs.  You will want to use the same DNSKEYs in
both views, at least the KSKs (marked with 257 flags) should match.

The practical way with OpenDNSSEC is probably to setup one policy
into which both zones are important, and to set <SharedKeys/> for
that policy.  That way, the keys are properly shared.

The problem that I expect you will run into, is that you would
have two zones with the same name in one OpenDNSSEC instance.  And
it'd have to be one instance, if you want to continue sharing the
KSKs.  No idea if this could be considered a "feature" to add, it's
a bit of a stretch...


So, here's another scenario.  You would create two separate
instances of OpenDNSSEC, each signing a version of the zone.
They also create their own KSKs and roll them independently.
Then, using the possibility to enter multiple DS's into the
parent zone, you would simply add one for each in your parent.

Be sure to use the exact same set of algorithms (probably just
RSA-SHA1 and/or RSA-SHA256) on both zones, or else you will
see failures -- for each algorithm there must be a valid trace
from parent to child; even if you (i.c. BIND) don't check it,
someone else (i.c. Unbound) will.

The ugly bit of this is that everyone would see your internal
zone's DS, assuming that you didn't split the parent as well :)


So, here's a third scenario.  You could just setup an internal
zone (and wonder if it needs signing, when you can trust your
LAN) and specify in your resolvers (who probably are behind the
same perimeter) the secure entry point of your choice for the
internal view of the zone.


Pfew, this is complicated -- and fun :)

I hope I made some sense to you with these suggestions.


Cheers,
Rick van Rein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: New to PGP? http://openfortress.nl/doc/essay/OpenPGP/index.nl.html

iD8DBQFOqB2zFBGpwol1RgYRAg9zAJ92VgBMK9UvMRHSSLKGBdChYD47/wCfZ9Kv
s29fv5fhXTpZ9th3c3qmD2o=
=VDU3
-----END PGP SIGNATURE-----

More information about the Opendnssec-user mailing list