[Opendnssec-user] ods-dsseen: automatic activation of DNSKEYS

C. Gielen C.Gielen at uvt.nl
Thu Feb 21 22:47:09 UTC 2013


On Thu, 21 Feb 2013 18:02:02 +0000, Rick van Rein <rick at openfortress.nl>
wrote:
> Hi Casper,
> 
> Cool :)
> 
>> I've written a little script that checks if a DS is available from DNS
>> and, if so, automatically issues the ds-seen command. It's a replacement
>> for manually checking the DS and calling "ods-ksmutil key ds-seen ....".
> 
> We're rolling out a similar thing at SURFnet, which could be an alternative
> to this script, at least for some users.  Our thing automates all stages from
> DNSKEY publication by ods-signer to ds-seen (and ds-unseen for 2.0 up).
> 
> I'll write a posting about that on our blog https://dnssec.surfnet.nl/
> in a while.  After my head stops spinning from flu :-S

Sounds good. I have some more scripts to automate other parts of the
procedure, but I'm not entirely happy with them and they are somewhat
specific to our environment, so I'm interested in what you have cooked up.

>> Warning 1: This may be a stupid idea. It could be argued that human
>> validation of this step is a good thing. Do not use this script if you do
>> not completely understand what it does.
> 
> The real harm would have been done then I think?  If you want to check
> manually, it ought to be done when rolling your DNSKEY and/or DS uphill
> (to the parent).  When it starts rolling down on the other side of the
> hilltop it's probably too late to stop?
Yes, uploading the new key is the most important step, and I'm convinced
there is no harm in automating this step (otherwise I wouldn't have done
it).
From a security perspective there is no problem at all.
However, if mistakes are made things can get messy and there is only a very
basic validation in the script. However, the immediate reason for writing
this script is that the humans were also making mistakes.

>> Warning 2: This script has not been properly tested. Do not use it in a
>> production environment.
> 
> Ah, you're looking for alpha testers ;-)
> 
>> I'm looking for opinions on if this is a useful solution or accident
>> waiting to happen.

I do use it in my production environment and I think we are better off with it
than without, but I don't want to create too much of an expectation. The
validation done by this script is rather simple and there are a few cases
where it will fail (for example, it only checks one DNS server; secondly, it
only looks at the keytag, which is not guaranteed to be unique).

> Did you like the interface of OpenDNSSEC?  I didn't like that it refused
> to silently ignore repeated ds-seen due to a script that somehow missed
> a previous ds-seen.

It is indeed a bit verbose at times. The warnings about duplicate ds-seens
have been a cause of concern at one time. My personal pet annoyance is that
every call to ods-keytool starts with output from MySQL. However, filtering
it out is easy.
Slightly more annoying is that many operations, like exporting a key, are
rather slow, often taking up to a second. When running a script like this
over hundreds of zones it becomes a bit painful.

-- 
Casper Gielen 
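As an added example (not Casper's script, which is not posted here, and not part of OpenDNSSEC itself), the check below addresses the two failure modes named in the thread: it compares the full DS record rather than only the keytag, and it requires every queried parent nameserver to agree before the ds-seen command is built. The `dig` call, the zone name, the digests and the server answers are all assumed or constructed sample data.

```python
"""Decide whether a zone's DS is really live at the parent before issuing ds-seen."""
from __future__ import annotations
from dataclasses import dataclass
import subprocess

@dataclass(frozen=True)
class DS:
    keytag: int
    algorithm: int
    digest_type: int
    digest: str  # hex digest, upper-case, whitespace removed

def parse_ds(rdata: str) -> DS:
    """Parse DS presentation format, e.g. '12345 8 2 ABCD...' (digest may be split)."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"bad DS rdata: {rdata!r}")
    return DS(int(fields[0]), int(fields[1]), int(fields[2]), "".join(fields[3:]).upper())

def query_ds(zone: str, server: str) -> list[str]:
    """Ask one parent-side server for the DS RRset (assumes `dig` is installed)."""
    out = subprocess.run(["dig", "+short", "DS", zone, f"@{server}"],
                         capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line.strip()]

def ds_confirmed(expected: DS, answers: dict[str, list[str]]) -> bool:
    """True only if every server's DS RRset contains the expected record in full.
    Matching keytag+algorithm+digest type+digest rules out keytag collisions;
    requiring all servers rules out acting on one server that is still stale."""
    if not answers:
        return False
    return all(expected in {parse_ds(r) for r in rdatas} for rdatas in answers.values())

def ds_seen_command(zone: str, ds: DS) -> list[str]:
    """The ods-ksmutil invocation the thread describes; returned, not executed."""
    return ["ods-ksmutil", "key", "ds-seen", "--zone", zone, "--keytag", str(ds.keytag)]

# Constructed sample data (not real keys): the new DS, and three parent-server scenarios.
NEW_DS = parse_ds("12345 8 2 " + "AB" * 32)
OLD_DS_RDATA = "11111 8 2 " + "CD" * 32                 # previous key, still published
SAME_TAG_RDATA = "12345 8 2 " + "EF" * 32               # keytag collision, different key
ANSWERS_OK = {"ns1.parent.example": [OLD_DS_RDATA, "12345 8 2 " + "AB" * 32],
              "ns2.parent.example": ["12345 8 2 " + "AB" * 32]}
ANSWERS_STALE = {"ns1.parent.example": ["12345 8 2 " + "AB" * 32],
                 "ns2.parent.example": [OLD_DS_RDATA]}  # one server not yet updated
ANSWERS_COLLISION = {"ns1.parent.example": [SAME_TAG_RDATA]}

if __name__ == "__main__":
    if ds_confirmed(NEW_DS, ANSWERS_OK):
        print(" ".join(ds_seen_command("zone.example", NEW_DS)))
```

Replace the constructed `ANSWERS_*` dictionaries with `{s: query_ds(zone, s) for s in parent_servers}` to run it against real parent servers.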