[Opendnssec-user] Question about DNSSEC
mje at posix.co.za
Sun Aug 31 20:12:56 UTC 2014
On Sun, 2014-08-31 at 17:54 +0000, Abdalmonem Tharwat Galila wrote:
> Hi ,
> I have many questions in my mind about DNSSEC , could you help me to
> find an answer ?
I'm sure the list can answer a few questions but I'd strongly suggest
going on a formal DNS/DNSSEC course. The OpenDNSSEC folk have a two (?)
day course in Stockholm. I've attended this and its a good practical
course on OpenDNSSEC. Its free as well - as I remember??
I've also mentioned what you could get in South Africa on the Advanced
DSN course. (http://dnstraining.coza.net.za)
There are other courses run in Europe and the US.
DNSSEC can bite you - even if you are a rocket scientist. From the
questions you are asking - please consider training. I can see that you
have a 2048 bit type-8 KSK - Thats good (and the default). The ZSK is a
1024 bit type-8 key. Some may argue it should be longer... but its the
default and not bad. Are you running NSEC or NSEC3? Are you using
Opt-Out if you are running NSEC3?
> 1) Which details required to be sent to parent ?
The DS records - which are hashes of the KSK record.
> 1-1) How can i get this data from OpenDNSSEC ?
ods-ksmutil key export --zone xn--wgbh1c --ds
to make a key "ds-seen"... (ONLY once propagated)
ods-ksmutil key ds-seen --zone xn--wgbh1c --keytag 60047
> 1-2) every time opendnssec resigns the zone , this data should
> be sent to parent !!!
No, only on a KSK rollover.
> 2) How can i manage rollover process ?
Its parameters you should have set in /etc/opendnssec/kasp.xml
...is a KSK key rollover once a year. There is so much more to it than
Essentially, when you get a new key, send its DS records to your parent
(IANA), wait for propagation - perhaps a week or two, then remove the
old DS records from the Parent.
> 3) How can i backup keys and slots ?
> 4) How to backup DB ?
> 5) How to upgrade OpenDNSSEC ? are there any notes about that ?
> 6) How can i clone the current system to another one without any
> failure ? are there any notes about that ?
> 7) are there any yum repo to install opendnssec ?
> If there any tutorials that has my questions answer , i appreciate
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5810 bytes
Desc: not available
More information about the Opendnssec-user