[Opendnssec-user] Question about DNSSEC

Mark Elkins mje at posix.co.za
Sun Aug 31 20:12:56 UTC 2014

On Sun, 2014-08-31 at 17:54 +0000, Abdalmonem Tharwat Galila wrote:
> Hi , 
> I have many questions in my mind about DNSSEC , could you help me to
> find an answer ?

I'm sure the list can answer a few questions but I'd strongly suggest
going on a formal DNS/DNSSEC course. The OpenDNSSEC folk have a two (?)
day course in Stockholm. I've attended this and its a good practical
course on OpenDNSSEC. Its free as well - as I remember??
I've also mentioned what you could get in South Africa on the Advanced
DSN course. (http://dnstraining.coza.net.za)
There are other courses run in Europe and the US.

DNSSEC can bite you - even if you are a rocket scientist. From the
questions you are asking - please consider training. I can see that you
have a 2048 bit type-8 KSK - Thats good (and the default). The ZSK is a
1024 bit type-8 key. Some may argue it should be longer... but its the
default and not bad. Are you  running NSEC or NSEC3? Are you using
Opt-Out if you are running NSEC3?

> 1) Which details required to be sent to parent ? 
The DS records - which are hashes of the KSK record.

>       1-1)   How can i get this data from OpenDNSSEC ?

ods-ksmutil key export --zone xn--wgbh1c --ds

to make a key "ds-seen"... (ONLY once propagated)
ods-ksmutil key ds-seen --zone xn--wgbh1c --keytag 60047

>       1-2)   every time opendnssec resigns the zone , this data should
> be sent to parent !!!
No, only on a KSK rollover.

> 2) How can i manage rollover process ? 
Its parameters you should have set in /etc/opendnssec/kasp.xml

       <Algorithm length="2048">8</Algorithm>

...is a KSK key rollover once a year. There is so much more to it than
that though.
Essentially, when you get a new key, send its DS records to your parent
(IANA), wait for propagation - perhaps a week or two, then remove the
old DS records from the Parent.

> 3) How can i backup keys and slots ?
> 4) How to backup DB ?
> 5) How to upgrade OpenDNSSEC ? are there any notes about that ?
> 6) How can i clone the current system to another one without any
> failure ? are there any notes about that ?
> 7) are there any yum repo to install opendnssec ?
> If there any tutorials that has  my questions answer , i appreciate
> that.
> Thnx
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5810 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20140831/ec3ad741/attachment.bin>

More information about the Opendnssec-user mailing list