[Opendnssec-user] Random question re Dynamic DNS

Petr Spacek pspacek at redhat.com
Fri Jan 15 08:28:36 UTC 2016


On 12.1.2016 22:32, Jakob Schlyter wrote:
> On 12 jan. 2016, at 22:09, Jake Zack <jake.zack at cira.ca> wrote:
> 
>> Is there an official (or an unofficial, I guess) adapter available that’d handle incoming dynamic DNS updates and have OpenDNSSEC sign them?
> 
> Not that I'm aware of. We did discuss something like that a couple of years ago, but ended up thinking it was too complex given different AuthN/AuthZ methods et al.
> 
>> Or must I go dynamic to an intermediary box and do IXFR’s and thus a re-signing (with some signatures re-used)?
> 
> Yes, you need a primary master to handle the updates. The signer will only resign what's needed of course.

An alternative is to use OpenDNSSEC for key maintenance and BIND 9.10 with
in-line signing as the master which accepts the updates.

We did this in the FreeIPA project and it works, but you need quite a lot of 'glue
logic' to create and update BIND key files (these are just references to keys
inside PKCS#11 modules).

The trick is generally in replacing ods-signerd with a custom implementation
which takes a list of keys for a particular zone and generates BIND key files
(using the dnssec-keyfromlabel utility) instead of signing the zone.


If you are interested in this you can have a look at:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm
(Do not be scared, FreeIPA does some additional magic for key distribution
because FreeIPA DNS is multi-master :-)

OpenDNSSEC key exporter is available from:
https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/dnssec/ipa-ods-exporter?id=58c42ddac0964a8cce7c1e1faa7516da53f028ad

Please note that this exports key metadata and wrapped key material into LDAP.
For single-master you do not need that at all, so you can rip off big chunks of
code: generally you could ignore calls to
> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
> master2ldap_master_keys_sync(log, ldapkeydb, localhsm)
completely and just rewrite
> master2ldap_zone_keys_sync(log, ldapkeydb, localhsm)
to run dnssec-keyfromlabel.

I hope this helps to understand the possibilities.

-- 
Petr Spacek  @  Red Hat
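As an added illustration of the "custom implementation which generates BIND key files using dnssec-keyfromlabel" idea above (this is not FreeIPA's ipa-ods-exporter nor any OpenDNSSEC code), the following Python sketch takes a per-zone key list and builds the dnssec-keyfromlabel invocations. The `ZoneKey` record shape and the PKCS#11 URI labels are assumptions for the example; the command-line flags (`-K`, `-a`, `-f KSK`, `-l`) follow the BIND 9.10 dnssec-keyfromlabel man page. Commands are passed as an argv list, never through a shell, so a label string cannot be turned into shell syntax.

```python
import shlex
import subprocess
from dataclasses import dataclass
from typing import List

# Hypothetical key record: what a replacement for ods-signerd would receive per
# zone (zone name, PKCS#11 label of the key pair, DNSKEY algorithm, KSK or ZSK).
@dataclass(frozen=True)
class ZoneKey:
    zone: str
    label: str       # PKCS#11 URI (native PKCS#11 in BIND 9.10) or "engine:label"
    algorithm: str   # e.g. "RSASHA256"
    ksk: bool


def keyfromlabel_argv(key: ZoneKey, keydir: str) -> List[str]:
    """Build the dnssec-keyfromlabel invocation for one key.

    Flags as documented for BIND 9.10 dnssec-keyfromlabel:
      -K dir    directory for the generated K<zone>+<alg>+<id>.key/.private files
      -a alg    DNSKEY algorithm
      -f KSK    set the SEP bit (KSK); omitted for a ZSK
      -l label  label of the already-existing key pair in the HSM
    Returned as an argv list so that it is executed without a shell.
    """
    argv = ["dnssec-keyfromlabel", "-K", keydir, "-a", key.algorithm]
    if key.ksk:
        argv += ["-f", "KSK"]
    argv += ["-l", key.label, key.zone]
    return argv


def sync_zone_keys(keys, keydir, run=False):
    """Generate BIND key files for every key of a zone.

    With run=False (default) the commands are only built and returned as
    shell-quoted strings for review/logging. With run=True each command is
    executed; the key name printed by dnssec-keyfromlabel (e.g.
    Kexample.com.+008+12345) is collected. A non-zero exit aborts the sync so a
    half-populated key directory is not silently left behind.
    """
    results = []
    for key in keys:
        argv = keyfromlabel_argv(key, keydir)
        if not run:
            results.append(" ".join(shlex.quote(a) for a in argv))
            continue
        proc = subprocess.run(argv, capture_output=True, text=True, check=False)
        if proc.returncode != 0:
            raise RuntimeError(f"{argv[0]} failed for {key.label}: {proc.stderr.strip()}")
        results.append(proc.stdout.strip().splitlines()[0])
    return results


# Constructed sample input: one KSK and one ZSK for example.com.
SAMPLE_KEYS = [
    ZoneKey("example.com.", "pkcs11:object=example-com-ksk;pin-source=/etc/named/pin", "RSASHA256", True),
    ZoneKey("example.com.", "pkcs11:object=example-com-zsk;pin-source=/etc/named/pin", "RSASHA256", False),
]

if __name__ == "__main__":
    # Dry run: print the commands that would create the BIND key files.
    for line in sync_zone_keys(SAMPLE_KEYS, "/var/named/keys"):
        print(line)
```

In a real deployment the key list would come from the OpenDNSSEC enforcer's view of the zone (including which keys are currently active or published), and the sync would be re-run whenever that list changes; the sketch only covers the file-generation step.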


