[Opendnssec-user] Random question re Dynamic DNS

Petr Spacek pspacek at redhat.com
Fri Jan 15 08:28:36 UTC 2016

On 12.1.2016 22:32, Jakob Schlyter wrote:
> On 12 jan. 2016, at 22:09, Jake Zack <jake.zack at cira.ca> wrote:
>> Is there an official (or an unofficial, I guess) adapter available that’d handle incoming dynamic DNS updates and have OpenDNSSEC sign them?
> Not that I'm aware of. We did discuss something like that a couple of years ago, but ended up thinking it was too complex given different AuthN/AuthZ methods et al.
>> Or must I go dynamic to an intermediary box and do IXFR’s and thus a re-signing (with some signatures re-used)?
> Yes, you need a primary master to handle the updates. The signer will only resign what's needed of course.

An alternative is to use OpenDNSSEC for key maintenance and BIND 9.10 with
in-line signing as the master which accepts the updates.

We did this in the FreeIPA project and it works, but you need quite a lot of 'glue
logic' to create and update BIND key files (these are just references to keys
inside PKCS#11 modules).

The trick is generally in replacing ods-signerd with a custom implementation
which takes a list of keys for a particular zone and generates BIND key files
(using the dnssec-keyfromlabel utility) instead of signing the zone.

If you are interested in this you can have a look at:
(Do not be scared, FreeIPA does some additional magic for key distributions
because FreeIPA DNS is multi-master :-)

OpenDNSSEC key exporter is available from:

Please note that this exports key metadata and wrapped key material into LDAP.
For single-master you do not need that at all, so you can rip off big chunks of
code: generally you could ignore calls to
> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
> master2ldap_master_keys_sync(log, ldapkeydb, localhsm)
completely and just rewrite
> master2ldap_zone_keys_sync(log, ldapkeydb, localhsm)
to run dnssec-keyfromlabel.

I hope this helps to understand the possibilities.

Petr Spacek  @  Red Hat
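The "custom ods-signerd" role Petr describes (take the zone's key list, emit BIND key files via dnssec-keyfromlabel instead of signing) as an added example; this is not FreeIPA or OpenDNSSEC code. The dnssec-keyfromlabel options used (-E engine, -a algorithm, -l label, -f KSK, -K directory, zone name as the positional argument) are the tool's documented ones; the `pkcs11:token=...;object=...` label syntax, the ZoneKey metadata shape, the token name and the injectable `run` callable are assumptions made for the example.

```python
"""Minimal ods-signerd replacement sketch: one BIND key file pair per
PKCS#11 key, generated with dnssec-keyfromlabel. Added example, not code
from the FreeIPA or OpenDNSSEC projects."""
import subprocess
from dataclasses import dataclass
from pathlib import Path
from types import SimpleNamespace


@dataclass(frozen=True)
class ZoneKey:
    """Key metadata as a key-management layer would hand it over (assumed shape)."""
    label: str      # PKCS#11 object label of the private key, e.g. "zsk-example-2016a"
    algorithm: int  # DNSSEC algorithm number, e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    ksk: bool       # True -> KSK (DNSKEY flags 257), False -> ZSK (flags 256)


def build_keyfromlabel_argv(zone, key, keydir, engine="pkcs11",
                            token="opendnssec", pin_source=None):
    """Build the dnssec-keyfromlabel command for one key.

    The PKCS#11 URI-style label (token=...;object=...;pin-source=...) is the
    form BIND's pkcs11 engine accepts; token name and pin file are assumptions.
    """
    label = f"pkcs11:token={token};object={key.label}"
    if pin_source:
        label += f";pin-source={pin_source}"
    argv = ["dnssec-keyfromlabel",
            "-E", engine,               # which engine resolves the label
            "-a", str(key.algorithm),   # algorithm must match the HSM key type
            "-l", label,                # reference to the key inside the HSM
            "-K", str(keydir)]          # where K<zone>.+alg+id.{key,private} land
    if key.ksk:
        argv += ["-f", "KSK"]           # sets the SEP bit -> flags 257
    argv.append(zone)
    return argv


def sync_zone_keys(zone, keys, keydir, run=subprocess.run):
    """Generate key files for every key in `keys` under `keydir`.

    Returns the key base names (e.g. "Kexample.com.+008+12345") that
    dnssec-keyfromlabel prints on stdout. `run` is injectable so the logic can
    be exercised without BIND installed; removing files of retired keys is
    left to the caller, as the tool only ever creates.
    """
    keydir = Path(keydir)
    keydir.mkdir(parents=True, exist_ok=True)
    names = []
    for key in keys:
        argv = build_keyfromlabel_argv(zone, key, keydir)
        proc = run(argv, capture_output=True, text=True, check=True)
        names.append(proc.stdout.strip())
    return names


class RecordingRunner:
    """Dry-run stand-in for subprocess.run: records argv, fakes the tool's
    stdout (key id 00000 is made up) and never touches the HSM."""

    def __init__(self):
        self.calls = []

    def __call__(self, argv, **kwargs):
        self.calls.append(list(argv))
        zone, alg = argv[-1], int(argv[argv.index("-a") + 1])
        return SimpleNamespace(stdout=f"K{zone}.+{alg:03d}+00000\n", returncode=0)


if __name__ == "__main__":
    # Constructed sample: one KSK and one ZSK for example.com, dry run only.
    sample = [ZoneKey("ksk-example-2016a", 8, True),
              ZoneKey("zsk-example-2016a", 8, False)]
    runner = RecordingRunner()
    for name in sync_zone_keys("example.com", sample, "/tmp/bind-keys", run=runner):
        print(name)
    for call in runner.calls:
        print(" ".join(call))
```

With the real `subprocess.run` the same call writes the `.key`/`.private` pairs BIND's in-line signing reads from its key-directory; the ZSK/KSK split matters because `-f KSK` is what makes BIND treat the key as the one to sign the DNSKEY RRset.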
