[Opendnssec-user] DNSSEC opendnssec vs bind inline signing

[Johan A Bergstrom]

Hello.

So I am looking to redesign our DNS infrastructure and I am in discussions with some other architects about the DNSSEC support implementation.

We have been running OpenDNSSEC since 1.4.0 and we are quite happy with it, have been able to automate a lot of zone/DNSSEC management in this solution, but now we need to refresh the whole infrastructure and my colleagues are looking into Bind as a standalone solution now that is has support for inline signing and KASP and more.

The pro's I see is in OpenDNSSEC are that the keys are managed with better/higher security in mind, SoftHSM (or HW HSM module), in bind it's still just keeping private keypairs in the filesystem although can be in an alternate location from the zonefiles.

The con's I see in OpenDNSSEC are that the setup is much more complex, and troubleshooting it requires deeper infrastructural knowledge.

My colleagues are arguing that Bind will eventually make OpenDNSSEC obsolete, which might happen, but the timeframe I see for this is quite long, maybe in 4-5 years as they have just recently implemented KASP, still missing the HSM management for private keys, which is the most important part security wise in my perspective.

In an overview, I am looking to implement the DNSSEC management/signing/security part inhouse, and put nameserver slaves in containers/vms around available clouds.

More pro's/con's regarding either solution, what do you guys think?

Hälsningar / Best regards, 

Johan Bergström, Lead Technical Architect / Linux
TietoEVRY, ZSH Hybrid Infra