[Opendnssec-user] DNSSEC opendnssec vs bind inline signing

Henrik Dahlberg hd at dnsmonitor.com
Mon Sep 7 14:53:42 UTC 2020


Hi Johan,

I had a go six months ago with an attempt to use BIND and its
online signing. I even tried to build it with SoftHSM but never got it to
work properly.
I ended up sticking with ODS for the foreseeable future. IMHO ODS is quite
solid and the BIND solution doesn't seem quite ready, exactly as you see it.

Regards,

/Henke





*Henrik Dahlberg*
Founder/CEO
+46 70 938 3069

*https://dnsmonitor.com <http://www.dnsmonitor.com>*


On Mon, Sep 7, 2020 at 10:17 AM Johan A Bergstrom via Opendnssec-user <
opendnssec-user at lists.opendnssec.org> wrote:

> Hello.
>
> So I am looking to redesign our DNS infrastructure and I am in discussions
> with some other architects about the DNSSEC support implementation.
>
> We have been running OpenDNSSEC since 1.4.0 and we are quite happy with
> it, have been able to automate a lot of zone/DNSSEC management in this
> solution, but now we need to refresh the whole infrastructure and my
> colleagues are looking into BIND as a standalone solution now that it has
> support for inline signing and KASP and more.
>
> The pros I see in OpenDNSSEC are that the keys are managed with
> better/higher security in mind, SoftHSM (or HW HSM module); in BIND it's
> still just keeping private keypairs in the filesystem, although they can be in an
> alternate location from the zonefiles.
>
> The cons I see in OpenDNSSEC are that the setup is much more complex, and
> troubleshooting it requires deeper infrastructural knowledge.
>
> My colleagues are arguing that BIND will eventually make OpenDNSSEC
> obsolete, which might happen, but the timeframe I see for this is quite
> long, maybe in 4-5 years, as they have just recently implemented KASP, still
> missing the HSM management for private keys, which is the most important
> part security-wise from my perspective.
>
> In an overview, I am looking to implement the DNSSEC
> management/signing/security part in-house, and put nameserver slaves in
> containers/VMs around available clouds.
>
> More pros/cons regarding either solution, what do you guys think?
>
> Hälsningar / Best regards,
>
> Johan Bergström, Lead Technical Architect / Linux
> TietoEVRY, ZSH Hybrid Infra
>