Ewen McNeill wrote:
Hi Drew,
On 26/07/10 23:49, Drew Broadley wrote:
What if the lack of effort is due to limitations on systems with no near future solutions? (come on Bind10!)
BIND 9.7 has some useful additions to make zone signing easier/more automatic; see, eg, OSCON 2010 slides from an ISC speaker:
http://www.oscon.com/oscon2010/public/schedule/detail/14112
(the first half of the slides is intro-to-DNSSEC, the second half is a simple recipe for signing your zone using BIND 9.7).
The major limitation seems to be that in order for the turnkey setup to work the system with the original zone information also needs the private keys (both ZSK and KSK), which may or may not be the ideal security partitioning. (I suspect it's probably okay for many if you use a hidden master that's fairly well isolated.)
You can consider that a major limitation of any signing system :) But in practice, you can use a hardware security module to protect the private part of the keys. What I personally think is a limitation is the lack of functionality around key management: if by policy you need to have frequent roll-overs, you need to use a different set of tools to do that.
As others have pointed out, with some extra effort (mainly in specifying a bunch of extra flags that are now defaults in BIND 9.7, plus some extra cron jobs) one could do the same thing well back into the BIND 9.x versions.
Which version you pick depends on whether you are on the authoritative side or the validating side. For an authoritative nameserver serving a signed zone, BIND 9.6 is good enough. If you are a validating resolver who wants to implement trust anchor rollovers, you need to use BIND 9.7. For the .nz zone we are planning to use OpenDNSSEC (www.opendnssec.org) as key management software and signing engine, and BIND 9.6 for the authoritative nameservers.

cheers,
Ewen

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
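As an added illustration of the points raised in the thread (the BIND 9.7 turnkey setup where only a hidden master holds the ZSK and KSK, public secondaries that can stay on 9.6 because they never see private keys, and a 9.7 validating resolver that can follow trust anchor rollovers), here are three named.conf sketches. They are not from the thread, the OSCON slides or the .nz deployment; the zone name, the 192.0.2.0/24 addresses, the file paths and the trust-anchor value are placeholders.

```conf
// --- named.conf on the hidden master (BIND 9.7): the only host with private keys ---
// Keys were created here with dnssec-keygen -K /var/named/keys -f KSK example.nz (KSK)
// and dnssec-keygen -K /var/named/keys example.nz (ZSK); never copy .private files elsewhere.
options {
    directory "/var/named";
    listen-on { 192.0.2.1; };            // internal address, not published in NS records
    recursion no;
    allow-query { 192.0.2.0/24; };       // only the public secondaries may talk to it
    dnssec-enable yes;
};

zone "example.nz" {
    type master;
    file "dynamic/example.nz";
    key-directory "/var/named/keys";     // K<name>+<alg>+<id>.{key,private} files live here
    auto-dnssec maintain;                // 9.7: sign on load, re-sign before RRSIGs expire
    update-policy local;                 // auto-dnssec needs a dynamic zone; local nsupdate only
    sig-validity-interval 30;            // RRSIG lifetime in days
    allow-transfer { 192.0.2.10; 192.0.2.11; };
    also-notify { 192.0.2.10; 192.0.2.11; };
    notify explicit;
};

// --- named.conf on each public secondary (BIND 9.6 is sufficient here) ---
// It serves the already-signed zone received by AXFR/IXFR and holds no key material,
// so compromising a public-facing server does not expose the ZSK or KSK.
zone "example.nz" {
    type slave;
    file "secondary/example.nz";
    masters { 192.0.2.1; };
    allow-transfer { none; };
};

// --- named.conf on a validating resolver (BIND 9.7) ---
// managed-keys follows trust anchor rollovers (RFC 5011); a static trusted-keys
// entry, the only option in 9.6, would silently break validation at the next KSK rollover.
options {
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
};
managed-keys {
    "." initial-key 257 3 8 "<ROOT-KSK-DNSKEY-PLACEHOLDER>";   // replace with the real root KSK
};
```

Each sketch is a separate file; the three `zone`/`options` blocks are not meant to coexist in one named.conf.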