[dnssec-deployment] Automated Signing Tools
Lutz Donnerhacke
lutz at iks-jena.de
Wed Aug 15 10:28:04 EDT 2007
* Dan Mahoney, System Admin wrote:
> Interesting. This somehow goes prior to the way I have originally thought
> of doing things, which is to say -- always sign the non-signed zone, and
> only make mods to the un-signed zone. (Since changing anything in the
> zone is going to require changes in at least a couple NSEC records, their
> signatures, re-signing of the SOA record, etc.)
>
> Does it then stand to reason that I can directly edit (say, to add an A
> record) the signed zone and re-sign it, and that dnssec-signzone will pick
> up on the things like the un-nsec'd record, the unsigned A record, etc)
> and correct these, or should I just stick with signing the "source" zone
> in this case?
I do split the zone into four parts, which can be updated separately:
;
$ORIGIN lan.iks-jena.de.
$TTL 57600
;
$INCLUDE dnssec/zsk/Klan.iks-jena.de.+005+63095.key
$INCLUDE dnssec/ksk/Klan.iks-jena.de.+005+50901.key
$INCLUDE dnssec/sigs/lan.iks-jena.de
;
@ IN NS avalon.iks-jena.de.
...
The files in dnssec/sigs/ are updated in the following steps:
- dnssec-signzone outputs to a temporary file
- all records besides SOA, NSEC, DS and RRSIG are filtered away
- if the stripped file differs from the existing sigs-file:
+ the old SOA is replaced by a new one in the freshly generated file
+ the sigs-file is replaced by the new one
+ the process is restarted using the zone signing keys
BTW:
I have now more than 10000 signed domains in my dnssec statistics.
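The filter-and-compare steps described above, as an added example that is not code from the original post. It assumes BIND's default dnssec-signzone output style (';' comments, parenthesised multi-line records, owner and class omitted when they repeat), works on a constructed sample rather than a real zone dump, and assumes the SOA RRset is excluded from the "differs" check because its serial and signature times move on every run.

```python
"""Reduce dnssec-signzone output to the records kept in a separately
$INCLUDEd sigs file (SOA, NSEC, DS, RRSIG) and decide whether the existing
sigs file must be replaced.  Assumes BIND's default output style."""
KEEP = {"SOA", "NSEC", "DS", "RRSIG"}

def records(text):
    """Yield (owner, ttl, rtype, rdata), joining ( ... ) continuation lines."""
    owner, buf, depth, has_owner = None, [], 0, False
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()   # kept types never quote ';'
        if not line.strip():
            continue
        has_owner = has_owner if buf else not line[0].isspace()
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue                            # still inside ( ... )
        toks, buf = " ".join(buf).split(), []
        if has_owner:
            owner, toks = toks[0], toks[1:]     # otherwise owner carries over
        ttl = toks.pop(0) if toks[0].isdigit() else ""
        toks = toks[1:] if toks[0] == "IN" else toks
        yield owner, ttl, toks[0], " ".join(toks[1:])

def filter_sigs(signed_text):
    """Keep SOA/NSEC/DS/RRSIG, each with an explicit owner: a kept RRSIG must
    not inherit its owner from a neighbouring record that was filtered away."""
    return "".join(" ".join(t for t in (o, ttl, "IN", ty, rd) if t) + "\n"
                   for o, ttl, ty, rd in records(signed_text) if ty in KEEP)

def sigs_changed(new_sigs, old_sigs):
    """Differ apart from the SOA RRset?  Assumption: its serial and signature
    times move on every run, so the SOA is replaced regardless."""
    def body(t):
        return sorted(l for l in t.splitlines()
                      if " IN SOA " not in l and " IN RRSIG SOA " not in l)
    return body(new_sigs) != body(old_sigs)

# Constructed sample of dnssec-signzone output (not a real zone dump).
SAMPLE = """\
lan.iks-jena.de. 57600 IN SOA avalon.iks-jena.de. hostmaster.iks-jena.de. (
                 2007081501 ; serial
                 28800 7200 604800 57600 )
        57600 RRSIG SOA 5 3 57600 20070914000000 (
                 20070815000000 63095 lan.iks-jena.de. AAAAsigAAAA= )
        57600 NSEC host.lan.iks-jena.de. NS SOA RRSIG NSEC DNSKEY
host.lan.iks-jena.de. 57600 IN A 10.0.0.5
        57600 RRSIG A 5 4 57600 20070914000000 (
                 20070815000000 63095 lan.iks-jena.de. BBBBsigBBBB= )
"""
```

Note that the A record is dropped but its RRSIG keeps the owner `host.lan.iks-jena.de.`, which a plain line-based grep would lose.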