[ale] .org Registrars and DNSSEC
Michael H. Warfield
mhw at WittsEnd.com
Mon Feb 14 16:07:33 EST 2011
On Mon, 2011-02-14 at 15:04 -0500, Robert wrote:
> >I was hoping to implement DNSSEC before completing a server migration I am
> >working on, but I haven't made as much progress as I hoped.
> What are you using to sign/maintain your zones?
There are some good tools for Fedora (and probably Ubuntu and RHEL6) in
dnssec-tools, if you want to do things, like key management and what
not, manually.
OTOH, a real good project to look at is OpenDNSsec.
http://www.opendnssec.org/
You can use that either as a signer on your master server OR you can use
it in a "bump on the wire" configuration where it acts as a slave to
your "master" and all of your "slaves" do zone transfers from it. It
then manages all the keys and it signs the zones when they are
transferred from the master. In effect, other than moving your master
(or retargeting your slaves) it's a drop-in transparent signer.
Alternative to registering your zone through your registrar (until they
bloody well get their act together) would be to go with the ISC DLV
(Domain Lookaside Validation) service. Bind9 is configured to reference
their DLV out of the box and the keys and includes are in the distros:
dnssec-lookaside . trust-anchor dlv.isc.org.;
:
include "dlv.isc.org.named.conf";
More info here:
https://dlv.isc.org/
It's pretty quick to register and get set up. All my zones are signed
(using dnssec-tools). I'm still playing with OpenDNSsec and expect to
switch to it before too long just to automate stuff that I'm doing
manually now.
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
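Whether you register through a registrar or through ISC's DLV, what you hand over is a DS record derived from your KSK. The following is an added example (not from the message above, and not dnssec-tools or OpenDNSSEC code) that builds that DS record from a DNSKEY in zone-file format, implementing the RFC 4034 key-tag and digest computation with only the Python standard library; the owner name example.com and the tiny 4-byte "public key" are constructed so the key tag can be checked by hand.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY (flags 257 = KSK with SEP bit, protocol 3,
# algorithm 8 = RSA/SHA-256). The 4-byte key is NOT a real key; it is an
# assumption for this example so the arithmetic below is verifiable.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lowercase, length-prefixed labels, RFC 4034 s6)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(line: str):
    """Split a presentation-format DNSKEY RR into (owner, flags, protocol, algorithm, pubkey)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # base64 may span several tokens
    return fields[0], flags, proto, alg, pubkey


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF          # fold the carry back in
    return ac & 0xFFFF


def ds_record(line: str, digest_type: int = 2) -> str:
    """Build the DS RR to submit to the parent (registrar) or to a DLV registry.

    digest_type 1 = SHA-1, 2 = SHA-256; the digest covers owner name + DNSKEY RDATA.
    """
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY))
```

Compare the key tag this prints against the `key id` comment dnssec-keygen writes into the key file before submitting; a mismatch usually means the wrong DNSKEY (a ZSK, flags 256) was fed in.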