DNSSec turned on by default in bind9 package
This session is about turning DNSSec support on out-of-the-box in the bind9 package. One of the issues in doing this is setting up the initial key, which could get changed during the life of the LTS release. How do we deal with key rotation in new installs?
Blueprint information
- Status:
- Complete
- Approver:
- Jamie Strandboge
- Priority:
- Low
- Drafter:
- Marc Deslauriers
- Direction:
- Needs approval
- Assignee:
- LaMont Jones
- Definition:
- Approved
- Series goal:
- Accepted for precise
- Implementation:
-
Implemented
- Milestone target:
- None
- Started by
- Jamie Strandboge
- Completed by
- Jamie Strandboge
Whiteboard
Work items:
[lamont] turn on by default with blurb and ship bind.keys (0.5): DONE
[lamont] add note to README.Debian how to get the key, verify it and put it in place (0.5): DONE
[mdeslaur] add cronjob to poll for when the key singing key changes (0.5): POSTPONED
[mdeslaur] make sure QRT script tests the default dnssec option (0.5): POSTPONED
Installing and enabling DNSSEC using the package-
- need to verify at install time that DNSSEC is working, or offer to disable it at install time.
- missing a key roll because the release was on the other side of the key roll from the install.
- machines isolated from the Internet
Bind ships with keys compiled-in, and also in the bind.keys file. An updated bind.keys file is available with a gpg signature from isc.org (http://
"dnssec-validation auto" in named.conf will read the root key from bind.keys the first time it executes.
From the etherpad:
This session is about turning DNSSec support on out-of-the-box in the bind9 package. One of the issues in doing this is setting up the initial key, which could get changed during the life of the LTS release. How do we deal with key rotation in new installs?
Installing and enabling DNSSEC using the package-
- need to verify at install time that DNSSEC is working, or offer to disable it at install time.
- missing a key roll because the release was on the other side of the key roll from the install.
- machines isolated from the Internet
Bind ships with keys compiled-in, and also in the bind.keys file. An updated bind.keys file is available with a gpg signature from isc.org (http://
"dnssec-validation auto" in named.conf will read the root key from bind.keys the first time it executes.
https:/
Why?
- shiny
- chock full of goodness
Issues
- key signing key for toplevel domain can be shipped, but what about key rotation. If server running, no problem. If person installs from package after key rotated, bind fails
- 9.8 in source code and bind.keys. looks first in bind.keys and then falls back
- how about turn on by default but then check in postinst if it is working. warn if not
- reads bind.keys or hardcoded, then creates a database
- checking for whether or not it works is problematic
- construed as phone home
- if in init script-- potentially a lot of traffic
- postinst?
- requires network connectivity
- when is bind.keys referenced?
Seems key doesn't change (we are only shipping the key singing key), so turning this on by default isn't a problem for users installing. If the key is revoked, an update can be pushed through -security
dnssec-trigger? for people on the go. integrated into network-manager, uses unbound, and resistant to hostile networks. nsd is unbound authoritative server
