Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Debian ISP (http://www.linux-archive.org/debian-isp/)
-   -   DNSSEC management (http://www.linux-archive.org/debian-isp/520998-dnssec-management.html)

Marek Podmaka 05-02-2011 08:39 AM

DNSSEC management
 
Hello all,

What do you use for DNSSEC management of your/customer's domains? Is
there some existing tools/scripts ready or everyone has its own
self-made scripts?

--
bYE, Marki


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 04972748.20110502103939@marki-online.net">http://lists.debian.org/04972748.20110502103939@marki-online.net

Michelle Konzack 05-02-2011 04:57 PM

DNSSEC management
 
Hello Marek Podmaka,

Am 2011-05-02 10:39:39, hacktest Du folgendes herunter:
> Hello all,
>
> What do you use for DNSSEC management of your/customer's domains? Is
> there some existing tools/scripts ready or everyone has its own
> self-made scripts?

Selfmade scripts because other solutions worked not as expected and it
was to comlicate to integrate it in my Admin-Panel.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL itsystems@tdnet UG (limited liability)
Owner Michelle Konzack Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France 77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +49-176-86004575 office

<http://www.itsystems.tamay-dogan.net/> <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/> <http://www.can4linux.org/>

Jabber linux4michelle@jabber.ccc.de
ICQ #328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/

Thomas Goirand 05-03-2011 03:48 AM

DNSSEC management
 
On 05/03/2011 12:57 AM, Michelle Konzack wrote:
> Hello Marek Podmaka,
>
> Am 2011-05-02 10:39:39, hacktest Du folgendes herunter:
>> Hello all,
>>
>> What do you use for DNSSEC management of your/customer's domains? Is
>> there some existing tools/scripts ready or everyone has its own
>> self-made scripts?
>
> Selfmade scripts because other solutions worked not as expected and it
> was to comlicate to integrate it in my Admin-Panel.
>
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack

Can you shortly describe what's needed to have DNSSEC working? How does
it work? Just add a new field or something?

Thomas


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4DBF7B29.8040103@goirand.fr">http://lists.debian.org/4DBF7B29.8040103@goirand.fr

Matus UHLAR - fantomas 05-03-2011 12:27 PM

DNSSEC management
 
> >> What do you use for DNSSEC management of your/customer's domains? Is
> >> there some existing tools/scripts ready or everyone has its own
> >> self-made scripts?

> On 05/03/2011 12:57 AM, Michelle Konzack wrote:
> > Selfmade scripts because other solutions worked not as expected and it
> > was to comlicate to integrate it in my Admin-Panel.

On 03.05.11 11:48, Thomas Goirand wrote:
> Can you shortly describe what's needed to have DNSSEC working? How does
> it work? Just add a new field or something?

For providing DNSSEC, you need to sign the zones, periodically re-sign them,
and periodically push DS recors into parent zones.

For using DNSSEC, you need to provide one or more public keys to your
resolver (recursive nameserver) and maintain that list.

No, it's not easy. Try opendnssec, or google for dnssec and read all the
docs.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes.


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110503122728.GA28151@fantomas.sk">http://lists.debian.org/20110503122728.GA28151@fantomas.sk

Michelle Konzack 05-03-2011 12:56 PM

DNSSEC management
 
Hello Thomas Goirand,

Am 2011-05-03 11:48:57, hacktest Du folgendes herunter:
> Can you shortly describe what's needed to have DNSSEC working? How does
> it work? Just add a new field or something?

You can search google for "How to setup DNSSEC?" and you will find the
HOWTOs and more. Also you can install "bind9-doc" which describe how to
setup DNSSEC.

I was strictly following the Bv9ARM manual and then the files from
/usr/share/doc/bind9-doc/ and it just worked.

NOTE: Do NOT FORGET to update the serial number before signing
the zones because otherwise you will run into troubles..

> Thomas

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL itsystems@tdnet UG (limited liability)
Owner Michelle Konzack Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France 77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +49-176-86004575 office

<http://www.itsystems.tamay-dogan.net/> <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/> <http://www.can4linux.org/>

Jabber linux4michelle@jabber.ccc.de
ICQ #328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/

Henrique de Moraes Holschuh 05-03-2011 01:26 PM

DNSSEC management
 
On Mon, 02 May 2011, Marek Podmaka wrote:
> What do you use for DNSSEC management of your/customer's domains? Is
> there some existing tools/scripts ready or everyone has its own
> self-made scripts?

Well, you could roll out your own, of course, but there are good ones out
there already.

We're testing this one: http://registro.br/dnsshim/index-EN.html

DNSSHIM is software maitained by NIC.br, responsible for all of the .br TLD
operations. It works as a shadow master server, so it is extremely easy to
deploy on BIND-like DNSSEC infrastructures.

There are other such DNSSEC key lifetime management suites. I think RIPE
has published one as well (but I am not sure it is FLOSS). Google will find
them.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110503132606.GB13501@khazad-dum.debian.net">http://lists.debian.org/20110503132606.GB13501@khazad-dum.debian.net

Emanuele Balla 05-03-2011 01:27 PM

DNSSEC management
 
On 5/3/11 2:27 PM, Matus UHLAR - fantomas wrote:
> For using DNSSEC, you need to provide one or more public keys to your
> resolver (recursive nameserver) and maintain that list.

Or give it the initial root key and tell it to maintain it by itself ;-)

--
# Emanuele Balla # #
# System & Network Engineer # #
# Spin s.r.l. - AS6734 # Phone: +39 040 9869090 #
# Trieste # Email: balla@staff.spin.it #


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4DC002AD.1010007@staff.spin.it">http://lists.debian.org/4DC002AD.1010007@staff.spin.it

Michelle Konzack 05-03-2011 02:56 PM

DNSSEC management
 
Hello Emanuele Balla,

Am 2011-05-03 15:27:09, hacktest Du folgendes herunter:
> On 5/3/11 2:27 PM, Matus UHLAR - fantomas wrote:
> > For using DNSSEC, you need to provide one or more public keys to your
> > resolver (recursive nameserver) and maintain that list.
>
> Or give it the initial root key and tell it to maintain it by itself ;-)

You mean using the "-i <interval>" option with dnssec-signzone?

I am puzzeling arround, how to use this option on an already signed
zone, because it sounds like the thing I need, to update the zones
automaticaly using a cronjob once a week...

Can you give me an example or a hint please?

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL itsystems@tdnet UG (limited liability)
Owner Michelle Konzack Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France 77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +49-176-86004575 office

<http://www.itsystems.tamay-dogan.net/> <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/> <http://www.can4linux.org/>

Jabber linux4michelle@jabber.ccc.de
ICQ #328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/

Matus UHLAR - fantomas 05-03-2011 03:02 PM

DNSSEC management
 
> On 5/3/11 2:27 PM, Matus UHLAR - fantomas wrote:
> > For using DNSSEC, you need to provide one or more public keys to your
> > resolver (recursive nameserver) and maintain that list.

On 03.05.11 15:27, Emanuele Balla wrote:
> Or give it the initial root key and tell it to maintain it by itself ;-)

that is the one I mentioned. Another may be the key for DLV.
but yes, named can manage it by itself
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110503150203.GC30043@fantomas.sk">http://lists.debian.org/20110503150203.GC30043@fantomas.sk


All times are GMT. The time now is 12:45 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.