DNSSEC: signing different zones with different keys


Leandro Totino

Aug 30, 2015, 11:57:52 AM
to AtomiaDNS
We are testing Atomia DNS and it looks very good; it is the one on the market which can create zones and records by API.

I would like to create many keys (KSK and ZSK) per zone and sign them with those, so I have a question about Atomia DNSSEC: can we sign DNS zones with different keys (KSK and ZSK) in Atomia? Or does Atomia only support one key (ZSK and KSK) to sign all zones on the host?

Regards.

Jimmy Bergman

Aug 31, 2015, 1:32:38 AM
to atom...@googlegroups.com
Hi

Yes, we have made the conscious decision to make the set of keys global, not per zone, because we believe it greatly simplifies management and reduces operational risk related to DNSSEC.

Best regards,
Jimmy

--
You received this message because you are subscribed to the Google Groups "AtomiaDNS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to atomiadns+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Leandro Totino

Sep 10, 2015, 7:55:44 AM
to AtomiaDNS
Hi Jimmy,

There are zones signed with DNSSEC and others which are not. How can AtomiaDNS solve this problem, because if you create a DNSKEY all zones will be signed? I have another question: can I share all zones with all users through the AtomiaDNS web panel, so that if user A creates a zone, user B can see it as well, and vice versa?

Jimmy Bergman

Sep 10, 2015, 8:00:30 AM
to atom...@googlegroups.com
Hi

All zones are signed, but you can still enable/disable DNSSEC per zone by selectively publishing DS records to the parent only
for the ones which you want DNSSEC enabled on.

It is not possible to share a zone with the example webapp.

Best regards,
Jimmy
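
As an added example (my code, not AtomiaDNS or PowerDNS code) of the approach in Jimmy's reply: with one global key set, the DS record for every zone is derived from the same KSK, and the per-zone switch is simply whether that DS is handed to the parent. The script below builds the DS RR (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509) and produces a publication plan for a list of zones. The KSK bytes and the zone names are constructed placeholders, not a real key or real delegations.

```python
"""Added example (not AtomiaDNS or PowerDNS code): derive the DS record for a
zone from the shared KSK and decide, per zone, whether to publish it.

With one global key set every zone carries RRSIGs; a zone is "DNSSEC enabled"
from a validating resolver's point of view only when its DS is present in the
parent zone (RFC 4034 section 5). The key material below is constructed for
illustration and is not a usable RSA key.
"""
import base64
import hashlib
import struct

# Constructed example of the global KSK's DNSKEY RDATA (flags 257 = KSK/SEP,
# protocol 3, algorithm 8 = RSASHA256). "AQAB" decodes to the bytes 01 00 01.
KSK_FLAGS = 257
KSK_PROTOCOL = 3
KSK_ALGORITHM = 8
KSK_PUBKEY_B64 = "AQAB"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_to_ds(zone: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """Presentation text of the DS RR for ZONE, digest type 2 (SHA-256, RFC 4509)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(zone) + rdata).hexdigest().upper()
    return f"{zone.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


def plan_ds_publication(all_zones, enable_dnssec):
    """Return {zone: DS text or None}. A DS is produced only for zones listed in
    ENABLE_DNSSEC; the others stay signed on the server but, with no DS in the
    parent, validators treat them as insecure delegations."""
    plan = {}
    for zone in all_zones:
        if zone in enable_dnssec:
            plan[zone] = dnskey_to_ds(zone, KSK_FLAGS, KSK_PROTOCOL, KSK_ALGORITHM, KSK_PUBKEY_B64)
        else:
            plan[zone] = None
    return plan


if __name__ == "__main__":
    # Constructed zone list: only toto.com.br gets its DS sent to the parent.
    for zone, ds in plan_ds_publication(["toto.com.br", "example.net"], {"toto.com.br"}).items():
        print(zone, "->", ds or "no DS published (insecure delegation)")
```

A zone left out of the plan keeps serving RRSIGs but validators treat it as insecure, which is the per-zone on/off switch Jimmy describes. Two caveats a practitioner will want: do not publish a DS for a zone whose answers carry no RRSIGs (the situation in the dig output later in this thread), because validating resolvers would then return SERVFAIL for it; and in the other direction, remove the DS from the parent and wait for it to age out of caches before the zone stops being signed.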

Leandro Totino

Sep 10, 2015, 12:30:51 PM
to AtomiaDNS
Hi Jimmy,

I would like to know if I can specify the RRSIG record expiration date when I create the key, or whether you have another approach for that. I just tested Atomia DNSSEC and it didn't work.

I created the keys as in the documentation, but after that, if I dig some record with +dnssec, I don't get any RRSIG, like the example below:

; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> teste.toto.com.br @172.16.95.97 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32723
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;teste.toto.com.br.             IN      A

;; ANSWER SECTION:
teste.toto.com.br.      3600    IN      A       2.2.2.2

Jimmy Bergman

Sep 11, 2015, 2:09:08 AM
to atom...@googlegroups.com
Hi

You have to configure PowerDNS to use DNSSEC, although if you install the sync agent with our package, then the atomiadns-powerdns-database package tries to set it up for you.

Our setup uses the PowerDNS live signing mode, and a description of how the RRSIGs are constructed is available at

Best regards,
Jimmy
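
To confirm that the PowerDNS backend really is live-signing, here is an added check (my example, not part of the thread and not AtomiaDNS or PowerDNS code): parse a `dig +dnssec` transcript, require an RRSIG covering the queried type, and test the RRSIG inception/expiration window, which is what the earlier question about RRSIG expiration dates refers to. Both transcripts in the block are constructed; the first reproduces the unsigned answer posted above, and the second is what the same query would look like once signing works (its key tag, dates and signature are placeholders).

```python
"""Added example (not AtomiaDNS or PowerDNS code): check a dig +dnssec answer
for the RRSIGs a live-signing PowerDNS should return, and check that the RRSIG
validity window covers a given time.

Both dig transcripts are constructed for this example; UNSIGNED mirrors the
answer shown in the thread, SIGNED is a placeholder for a working setup.
"""
from datetime import datetime, timezone

UNSIGNED = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;teste.toto.com.br.             IN      A

;; ANSWER SECTION:
teste.toto.com.br.      3600    IN      A       2.2.2.2
"""

SIGNED = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;teste.toto.com.br.             IN      A

;; ANSWER SECTION:
teste.toto.com.br.      3600    IN      A       2.2.2.2
teste.toto.com.br.      3600    IN      RRSIG   A 8 4 3600 20150924000000 20150910000000 1545 toto.com.br. c29tZS1zaWduYXR1cmU=
"""


def answer_records(dig_output: str):
    """Yield (owner, ttl, type, rdata_fields) for each RR in the ANSWER SECTION."""
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                break  # blank line or next section header ends the answer
            owner, ttl, _cls, rtype, *rdata = line.split()
            yield owner, int(ttl), rtype, rdata


def parse_rrsig_time(field: str) -> datetime:
    """RRSIG inception/expiration as printed by dig: YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_signed(dig_output: str, qtype: str, now=None):
    """Return (ok, reason). ok is True only if the DO bit was set, the answer
    holds an RRSIG covering QTYPE, and NOW lies inside inception..expiration.
    NOW may be a datetime, an RRSIG-style timestamp string, or None (current time)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_rrsig_time(now)
    if "flags: do" not in dig_output:
        return False, "DO bit not set; the server was never asked for RRSIGs"
    recs = list(answer_records(dig_output))
    if not any(r[2] == qtype for r in recs):
        return False, f"no {qtype} record in answer"
    # RRSIG RDATA fields: type covered, alg, labels, orig TTL, expiration,
    # inception, key tag, signer name, signature (RFC 4034 section 3.2).
    sigs = [r for r in recs if r[2] == "RRSIG" and r[3][0] == qtype]
    if not sigs:
        return False, f"no RRSIG covering {qtype}: the zone is not being signed"
    for _owner, _ttl, _rtype, rdata in sigs:
        expiration, inception = parse_rrsig_time(rdata[4]), parse_rrsig_time(rdata[5])
        if inception <= now <= expiration:
            return True, f"RRSIG by key tag {rdata[6]} valid until {expiration.isoformat()}"
    return False, "RRSIG present but outside its validity window"


if __name__ == "__main__":
    for label, text in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(label, check_signed(text, "A", "20150915000000"))
```

With live signing, the expiration you see here is not chosen when the key is created; the signer sets the window when it produces the RRSIG, so the check above is the practical way to see what window is in effect. Run it against real `dig ... +dnssec` output by passing that text to `check_signed`.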