
DNS Management Interface that supports DNSSEC ... ?


Marc G. Fournier

Jun 9, 2010, 12:39:17 PM

Anyone know of, or is using, such a beast? Basically, right now I'm doing
it all manually for my clients, would like to provide them with a
self-service portal for doing it instead ...

Would like to find something that I could 'assign n domains' to a client
that they could manage, that sort of thing ...

Preferably something with an RDBMS backend (PostgreSQL if possible) ...

Am comfortable / familiar with BIND, so would prefer to stick with it, but
if a great tool requires switching to something else, so be it ... but
DNSSEC support is a requirement ...

Thanks ...

----
Marc G. Fournier Hub.Org Hosting Solutions S.A.
scr...@hub.org http://www.hub.org

Yahoo:yscrappy Skype: hub.org ICQ:7615664 MSN:scr...@hub.org
_______________________________________________
freeb...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp...@freebsd.org"

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-...@muc.de

Matthew Seaman

Jun 9, 2010, 1:21:58 PM

On 09/06/2010 17:39:17, Marc G. Fournier wrote:
>
> Anyone know of, or is using, such a beast? Basically, right now I'm
> doing it all manually for my clients, would like to provide them with a
> self-service portal for doing it instead ...
>
> Would like to find something that I could 'assign n domains' to a client
> that they could manage, that sort of thing ...
>
> Preferably something with an RDBMS backend (PostgreSQL if possible) ...
>
> Am comfortable / familiar with BIND, so would prefer to stick with it,
> but if a great tool requires switching to something else, so be it ...
> but DNSSEC support is a requirement ...

Managing zone-signing is an interesting problem. The only bit the
customer really needs any input on is to check a box saying "sign my
zone". All the rest is actually best managed automatically.

There are two basic approaches:

i) Create the zone data using whatever means you prefer. Then sign
the plaintext zones whenever there is an update to the zone data,
whenever you need to roll the ZSK (which is typically monthly if you
follow the usual RFC4641 guidelines), plus annually or biannually when
you roll the KSK (which is a much more involved operation, since it
involves cooperation with your registrar etc. etc.)

This is the approach used by open-dnssec (http://www.opendnssec.org/) or
DNSSEC Zone Key Tool (http://www.hznet.de/dns/zkt/)

open-dnssec is being developed by a consortium including Nominet, NLnet
Labs and others: it's an industrial scale solution for people that serve
large numbers of secure zones. They prefer a Hardware Security Module
as a means to hold the private keys securely, although they do provide a
confusingly named SoftHSM application.

ZKT is a much smaller scale solution, using the Unix filesystem as the
keystore.

ii) Use the new built-in logic in BIND 9.7 which will maintain a
signed, dynamic zone pretty much automatically, i.e. convert all your
zones to dynamic zones, and use dnsupdate exclusively to populate zones.
See:

http://www.isc.org/software/bind/new-features/9.7
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: mat...@infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
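The two approaches Matthew describes, written out as the commands and configuration an ISP would actually put behind a self-service portal. This is an added example, not code from the thread or from ISC/OpenDNSSEC: the zone name example.com, the /var/named paths, the key sizes and the 30-day pre-publish interval are illustrative assumptions, and the functions that call dnssec-keygen, dnssec-signzone, dnssec-dsfromkey and nsupdate assume BIND 9.7 or later tools on PATH (the text-emitting functions run anywhere).

```shell
#!/bin/sh
# Added example for the freebsd-isp thread above; not from the original post.
# Assumed: BIND 9.7+ tools on PATH for the signing/keygen functions, a zone
# named example.com, and paths under /var/named. All of these are placeholders.
set -eu

ZONE="${ZONE:-example.com}"                       # assumed example zone
KEYDIR="${KEYDIR:-/var/named/keys/$ZONE}"         # assumed key store (approach i/ii)

# Approach ii: a dynamic zone that named keeps signed itself.
# "update-policy local" pairs with "nsupdate -l" (both new in 9.7): updates are
# authorised by a session key named generates, so no TSIG secret lives in the
# portal. "auto-dnssec maintain" re-signs changed RRsets and follows the
# publish/activate dates on the key files for ZSK rollover.
zone_stanza() {
    zone=$1; keydir=$2
    cat <<EOF
zone "$zone" {
    type master;
    file "dynamic/$zone.db";
    key-directory "$keydir";
    update-policy local;
    auto-dnssec maintain;
};
EOF
}

# Key generation for either approach. The second ZSK carries timing metadata
# (-P publish now, -A activate in 30 days) so the monthly rollover described in
# the post happens without a hand-run signing step. The KSK gets -f KSK; its DS
# still has to be sent to the registrar by hand (see ds_records).
# Key sizes are assumptions in line with RFC 4641-era practice.
gen_keys() {
    zone=$1; keydir=$2
    mkdir -p "$keydir"
    dnssec-keygen -K "$keydir" -a RSASHA256 -b 1024 -n ZONE "$zone"               # active ZSK
    dnssec-keygen -K "$keydir" -a RSASHA256 -b 1024 -n ZONE -P +0 -A +30d "$zone" # next ZSK, pre-published
    dnssec-keygen -K "$keydir" -a RSASHA256 -b 2048 -n ZONE -f KSK "$zone"        # KSK
}

# DS records for the registrar. dnssec-keygen marks KSK .key files with a
# "key-signing key" comment line; filter on that so no ZSK DS is handed over.
ds_records() {
    keydir=$1
    for k in $(grep -l 'key-signing key' "$keydir"/K*.key); do
        dnssec-dsfromkey -2 "$k"       # SHA-256 digest
    done
}

# Approach i: plaintext zone file re-signed whenever the portal saves a change.
# -S (smart signing, 9.7) picks keys from -K by their timing metadata;
# -N increment bumps the SOA serial. Output lands in $zonefile.signed, which is
# what named should load, followed by "rndc reload $zone".
sign_static() {
    zone=$1; keydir=$2; zonefile=$3
    dnssec-signzone -S -K "$keydir" -o "$zone" -N increment "$zonefile"
}

# Portal back end for approach ii: customers never see a key; they submit an
# RR and the portal feeds this batch to "nsupdate -l" on the master.
# Deleting the RRset first makes the operation idempotent.
nsupdate_batch() {
    zone=$1; name=$2; rrtype=$3; rdata=$4
    printf 'zone %s\nupdate delete %s.%s %s\nupdate add %s.%s 3600 %s %s\nsend\n' \
        "$zone" "$name" "$zone" "$rrtype" "$name" "$zone" "$rrtype" "$rdata"
}

case "${1:-}" in
    config) zone_stanza "$ZONE" "$KEYDIR" ;;
    keys)   gen_keys "$ZONE" "$KEYDIR" ;;
    ds)     ds_records "$KEYDIR" ;;
    sign)   sign_static "$ZONE" "$KEYDIR" "$2" ;;
    update) nsupdate_batch "$ZONE" "$2" "$3" "$4" | nsupdate -l ;;
    *)      ;;   # sourced or no argument: define the functions only
esac
```

Usage would be `sh dnssec-portal.sh keys`, then `sh dnssec-portal.sh config >> /etc/namedb/named.conf`, `sh dnssec-portal.sh ds` to get the DS for the registrar, and `sh dnssec-portal.sh update www A 192.0.2.10` from the portal. The one design choice worth stressing for a multi-tenant portal is that the customer-facing layer only ever produces nsupdate batches scoped to zones assigned to that customer; the signing keys and the session key stay on the master.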
