Two weeks ago I wrote about implementing DNSSEC with Bind9 or PowerDNS and asked for opinions, because Bind9 appeared too complex to set up with regular key signing and the like, while PowerDNS seemed nice and easy, but some kind of black box where I don’t know what’s happening.
I think I’ve now found the best and most suitable way for me to deal with DNSSEC. Or, in short: Bind9 won!
It won because of its inline-signing config option, available since bind 9.9, which happens to be in backports. Another tip from my findings on the web: if you plan to implement DNSSEC with Bind9, do NOT search for “bind dnssec” on the web. This only brings up old HowTos and manuals that leave you with the burden of updating your keys manually. Just add the magic words “inline-signing” to your search phrase and you’ll find proper results like the one from Michael McNally on a subpage of ISC.org: In-line Signing With NSEC3 in BIND 9.9+ — A Walk-through. It’s a fairly good starting point, but it still left me with several manual steps to get a DNSSEC-signed zone.
I’m quite a lazy guy when it comes down to manual steps that need to be executed repeatedly, like many others in IT, I think. So I wrote a small wrapper script that does the necessary steps: creating the keys, adding the necessary config options to your named.conf.local, enabling nsec3params, generating the DS records and displaying the DNSKEY, so that you only need to upload it to your registrar.
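As an added illustration (this is not the script attached to the post), here is what such a wrapper boils down to for one zone. The zone and key directories, the key algorithm and sizes, and the NSEC3 parameters are my assumptions; the commands themselves (dnssec-keygen, rndc signing, dnssec-dsfromkey) are the standard BIND 9.9+ tools. Without APPLY=1 it only prints the zone stanza, so it can be run harmlessly.

```shell
#!/bin/sh
# Added example, not the post's script: enable DNSSEC for one zone with BIND 9.9+
# inline signing. Paths, key sizes and NSEC3 parameters are assumptions.
# Usage: dnssec-enable.sh ZONE          -> print the named.conf.local stanza
#        APPLY=1 dnssec-enable.sh ZONE  -> generate keys, sign, print DS/DNSKEY
set -eu

ZONE=${1:-example.com}
ZONEDIR=${ZONEDIR:-/etc/bind/zones}   # assumed: unsigned zone files live here
KEYDIR=${KEYDIR:-/etc/bind/keys}      # assumed: must be writable by named

# Stanza for named.conf.local. inline-signing leaves the unsigned file alone and
# keeps a separate signed copy; auto-dnssec maintain picks up keys from KEYDIR.
zone_stanza() {
  cat <<EOF
zone "$1" {
    type master;
    file "$2";
    key-directory "$3";
    auto-dnssec maintain;
    inline-signing yes;
};
EOF
}

# One KSK (SEP flag) and one ZSK; dnssec-keygen writes K<zone>.+<alg>+<id>.{key,private}.
make_keys() {
  dnssec-keygen -K "$KEYDIR" -a RSASHA256 -b 2048 -f KSK "$1"
  dnssec-keygen -K "$KEYDIR" -a RSASHA256 -b 1024 "$1"
}

# Newest KSK .key file for zone $2 in key directory $1, identified by the comment
# dnssec-keygen writes into it ("; This is a key-signing key, keyid ..., for ...").
ksk_file() {
  grep -l 'key-signing key' "$1"/K"$2".+*.key | sort | tail -n 1
}

# Switch the signed zone to NSEC3: hash algorithm 1 (SHA-1), no opt-out,
# 10 iterations, random 8-byte salt.
enable_nsec3() {
  salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
  rndc signing -nsec3param 1 0 10 "$salt" "$1"
}

if [ "${APPLY:-0}" = 1 ]; then
  make_keys "$ZONE"
  zone_stanza "$ZONE" "$ZONEDIR/db.$ZONE" "$KEYDIR" >> /etc/bind/named.conf.local
  rndc reconfig                  # loads the zone; named signs it in the background
  enable_nsec3 "$ZONE"
  rndc signing -list "$ZONE"     # shows signing state and the NSEC3 chain status
  ksk=$(ksk_file "$KEYDIR" "$ZONE")
  echo "DS record(s) for the parent zone:"
  dnssec-dsfromkey -2 "$ksk"
  echo "DNSKEY, for registrars that take the key instead of the DS:"
  grep -v '^;' "$ksk"
else
  zone_stanza "$ZONE" "$ZONEDIR/db.$ZONE" "$KEYDIR"   # dry run
fi
```

After rndc reconfig, named signs the zone in the background; check rndc signing -list (and the DNSKEY/RRSIG records the server answers with) before handing the DS record or the DNSKEY to the registrar.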
One problem was still open: with auto-signing/inline-signing in Bind9 you keep your plain text zone file, while the signed zone file that Bind9 maintains next to it keeps increasing its serial with every re-signing (key rollovers included). When you change the plain text zone file by adding, changing or removing RRs, you are left with the manual task of finding out which serial is actually in use, because it is no longer the serial from your plain text zone file plus one. This is of course an awkward part I wanted to get rid of. Therefore my script includes an option to edit zone files with your favourite editor; it then increases the serial automatically by determining the currently highest number, either on disk or in DNS, and raising it by 1. Finally the zone is reloaded via rndc.
That way I now have the same comfort with Bind9 as with PowerDNS, but I also know what’s going on, because it’s not a black box anymore. Me happy. 🙂
P.S.: I don’t know whether this script is of interest to other users, because it relies heavily on my own setup, e.g. paths and such. But if there’s interest, just ask…
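The serial handling, again as an added example and not the author’s script: it reads the serial from the zone file, asks the running server which serial it currently answers with, takes the higher of the two plus one, writes it back and reloads. Assumptions of mine: the serial is the first digit-only token after the literal “SOA” (on the same line or a later one), comments start with “;”, and dig, named-checkzone and rndc are only needed when editing a real zone; the built-in demo runs on a constructed zone file and needs no BIND at all.

```shell
#!/bin/sh
# Added example, not the post's script: edit a BIND zone file, then set its SOA
# serial to one above the higher of the serial on disk and the serial the
# running server answers with, and reload the zone.
# Assumptions (not from the post): the serial is the first digit-only token
# after the literal "SOA" (same line or a later one) and comments start with ';'.
set -eu

# soa_serial FILE          -> print the SOA serial found in FILE
# soa_serial FILE NEWSER   -> print FILE with the serial replaced by NEWSER
soa_serial() {
  awk -v new="${2:-}" '
    {
      out = $0
      text = $0; sub(/;.*/, "", text)          # drop comments, keep offsets
      if (!found) {
        start = 1
        if (!insoa) {
          p = index(text, "SOA")
          if (p) { insoa = 1; start = p + 3 }
        }
        if (insoa) {
          # pad with spaces so the first digit run bounded by blanks/parens
          # is the serial; names such as ns1.example.com. never match
          rest = " " substr(text, start) " "
          if (match(rest, /[ \t(][0-9]+[ \t)]/)) {
            q = start + RSTART - 1; n = RLENGTH - 2
            found = 1
            if (new == "") { print substr($0, q, n); exit }
            out = substr($0, 1, q - 1) new substr($0, q + n)
          }
        }
      }
      if (new != "") print out
    }' "$1"
}

# next_serial A B -> max(A, B) + 1
next_serial() {
  if [ "$1" -gt "$2" ]; then echo $(($1 + 1)); else echo $(($2 + 1)); fi
}

# served_serial ZONE SERVER -> serial the running server answers with, 0 if unknown
served_serial() {
  dig +short SOA "$1" @"$2" 2>/dev/null | awk '{ print $3 }' | grep -E '^[0-9]+$' || echo 0
}

# edit_zone ZONEFILE ZONE [SERVER] -> open the editor, bump the serial, reload
edit_zone() {
  file=$1; zone=$2; server=${3:-127.0.0.1}
  ${EDITOR:-vi} "$file"
  ondisk=$(soa_serial "$file")
  [ -n "$ondisk" ] || { echo "no SOA serial found in $file" >&2; return 1; }
  served=$(served_serial "$zone" "$server")
  new=$(next_serial "$ondisk" "$served")
  soa_serial "$file" "$new" > "$file.tmp" && mv "$file.tmp" "$file"
  named-checkzone "$zone" "$file" && rndc reload "$zone"
  echo "$zone: serial $ondisk (file) / $served (served) -> $new"
}

# Demo on a constructed zone file, no BIND needed: the file still says
# 2013010101 while the signed copy is being served with 2013010150.
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
$TTL 3600
@   IN  SOA ns1.example.com. hostmaster.example.com. (
            2013010101 ; serial
            7200       ; refresh
            3600       ; retry
            1209600    ; expire
            3600 )     ; minimum
    IN  NS  ns1.example.com.
ns1 IN  A   192.0.2.1
EOF
  new=$(next_serial "$(soa_serial "$tmp")" 2013010150)
  soa_serial "$tmp" "$new" > "$tmp.new"
  soa_serial "$tmp.new"             # prints 2013010151
  rm -f "$tmp" "$tmp.new"
}

if [ $# -ge 2 ]; then edit_zone "$@"; else demo; fi
```

The demo shows exactly the situation described above: the plain text file is at 2013010101, the signed copy is served with 2013010150, so the next serial becomes 2013010151 instead of 2013010102.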
P.P.S.: Well, I think it’s better when you can decide yourself if my script is of interest to you… please find it attached…
Nice to see you got it working 🙂
However, I think that serial dance you are doing is not necessary. The new serial you are giving in the zone file does not have to be higher than the currently “actually” used serial. You can do a +1 as usual, that’s working fine for me.
Well, when editing the zone file after enabling DNSSEC I noticed that several check tools complained about differing SOA records or serials, including the web interface of my registrar and the DENIC nameservers. That’s why I took care of raising the serial, in order to ensure it’s working anyway. 🙂