Jasper Wallace
2018-Feb-15 01:02 UTC
[nsd-users] NSD and DNSSEC signature refreshing and ZSK rotation
Hi,

When NSD serves a signed zone, will it also re-sign it and rotate ZSKs as needed? Or do you have to use e.g. OpenDNSSEC to handle it?

-- [http://pointless.net/] [0x416333590FC0E569]
Paul Wouters
2018-Feb-15 05:07 UTC
[nsd-users] NSD and DNSSEC signature refreshing and ZSK rotation
> On Feb 14, 2018, at 20:02, Jasper Wallace <jasper at pointless.net> wrote:
>
> Hi,
>
> When NSD serves a signed zone, will it also re-sign it and rotate ZSKs as needed? Or do you have to use e.g. OpenDNSSEC to handle it?

You need OpenDNSSEC or another tool that handles key management and signing. NSD just serves the DNS data.

Paul
Michael A. Peters
2018-Feb-15 12:53 UTC
[nsd-users] NSD and DNSSEC signature refreshing and ZSK rotation
On 02/14/2018 05:02 PM, Jasper Wallace wrote:> > Hi, > > When NSD serves a signed zone will it also re-sign it and rotate ZSK's as > needed? Or do you have to use e.g. OpenDNSSEC to handle it? >NSD only serves the zone file. The entries in the zone file have to be signed and uploaded to your authoritative name server. Also, even though it is commonly done, you should NOT have your ksk / zsk private keys on your authoritative nameserver. You should have a signing machine that only has an ssh port open that signs your zone files before sending them to NSD to be served. If your signing keys are stolen then DNSSEC does not offer much protection, so they should be heavily guarded.