2

I would like to know how files are handled in a auto-dnssec environment.

My current setup (non-DNSSEC) places the zones files in /var/named/data. These files are then read by the bind server.

If I enable auto signing, will the zones files change? Or will bind just keep the signed zones internally? If the former thing happens, Puppet might not be a good idea to deploy dns zones anymore.

Karel
  • 639
  • 9
  • 16
  • http://serverfault.com/questions/405528/basic-dnssec-configuration-under-bind-9-7 – NickW Feb 17 '14 at 16:49
  • @NickW That question doesn't really address what Karlo is asking - he's ***actually concerned about "all the details"*** (like what happens on the filesystem). – voretaq7 Feb 17 '14 at 16:52
  • @NickW Additionally, that question is about manually signing zones. In 9.8.something they added the ability for BIND to automatically sign zones, which is what this questions is asking about. – Chris S Feb 17 '14 at 16:56
  • So, what am I missing in this statement here `"auto-dnssec maintain tells bind to periodically search the folder, specified in key-directory, for new DNSSEC keys, add those keys to the zone and sign the zone. All automatically, without your interaction."` From the page I linked mind you – NickW Feb 17 '14 at 16:58
  • Anyhow, if he wants to use puppet to deploy zone files, he'll probably want inline-signing, and bind 9.9.x.. – NickW Feb 17 '14 at 17:09
  • @Karlo My apologies, my first answer was based on information from someone else, and was wrong. I've setup my own environment to test now and updated my Answer with corrected information. – Chris S Feb 18 '14 at 20:57

2 Answers2

3

EDIT: The previous version of this Answer was backwards-wrong.

If I enable auto-signing, will the zones files change?

Yes. BIND will update the file you specify in the configuration "dynamic" style. This means the whole file generally gets rewritten, losing any "$INCLUDE" directives, converting to "standard" formatting, etc.

With manually signing files, the original zone files do not change. You can not use Dynamic Updates with manually signed files, so there's a trade-off. Generally you either maintain the original zone file by hand and use manual signing, or you use nsupdate to maintain the original file and let BIND auto-sign the zone. Side note: last I looked BIND couldn't auto-gen ZSK keys, so you still have to manually rotate those (or script the process).

Chris S
  • 77,945
  • 11
  • 124
  • 216
1

You an do the latter (having BIND maintain the signed zones separate from the unsigned zones you edit, and also update them when you edit your files) using the inline-signing feature added in BIND9.9.

It is currently only documented at https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html

Joachim Breitner
  • 3,779
  • 3
  • 18
  • 21