Hi Folks,
We've just about completed our initial deployment of signed zones, so I
thought it would be a good time to share a few notes for those who are
thinking of experimenting.
The short version: It's pretty easy. You should give it a whirl.
Our infrastructure is built around a BIND 9.9 stealth master which
receives text zonefiles from a provisioning system (so there are no
dynamic updates). We're using the inline signing options that came in
with 9.9.
There are a few configuration modifications on the master:
==
// Only sign apex DNSKEYs with the KSK (keeps the apex smaller)
dnssec-dnskey-kskonly yes;
// Sign many nodes in one signing quantum to reduce the number of
// zone transfers during signing of large zones
sig-signing-nodes 10000;
sig-signing-signatures 10000;
==
dnssec-dnskey-kskonly seems to split the community - Cambridge,
Leicester & Loughborough appear to have it set, Bath (SWURCC) & Imperial
do not. I haven't worked out a good reason for having the ZSK sign the
DNSKEY rrset, so I've gone for 'yes'. The additional signature probably
wouldn't make much difference though.
The signing nodes and signatures values are significantly increased
(from defaults of 100 & 10 respectively) to improve the speed of
signing operations (and thus reduce the number of serial
increments/notifies/transfers). As a benchmark, with the default values
an initial signing of lancs.ac.uk[1] took 13 minutes 53 seconds,
compared to 1 minute 53 seconds with the larger values. The downside is
that whilst busy signing, BIND takes an appreciable length of time (~2
seconds) to process other requests (e.g. zone transfers & 'rndc signing
-list lancs.ac.uk').
We also set a smaller maximum size for the journals ('max-journal-size'
- the default is 2GB per journal file!). Enabling inline signing will
create journals, even if you haven't enabled ixfr-from-differences.
The zone definition for a signed zone looks like this:
zone "lancs.ac.uk" {
    type master;
    file "/var/local/schlep_bind9/live/zones/lancs.ac.uk/zonefile";
    inline-signing yes;
    auto-dnssec maintain;
    key-directory "/etc/bind/dnssec_keys/lancs.ac.uk";
};
As long as there are valid keys within the key-directory It Just Works[2].
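The "valid keys" condition (and the frozen-zone failure in footnote [2]) can be checked before named is pointed at a key-directory. The following is an added example, not part of the original post: it parses the metadata comments and DNSKEY record that dnssec-keygen writes into K<zone>.+<alg>+<id>.key files and reports whether at least one KSK and one ZSK are active at a given time. The sample key files and the zone name example.test are constructed.

```python
import re
from datetime import datetime, timezone

KSK_FLAGS, ZSK_FLAGS = 257, 256   # DNSKEY flags: SEP bit set = key-signing key

def at(stamp):
    """Convert a YYYYMMDDHHMMSS stamp (as written by dnssec-keygen) to UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

# Constructed sample .key file contents; key material is fake and truncated.
SAMPLE_KEYS = [
    "; This is a key-signing key, keyid 11111, for example.test.\n"
    "; Publish: 20130101000000 (Tue Jan  1 00:00:00 2013)\n"
    "; Activate: 20130101000000 (Tue Jan  1 00:00:00 2013)\n"
    "example.test. IN DNSKEY 257 3 8 AwEAAcFAKEKSK...\n",
    "; This is a zone-signing key, keyid 22222, for example.test.\n"
    "; Publish: 20130101000000 (Tue Jan  1 00:00:00 2013)\n"
    "; Activate: 20130101000000 (Tue Jan  1 00:00:00 2013)\n"
    "; Inactive: 20130401000000 (Mon Apr  1 00:00:00 2013)\n"
    "; Delete: 20130501000000 (Wed May  1 00:00:00 2013)\n"
    "example.test. IN DNSKEY 256 3 8 AwEAAcFAKEZSK...\n",
]

def parse_keyfile(text):
    """Return (flags, timing): flags from the DNSKEY RR, timing as
    {event: aware datetime} taken from the '; Publish:' style comments."""
    flags, timing = None, {}
    for line in text.splitlines():
        m = re.match(r";\s*(Publish|Activate|Inactive|Delete):\s*(\d{14})", line)
        if m:
            timing[m.group(1)] = at(m.group(2))
            continue
        m = re.match(r"\S+\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s", line)
        if m:
            flags = int(m.group(1))
    return flags, timing

def key_is_active(timing, now):
    """auto-dnssec maintain signs with a key only from Activate up to Inactive."""
    activate, inactive = timing.get("Activate"), timing.get("Inactive")
    if activate is None or now < activate:
        return False
    return inactive is None or now < inactive

def signing_status(keyfiles, now):
    """Count active KSKs and ZSKs; with either count at zero the inline-signed
    zone stops following changes to the underlying zonefile."""
    status = {"ksk": 0, "zsk": 0}
    for text in keyfiles:
        flags, timing = parse_keyfile(text)
        if flags == KSK_FLAGS and key_is_active(timing, now):
            status["ksk"] += 1
        elif flags == ZSK_FLAGS and key_is_active(timing, now):
            status["zsk"] += 1
    status["can_sign"] = status["ksk"] > 0 and status["zsk"] > 0
    return status
```

Run it against the real key-directory by reading each *.key file into the list; a result with can_sign False before the ZSK's Inactive date is the cue to generate a successor key.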
We use the default signature timings (sig-validity-interval), so there
is always a grace period of at least a week before any signatures
expire. The useful bits of the master (configuration, zone data, keys
etc) are rsynced to a DR master (in London, but still routed via Janet)
with bind ready to go. If it gets desperate we can manually edit the
zonefile on the DR master to direct visitors to a 'Sorry - Lancashire
has disappeared' web page (as long as all the trained staff didn't also
disappear - maybe this should be automatic. What could possibly go wrong?).
I'd be happy to go into excruciating detail on particular items if
anyone's interested, but it's pretty painless (even so, you'll cross
your fingers whilst waiting for the first DS to go through!).
Graham
[1] lancs.ac.uk contains 99,811 RRs (don't ask!)
[2] Although if there's an existing journal file you might need to
remove it, and don't edit the zonefile whilst named is stopped - both
will give you a 'journal roll forward' error. If there are no valid
keys, the 'signed' zone freezes up and doesn't follow changes made to
the underlying zonefile.
--
Graham Clinch
Systems Programmer,
Lancaster University