mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 06:55:30 +00:00
Code Issues Releases Wiki Activity

Add hints about secure delegation to DNSSEC chapter of the ARM

Browse Source 
Let's not duplicate texts from elsewhere, just point to different parts
of documentation.
This commit is contained in:
Petr Špaček
2022-06-09 09:04:24 +02:00
committed by Matthijs Mekking
parent 28a533322b
commit 29030fa5d7
1 changed files with 39 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
doc/arm/dnssec.inc.rst
View File

@@ -77,6 +77,7 @@ These filenames contain:
safe location and protect them from unauthorized access. Anyone with safe location and protect them from unauthorized access. Anyone with
access to the private key can create fake but seemingly valid DNS data. access to the private key can create fake but seemingly valid DNS data.
.. _dnssec_kasp: .. _dnssec_kasp:
Fully Automated (Key and Signing Policy) Fully Automated (Key and Signing Policy)
@@ -428,6 +429,44 @@ to provide the parent zone administrators with the ``DNSKEYs`` (or their
corresponding ``DS`` records) that are the secure entry point to the zone. corresponding ``DS`` records) that are the secure entry point to the zone.
.. _secure_delegation:
Secure Delegation
~~~~~~~~~~~~~~~~~
Once a zone is signed on the authoritative servers, the last remaining step
is to establish chain of trust [#validation]_ between the parent zone
(``example.``) and the local zone (``dnssec.example.``).
Generally the procedure is:
- **Wait** for stale data to expire from caches. The amount of time required
is equal to the maximum TTL value used in the zone before signing. This
step ensures that unsigned data expire from caches and resolvers do not get
confused by missing signatures.
- Insert/update DS records in the parent zone (``dnssec.example. DS`` record).
There are multiple ways to update DS records in the parent zone. Refer to the
documentation for the parent zone to find out which options are applicable to
a given case zone. Generally the options are, from most- to least-recommended:
- Automatically update the DS record in the parent zone using
``CDS``/``CDNSKEY`` records automatically generated by BIND. This requires
support for :rfc:`7344` in either parent zone, registry, or registrar. In
that case, configure BIND to :ref:`monitor DS records in the parent
zone <cds_cdnskey>` and everything will happen automatically at the right
time.
- Query the zone for automatically generated ``CDS`` or ``CDNSKEY`` records using
:iscman:`dig`, and then insert these records into the parent zone using
the method specified by the parent zone (web form, e-mail, API, ...).
- Generate DS records manually using the :iscman:`dnssec-dsfromkey` utility on
`zone keys`_, and then insert them into the parent zone.
.. [#validation] For further details on how the chain of trust is used in practice, see
:ref:`dnssec_12_steps` in the :doc:`dnssec-guide`.
DNSSEC Validation DNSSEC Validation
~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~