Replies: 5 comments 6 replies
-
|
I don't know of any such work. DNSSEC signing and related periodic maintenance (e.g. key rollovers) is quite complicated, and I'm not sure what the benefit of a batch-oriented offline signing facility would be in dnspython. Anyone trying to use it for anything other than casual testing would find it unwieldy and dangerous. The alternative is to have a deeply DNSSEC aware zone with online keys and a management process, but this is far more complicated still. So basically I'm not really keen on the idea, but I'm still open to hearing more about your use case(s). |
Beta Was this translation helpful? Give feedback.
-
|
But I'm probably too grumpy about DNSSEC. Please say more, I ought not to discourage a signer. |
Beta Was this translation helpful? Give feedback.
-
|
I'm just looking at test tools at this time and the missing part for signing my zone is currently an NSEC generator. I'm thinking a helper in I don't need a full zone signer, but I need to be able to create a signed zone as part of a test suite. For my current use case (the root zone), NSEC is enough. |
Beta Was this translation helpful? Give feedback.
-
|
Might be a handy thing to use the transactional API for doing the actual alteration of the zone, as that way you could roll back on error. |
Beta Was this translation helpful? Give feedback.
-
|
I'm not very familiar with the transactional API, but I'm happy to learn. First cut at NSEC support in https://github.com/jschlyter/dnspython/tree/nsecify |
Beta Was this translation helpful? Give feedback.
-
|
I might have fixed this issue now. The most inefficient part is finding what names are not to be included in the NSEC chain - it is currently really slow. |
Beta Was this translation helpful? Give feedback.
-
|
If you sort all the names into DNSSEC order first and then iterate them, skipping names that are beneath zone cuts, you can do it in one pass, though bits of the logic may be more complicated than the very readable code you have now. I'm not requesting the change, just pointing out the option since you mentioned inefficiency. The skipping check is more efficient as if you see an NS at a name, then you just consume names until you see a name that is not a subdomain of the NS owner name (or exhaust the list). |
Beta Was this translation helpful? Give feedback.
-
|
This was a very good idea, I've implemented it now. |
Beta Was this translation helpful? Give feedback.
-
|
PR submitted as #905 |
Beta Was this translation helpful? Give feedback.
-
|
@bwelling @rthalley Please check https://github.com/jschlyter/dnspython/tree/rdataset_signer for an idea for signing while adding NSECs: |
Beta Was this translation helpful? Give feedback.
-
|
Moving discussion to #909 |
Beta Was this translation helpful? Give feedback.
-
Are there any existing work on generating NSEC/NSEC3 chains for a zone? This is one step towards a complete zones signer.
I'm thinking a function that will add (or perhaps update) NSEC/NSEC3 records on a given Zone, with the option to add RRSIG to each type map (since the next step in the pipeline will be signing).
Beta Was this translation helpful? Give feedback.
All reactions