[dns-operations] non signing Bind & DNSSEC: a note of caution

Wes Hardaker wjhns1 at hardakers.net
Mon Feb 7 18:28:05 UTC 2011


>>>>> On Mon, 07 Feb 2011 05:22:42 -0600, Michael Graff <mgraff at isc.org> said:

MG> I also feel a global "don't be smart about anything I give you" switch
MG> needs to go in, where named will serve whatever it is told, no matter
MG> how insane it may be with respect to DNSSEC data.

I'd look at it more generically than that.  Either:

The easy ones:

  1) You were handed a zone file without dnssec data in it and were asked
     to sign and maintain it
     -> sign and maintain

  2) You were handed a zone file without dnssec data in it and were
     specifically asked not to maintain it.
     -> serve as is

  3) You were handed a zone file with dnssec data in it (and the private
     keys) and were told to take over dnssec maintenance and maintain
     it.
     -> sign and maintain

  4) You were handed a zone file with dnssec data in it and were
     specifically told not to touch it
     -> serve as is

The harder and also very common:
  5) You were handed a zone file without dnssec data in it and weren't
     given any instructions.
     -> ???  (could default to either signing or serving as is)

  6) You were given a zone with dnssec data already in it and weren't
     given any instructions (with or without private keys).
     -> serve as is.

I think that doing anything else in #6 is asking for trouble.  You
really don't have a clue what the operator was thinking when they gave
you the data.  Without an option (global or not) that says "I expect you
to do everything for me always", you can't make assumptions about
whether or not it's safe to modify *anything* in that file.

Now...  printing a warning message would be a very good thing
(encouraging them to select either #3 or #4 above).

I realize the goal here (and it's a good one) is to sign more stuff and
make it easy to do so.  But you still have to consider when it's safe to
take the input you've been given and modify it.

-- 
Wes Hardaker
Cobham Analytic Solutions
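The six cases above boil down to a check an operator could automate before a zone is loaded: does the master file already carry DNSSEC records, and was any instruction given about signing? The script below is an added example, not code from the post, from Wes Hardaker, or from BIND; it scans a constructed master-format zone file for DNSSEC record types, maps the result plus the operator's instruction onto cases 1 to 6, and emits the warning the post suggests for case 6. The `instruction` values ("sign", "serve", None) and the sample zones are assumptions made for this example.

```python
"""Classify a zone file into the six cases from the post (added example)."""
import re

# Record types whose presence means somebody has already signed the zone.
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "CDS", "CDNSKEY"}
CLASSES = {"IN", "CH", "HS"}


def zone_has_dnssec(zone_text):
    """Return the set of DNSSEC record types found in a master-format zone.

    Handles ';' comments, $-directives, optional owner/TTL/class fields and
    parenthesised multi-line records (folded onto one line first). It does
    not handle ';' inside quoted TXT strings, which is fine here because
    only the type field (before the RDATA) is inspected.
    """
    found = set()
    folded = re.sub(r"\(([^)]*)\)",
                    lambda m: " ".join(m.group(1).split()),
                    zone_text, flags=re.S)
    for raw in folded.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        # An owner name is present only when the line starts in column 1.
        if not raw[0].isspace():
            fields = fields[1:]
        # Skip the optional TTL and class to reach the type field.
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields = fields[1:]
        if fields and fields[0].upper() in DNSSEC_TYPES:
            found.add(fields[0].upper())
    return found


# (zone already has DNSSEC data?, instruction) -> (case number, action)
CASES = {
    (False, "sign"): (1, "sign"),
    (False, "serve"): (2, "serve"),
    (True, "sign"): (3, "sign"),       # only meaningful if the private keys came along
    (True, "serve"): (4, "serve"),
    (False, None): (5, "undecided"),   # the post leaves this default open
    (True, None): (6, "serve"),        # never modify data you were not asked to touch
}


def classify(zone_text, instruction):
    """Map a zone file and an instruction ("sign", "serve" or None) to a case."""
    return CASES[(bool(zone_has_dnssec(zone_text)), instruction)]


def advice(zone_text, instruction):
    """Return a one-line decision, with the warning the post recommends for case 6."""
    case, action = classify(zone_text, instruction)
    msg = "case %d: %s" % (case, action)
    if case == 6:
        msg += (" -- WARNING: zone contains %s but no signing instruction was given;"
                " serving as is. Say explicitly whether named should maintain it."
                % ", ".join(sorted(zone_has_dnssec(zone_text))))
    return msg


# Constructed sample zones (placeholder key and signature material).
UNSIGNED_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@       IN SOA ns1 hostmaster ( 2011020701 7200 3600 1209600 3600 )
        IN NS  ns1
ns1     IN A   192.0.2.1
"""

SIGNED_ZONE = UNSIGNED_ZONE + """\
@       IN DNSKEY 257 3 8 (
            AwEAAcPLACEHOLDERKEY== ) ; constructed placeholder
@  3600 IN RRSIG DNSKEY 8 2 3600 20110301000000 20110201000000 12345 example.test. (
            c29tZXNpZw== ) ; constructed placeholder
"""

if __name__ == "__main__":
    for name, zone in (("unsigned", UNSIGNED_ZONE), ("signed", SIGNED_ZONE)):
        for instr in ("sign", "serve", None):
            print("%-8s instruction=%-5s -> %s" % (name, instr, advice(zone, instr)))
```

Running the module prints the decision for every combination of the two sample zones and the three instructions; the only combination that produces a warning is the signed zone with no instruction, which is the post's case 6.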
