[dns-operations] summary of recent vulnerabilities in DNS security.

Rubens Kuhl rubensk at nic.br
Tue Oct 29 10:22:45 UTC 2013


On 29/10/2013, at 05:45, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> On Tue, Oct 29, 2013 at 12:07:10AM -0200,
> Rubens Kuhl <rubensk at nic.br> wrote 
> a message of 30 lines which said:
> 
>> Would DNSSHIM or Atomia DNS fit your description of DNSSEC
>> management ? 
> 
> [Warning, quick glance only]
> 
> DNSSHIM claims to be able to "manage" DNSSEC keys but the
> documentation apparently does not say a word about how keys are
> created and deleted. It seems it has to be done manually and, in that
> case, there is indeed no key management.

Key creation:

19 NewKey

Generates a new key for a specified zone.

19.1 Request

<?xml version="1.0" encoding="utf-8"?>
<dnsshim version="1.0">
  <request>
    <newKey>
      <sessionId>$sessionId</sessionId>
      <zone>$zone</zone>
      <size>$keySize</size>
      <type>$keyType</type>
      <flags>$flags</flags>
      <status>$keyStatus</status>
      <algorithm>$algorithm</algorithm>
      <protocol>$protocol</protocol>
    </newKey>
  </request>
</dnsshim>


19.1.1 Parameters

$sessionId: Session identification.

$zone: Name of the zone.

$keySize: Size of the new key (suggestion is 1024).

$keyType: Zone Signing Key (ZSK) or Key Signing Key (KSK).

$flags: The flags field of the new key (Either 256 or 257).

$keyStatus: Status of the new key (Either SIGN, PUBLISH or NONE).

$algorithm: The key's algorithm. Either 5 (RSA) or 3 (DSA). Currently DNSSHIM only supports RSA keys.

$protocol: DNSKEY protocol according to RFC 3755. Currently must be 3.

$expirationPeriod: Validity of the zone's signatures.

Key removal:


26 RemoveKey

26.1 Request

<?xml version="1.0" encoding="utf-8"?>
<dnsshim version="1.0">
  <request>
    <removeKey>
      <sessionId>$sessionId</sessionId>
      <zone>$zone</zone>
      <keyName>$key</keyName>
    </removeKey>
  </request>
</dnsshim>

26.1.1 Parameters

$sessionId: Session identification.

$zone: Name of the zone.

$keyName: The name of the key.

33 SetExpirationPeriod

Sets the validity period of the zone's signatures.


33.1 Request

<?xml version="1.0" encoding="utf-8"?>
<dnsshim version="1.0">
  <request>
    <setExpirationPeriod>
      <sessionId>$sessionId</sessionId>
      <zone>$zone</zone>
      <expirationPeriod>$expiration</expirationPeriod>
    </setExpirationPeriod>
  </request>
</dnsshim>

33.1.1 Parameters

$sessionId: Session identification.
$zone: Name of the zone.
$expirationPeriod: Validity of the zone’s signatures.

> 
> Atomia DNS does not claim to do DNSSEC key management and, anyway, I
> find nothing about DNSSEC in its documentation (not the list of
> features, the documentation).
> 
> 

Although I'm more familiar with DNSSHIM, Atomia is said to be used by some registrars with a very large number of DNSSEC-signed zones, so I would expect it to have such capabilities. A difference, though, is that while DNSSHIM is more BIND-oriented (it uses BIND-specific signaling to make publishing servers create new zones), Atomia is more PowerDNS-oriented.

Rubens
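The three DNSSHIM requests quoted above (NewKey, RemoveKey, SetExpirationPeriod) as a small client-side builder and checker. This is an added example written for this page, not DNSSHIM's own client code: it follows the element names and envelope of the quoted requests exactly, but the transport that carries the XML to the server and the format of the server's reply are not shown on the page, so it stops at producing and re-validating the request bytes. The 2048-bit default (the documentation suggests 1024), the zone-name syntax check, the positive-integer rule for the expiration period and the `parse_request` front-end check are all assumptions of the example.

```python
"""Build and check DNSSHIM 1.0 request documents.

Added example, not DNSSHIM's own client code.  Element names and layout
follow the quoted NewKey, RemoveKey and SetExpirationPeriod requests;
transport and reply format are not on the page, so this stops at bytes.
"""
import re
import xml.etree.ElementTree as ET

# Values taken from the quoted parameter descriptions.
KEY_TYPE_FLAGS = {"ZSK": 256, "KSK": 257}  # DNSKEY flags: 256 = ZONE, 257 = ZONE + SEP
KEY_STATUSES = {"SIGN", "PUBLISH", "NONE"}
ALGORITHMS = {5: "RSA", 3: "DSA"}
SUPPORTED_ALGORITHMS = {5}                 # the doc says only RSA keys are supported
PROTOCOL = 3                               # the doc says this must be 3
# Assumption: 1024 is only the doc's suggestion; this example defaults to 2048
# and refuses anything shorter than the suggested size.
DEFAULT_KEY_SIZE = 2048
MIN_KEY_SIZE = 1024

_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_zone(zone):
    """Accept only hostname-style zone names (assumption), so a caller cannot
    smuggle markup or whitespace through the <zone> element."""
    name = zone[:-1] if zone.endswith(".") else zone
    if not name or len(name) > 253 or not all(_LABEL.match(l) for l in name.split(".")):
        raise ValueError(f"not a valid zone name: {zone!r}")
    return zone


def _request(session_id, op, fields):
    """Wrap one operation in the <dnsshim version="1.0"><request> envelope.
    ElementTree escapes text, so '&' or '<' in a value stays inside its element."""
    root = ET.Element("dnsshim", version="1.0")
    op_el = ET.SubElement(ET.SubElement(root, "request"), op)
    ET.SubElement(op_el, "sessionId").text = str(session_id)
    for name, value in fields:
        ET.SubElement(op_el, name).text = str(value)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def new_key(session_id, zone, key_type, size=DEFAULT_KEY_SIZE, status="PUBLISH", algorithm=5):
    """Build a newKey request.  The flags field is derived from the key type,
    so a KSK is never sent without the SEP bit (257) nor a ZSK with it."""
    key_type = key_type.upper()
    if key_type not in KEY_TYPE_FLAGS:
        raise ValueError("key type must be ZSK or KSK")
    if status not in KEY_STATUSES:
        raise ValueError("status must be SIGN, PUBLISH or NONE")
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"algorithm {algorithm} ({ALGORITHMS.get(algorithm, 'unknown')}) "
                         "is not supported; use 5 (RSA)")
    if size < MIN_KEY_SIZE:
        raise ValueError(f"key size {size} is below the minimum {MIN_KEY_SIZE}")
    fields = [("zone", check_zone(zone)), ("size", size), ("type", key_type),
              ("flags", KEY_TYPE_FLAGS[key_type]), ("status", status),
              ("algorithm", algorithm), ("protocol", PROTOCOL)]
    return _request(session_id, "newKey", fields)


def remove_key(session_id, zone, key_name):
    """Build a removeKey request; the page gives no key-name syntax, so only
    emptiness is rejected and escaping is left to ElementTree."""
    if not key_name:
        raise ValueError("key name required")
    return _request(session_id, "removeKey",
                    [("zone", check_zone(zone)), ("keyName", key_name)])


def set_expiration_period(session_id, zone, period):
    """Build a setExpirationPeriod request.  Assumption: the page gives no
    unit for the period, so a positive integer is all that is required here."""
    if not isinstance(period, int) or period <= 0:
        raise ValueError("expiration period must be a positive integer")
    return _request(session_id, "setExpirationPeriod",
                    [("zone", check_zone(zone)), ("expirationPeriod", period)])


def parse_request(data):
    """Parse a request back into (operation, fields) and re-check the newKey
    invariants, as a server-side front end would before acting on it.
    For XML from untrusted clients prefer defusedxml over plain ElementTree."""
    root = ET.fromstring(data)
    if root.tag != "dnsshim" or root.get("version") != "1.0":
        raise ValueError("not a dnsshim 1.0 document")
    req = root.find("request")
    if req is None or len(req) != 1:
        raise ValueError("expected exactly one operation under <request>")
    op = req[0]
    fields = {child.tag: (child.text or "") for child in op}
    if op.tag == "newKey":
        if int(fields.get("flags", "-1")) != KEY_TYPE_FLAGS.get(fields.get("type")):
            raise ValueError("flags do not match key type")
        if int(fields.get("protocol", "-1")) != PROTOCOL:
            raise ValueError("protocol must be 3")
    return op.tag, fields


if __name__ == "__main__":
    print(new_key("abc123", "example.br", "KSK").decode())
```

The documentation lets a caller pass `$keyType` and `$flags` independently; the builder above derives the flags from the type so the two cannot disagree, and `parse_request` rejects a hand-built document in which they do.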
