[Pdns-users] Security of DNSSEC signing (was: New to PowerDNS)

Leen Besselink leen at consolejunkie.net
Sun Jun 29 19:29:23 UTC 2014

On Fri, Jun 27, 2014 at 01:26:07AM +0200, Michael Ströder wrote:
> ktm at rice.edu wrote:
> > On Thu, Jun 26, 2014 at 10:21:06PM +0100, Jorge Bastos wrote:
> >> For the DNSSEC part, is there a way to create the DNSSEC information just by SQL ?
> >>
> >> If not, the solution is to run "pdnssec secure-zone ZONE" in a loop on a cron script, am I right?
> > 
> > I do not know about a SQL only solution for MySQL DNSSEC signing, but I
> > know that there is a sample schema for Oracle that includes the needed
> > triggers and functions and that I have a basically complete version of
> > the same for PostgreSQL that I will be submitting to the PDNS folks once
> > we have it vetted for production.
> Hmm, am I the only one who is concerned about the security of the signing process?
> Please don't get me wrong. But people are advocating DANE nowadays and aim to
> completely replace X.509 certs with that. So security of the signed RRs is
> crucial just like issuing X.509 certs. And yes, I know that it's hard to
> achieve a higher level of operational security.
> Ciao, Michael.

Hi Michael,

DNSSEC allows a domain owner to be as secure or insecure as they want to be.

You can do online or offline signing.

Or do part of the signing online and part of it offline, because DNSSEC allows the use of a Zone Signing Key and a Key Signing Key for your domain.

Or you can choose to not use DNSSEC at all.

Online signing is similar to most VPN- and SSL/TLS-deployments, like HTTPS/POP3S/IMAPS.

Offline signing allows you to put the key in a 24/7 guarded safe.

Most Certificate Authorities do online signing too. Just look at OCSP.
Probably they only use that for their sub-CAs (that is the certificate of the intermediate you need when you deploy for HTTPS, etc.).

Does that now make you less or more concerned?

Have a good weekend,
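
Added example, not part of this thread and not PowerDNS code: a small Python script that shows the KSK/ZSK split described above from the parent zone's point of view. It builds DNSKEY RDATA for a constructed KSK (flags 257, ZONE|SEP) and ZSK (flags 256), computes the RFC 4034 Appendix B key tag and a SHA-256 DS record, and shows that only the SEP-flagged KSK ever appears in the DS set the parent publishes, so the ZSK can be rolled by the online signer without touching the delegation. The public-key bytes are made-up placeholders, not real RSA keys; the DS output format matches what a real DS record looks like in presentation form.

```python
import hashlib
import struct
from typing import List

# RFC 4034 DNSKEY flag bits: 0x0100 = ZONE key, 0x0001 = SEP (Secure Entry Point).
# By convention a KSK has flags 257 (ZONE|SEP) and a ZSK has flags 256 (ZONE only).
FLAG_ZONE = 0x0100
FLAG_SEP = 0x0001
PROTOCOL = 3          # always 3 for DNSSEC (RFC 4034 section 2.1.2)
ALG_RSASHA256 = 8     # algorithm number from RFC 5702
DS_DIGEST_SHA256 = 2  # DS digest type from RFC 4509


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, PROTOCOL, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(rdata: bytes) -> bool:
    """A key is a KSK (secure entry point) when both ZONE and SEP flags are set."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return (flags & (FLAG_ZONE | FLAG_SEP)) == (FLAG_ZONE | FLAG_SEP)


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def ds_record(owner: str, rdata: bytes) -> str:
    """Presentation-format DS RDATA (RFC 4034 section 5): keytag algorithm digesttype digest.
    The digest covers the canonical owner name followed by the full DNSKEY RDATA."""
    algorithm = rdata[3]
    digest = hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {DS_DIGEST_SHA256} {digest}"


def delegation_ds_set(owner: str, dnskey_rrset: List[bytes]) -> List[str]:
    """DS records the parent zone needs: one per SEP key. ZSKs never reach the parent,
    which is why the online signer can roll them without a delegation update."""
    return sorted(ds_record(owner, rd) for rd in dnskey_rrset if is_ksk(rd))


# Constructed placeholder key material (NOT real RSA public keys).
KSK_RDATA = dnskey_rdata(FLAG_ZONE | FLAG_SEP, ALG_RSASHA256, bytes([1, 2, 3, 4]))
ZSK_RDATA = dnskey_rdata(FLAG_ZONE, ALG_RSASHA256, bytes([5, 6, 7, 8]))
ZSK_ROLLED = dnskey_rdata(FLAG_ZONE, ALG_RSASHA256, bytes([9, 10, 11, 12]))

if __name__ == "__main__":
    zone = "example.com."
    for label, rd in (("KSK", KSK_RDATA), ("ZSK", ZSK_RDATA)):
        print(f"{label}: tag={key_tag(rd)} ksk={is_ksk(rd)}")
    print("DS before ZSK roll:", delegation_ds_set(zone, [KSK_RDATA, ZSK_RDATA]))
    print("DS after  ZSK roll:", delegation_ds_set(zone, [KSK_RDATA, ZSK_ROLLED]))
```

The two DS lines printed at the end are identical: the offline KSK is the only key anchored at the parent, while the ZSK that signs the zone data online can change freely. The reverse is the cost of the split: any KSK change requires a new DS at the parent, which is why the KSK is the key worth keeping in the safe.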
