From 0b2ac65fe1c62793aa021e9f5bf2b4fef18a9de6 Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Sun, 14 Feb 2010 12:29:54 +0100 Subject: [PATCH] First draft of dnssec posting --- .../2010/02/Securing_the_Debian_zones.mdwn | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 input/dsablog/2010/02/Securing_the_Debian_zones.mdwn diff --git a/input/dsablog/2010/02/Securing_the_Debian_zones.mdwn b/input/dsablog/2010/02/Securing_the_Debian_zones.mdwn new file mode 100644 index 0000000..050714a --- /dev/null +++ b/input/dsablog/2010/02/Securing_the_Debian_zones.mdwn 
@@ -0,0 +1,65 @@ +[[!meta author="Peter Palfrader"]] + +We are in the process of deploying +[DNSSEC](http://www.dnssec.net/), +the DNS Security Extensions, on the Debian zones. This means properly +configured resolvers will be able to verify the authenticity of information +they receive from the domain name system. + +The plan is to introduce DNSSEC in several steps so that we can react +to issues that arise without breaking everything at once. + +We will start with serving signed debian.net and +debian.com zones. Assuming nobody complains loudly enough +the various reverse zones and finally the debian.org will +follow. Once all our zones are signed we will publish our trust anchors +in [ISC's DLV Registry](https://www.isc.org/solutions/dlv), again in +stages. + +The various child zones that are handled differently from our normal +DNS infrastructure +(mirror.debian.net, +alioth, +bugs, +ftp, +packages, +security, +volatile, +www) +will follow at a later date. + +We are using bind 9.6 for [NSEC3](http://www.nsec3.org/) support and +[our](http://db.debian.org/git/Net-DNS-SEC-Maint-Key.git/) +[fork](http://db.debian.org/git/Net-DNS-SEC-Maint-Zone.git/) +of RIPE's +[DNSSEC Key Management Tools](http://www.ripe.net/disi/dnssec_maint_tool/) +for managing our keys because we believe that it integrates nicely +with our +[existing DNS helper scripts](http://git.debian.org/?p=mirror/dns-helpers.git), +at least until something better becomes available. + +We will use NSEC3RSASHA1 with key sizes of 1536 bits for the KSK and +1152 bits for the ZSK. Signature validity period will most likely be +four weeks, with a one week signature publication period +(cf. [RFC4641: DNSSEC Operational +Practices](http://www.ietf.org/rfc/rfc4641.txt)). + +Zone keys rollovers will happen regularly and will not be announced in +any specific way. 
Key signing key rollovers will probably be announced +on the +[debian-infrastructure-announce](http://lists.debian.org/debian-infrastructure-announce/) +list until such time that our zones are reachable from a +[signed root](http://www.root-dnssec.org/). KSK rollovers for our own +child zones (www.d.o et al), once signed, will not be announced because +we can just put proper +[DS records](http://en.wikipedia.org/wiki/List_of_DNS_record_types#DS) +in the respective parent zone. + +See also: + +* [DNSSEC wikipedia page](http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions), +* [DNSSEC HOWTO, a tutorial in disguise (Olaf Kolkman, nlnetlabs)](http://www.nlnetlabs.nl/publications/dnssec_howto/index.html). + +Please direct questions or comments to either the debian-admin or, if +you want a more public forum, the debian-project list at +lists.debian.org. -- 2.20.1
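Review bot: The hunk tells readers that KSK rollovers will be announced on debian-infrastructure-announce and that trust anchors will go into ISC's DLV "in stages", but it never says where a validating resolver operator can fetch the current KSK (DNSKEY or DS form) and how to check its authenticity in the interval before the DLV entry or a signed root exists; without that, the announcement of a rollover is not actionable, so consider adding a sentence in the paragraph starting "Key signing key rollovers will probably be announced" that names the publication location for the trust anchors. Two wording fixes in the same region: "Zone keys rollovers will happen regularly" should read "Zone key rollovers", and "until such time that our zones are reachable" reads more naturally as "until such time as our zones are reachable". Earlier in the hunk, "and finally the debian.org will follow" is missing "zone" ("the debian.org zone will follow").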