[Dnsmasq-discuss] Automatic DNSSEC-signing of resource records
Rene Bartsch
ml at bartschnet.de
Fri Sep 12 12:44:38 BST 2014
On 2014-09-12 10:17, Jeroen van der Ham wrote:
> Ah you mean you want to use DNSmasq to do the automatic translation
> from DHCP leases to DNS, and then automatically sign them. I would
> still advise you to use a secondary nameserver, unless you’re not
> running any mission-critical systems (in which case I think this is
> somewhat over the top)
You need secondary nameservers, of course. Secondary nameservers are
cheap or even for free. When I studied I was in a group of students each
running a root server as primary nameserver for his domain(s) and we
shared the root servers as secondary nameservers with each other.
> What I have trouble with though is that DNSSEC is not yet at a stage
> where it is easy to use. It certainly is still not easy to
> troubleshoot and pinpoint problems. This goes beyond having an easy
> interface to the DNS system itself, or automatic signing of records.
I'm running my three private domains with hosted DNSSEC without any
problem. The only drawback is my registrar does not provide DynDNS and
lacks some resource records - and Google Public DNS has a
wildcard-resolution bug. The main problem is registrars usually lack
important features for consumers, may it be DNSSEC, DynDNS for dynamic
IPs, IPv6 glue-records, some resource records or a usable interface for
consumers.
My dream is a consumer router at which the consumer just enters his
public domain name(s) and the hostnames/IP addresses of Dnsmasq
instances he wants to be secondary nameservers (and provide secondary
nameserver service for). The router would just display the secondary
nameserver hostnames/Glue-Records and the Zone-Signing-Key or DS-Key to
be sent to the registry via the registrar. As the Key-Signing-Keys are
kept on the router you just have to check if the registry publishes the
correct ZSK/DS-record to be sure your zone has not been tampered with.
The router can even scan the hosts in the LAN for services (e.g. TLS)
and add records automagically (e.g. TLSA-RRs for DANE). In expert mode
additional records could be added manually.
--
Best regards,
Renne
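An added example, not part of this post or of Dnsmasq, of the check described above: deriving the DS record from the router's KSK and comparing it with what the parent zone publishes for the domain (RFC 4034: key tag from Appendix B, DS digest over owner name in wire form plus DNSKEY RDATA). The zone name and the 64-byte key are constructed placeholders; the published DS text is assumed to come from a query against the parent's nameservers.

```python
import hashlib
import struct

# Constructed sample: a KSK (flags 257) for example.com. with a made-up
# 64-byte "public key" (not a real key). Algorithm 13 = ECDSAP256SHA256.
SAMPLE_NAME = "example.com."
SAMPLE_RDATA_FIELDS = (257, 3, 13, b"\x01" * 64)

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name (RFC 4034 s6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(name: str, rdata: bytes, digest_type: int = 2) -> dict:
    """DS for a DNSKEY: digest over owner name (wire) + DNSKEY RDATA (RFC 4034 s5.1.4).
    digest_type 2 = SHA-256, 4 = SHA-384 (the two types in current use)."""
    h = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": digest_type,
            "digest": h(name_to_wire(name) + rdata).hexdigest().upper()}

def parse_ds(presentation: str) -> dict:
    """Parse the RDATA of a DS line as a resolver prints it, e.g. '9262 13 2 ABCD...'."""
    tag, alg, dtype, *digest = presentation.split()
    return {"key_tag": int(tag), "algorithm": int(alg), "digest_type": int(dtype),
            "digest": "".join(digest).upper()}

def ds_matches_parent(local_ds: dict, published: dict) -> bool:
    """True only if the DS the parent publishes is exactly the one derived from our KSK."""
    return all(local_ds[k] == published.get(k)
               for k in ("key_tag", "algorithm", "digest_type", "digest"))

if __name__ == "__main__":
    rdata = dnskey_rdata(*SAMPLE_RDATA_FIELDS)
    ds = make_ds(SAMPLE_NAME, rdata)
    print(f"{SAMPLE_NAME} IN DS {ds['key_tag']} {ds['algorithm']} "
          f"{ds['digest_type']} {ds['digest']}")
```

A mismatch on any of the four fields means the registry is not publishing the DS you handed over, which is the tampering (or stale-key) condition the post wants the router owner to spot.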