FreeBSD Manual Pages
opendnssec(7)                 OpenDNSSEC overview                opendnssec(7)

NAME
       OpenDNSSEC - making DNSSEC easy for DNS administrators

SYNOPSIS
       ods-control start | stop

       ods-enforcer subcommand...

       ods-signer [subcommand...]

DESCRIPTION
       OpenDNSSEC is a complete DNSSEC zone signing system which maintains
       stability and security of signed domains.  DNSSEC adds many
       cryptographic concerns to DNS; OpenDNSSEC automates those to allow
       current DNS administrators to adopt DNSSEC.

       Domain signing is done by placing OpenDNSSEC between the place where
       the zone files are edited and where they are published.  The current
       version of OpenDNSSEC supports files and AXFR to communicate the zone
       data; effectively, OpenDNSSEC acts as a "bump in the wire" between
       editing and publishing a zone.

       OpenDNSSEC has two daemons, which are started and stopped together
       through the ods-control(8) command.  The two daemons in turn invoke
       other programs to get their work done.

       One of the daemons is the KASP Enforcer, which enforces policies that
       define security and timing requirements for each individual zone.
       Operators tend to interact with the KASP Enforcer a lot, through the
       ods-enforcer(8) command.

       The other daemon is the Signer Engine, which in turn signs the zone
       content.  It retrieves that content from a file or through AXFR, and
       publishes a signed version of the zone into a file or through AXFR.
       Direct interaction with the Signer Engine, although not normally
       necessary, is possible through the ods-signer(8) command.

       The keys that sign the zones are managed by an independent repository,
       which is accessed over a PKCS #11 interface.  Although the principal
       idea of this interface is to give access to cryptographic hardware,
       there are also implementations in software.  Implementations range
       from open to commercial, and from very simple to highly secure.  By
       default, OpenDNSSEC is configured to run on top of a SoftHSM, but a
       few other commands exist to test any Hardware Security Module that
       may sit under the PKCS #11 API.

OPERATIONAL PRACTICES
       The approach used by OpenDNSSEC follows the best current practice of
       two kinds of key per zone:

       KSK or Key Signing Key
              This key belongs in the apex of a zone, and is referenced in the
              parent zone (quite possibly a registry) in the form of DS
              records alongside NS records.  These parent references function
              as trust delegations.

              The KSK is usually a longer key, and it could harm the
              efficiency of secure resolvers if all individual resource
              records were signed with it.  This is why it is advisable to
              use the KSK only to sign the ZSK.

              In DNS records, the KSK can usually be recognised by having its
              SEP (Secure Entry Point) flag set.

       ZSK or Zone Signing Key
              This key also belongs in the apex of a zone, and is actually
              used to sign the resource records in a zone.  It is a shorter
              key, for reasons of efficiency, which is rolled over on a fairly
              regular basis.  To detach these rollovers from the parent, the
              ZSK is not directly trusted by the parent zone, but instead its
              trust is established by way of a signature by the KSK on the
              ZSK.

       OpenDNSSEC is mindful about the period of validity of each key, and
       will roll over in time to keep the domain signed, with new keys,
       without any downtime for the secure domain.  The only thing that is
       not standardised, and thus cannot be automated at the moment, is the
       interface between a zone and its parent, so this has to be done
       manually, or scripted around OpenDNSSEC.
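       As an added example (not part of this manual page or of the OpenDNSSEC
       project), the following Python recognises the KSK by its SEP flag, as
       described under KSK above, and derives the DS record that the parent
       zone needs, i.e. the zone-to-parent hand-off that the text above says
       must be done manually or scripted.  The DNSKEY records are constructed
       sample data, not real keys.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY records (owner, flags, protocol, algorithm, key) for a
# KSK (flags 257 = ZONE|SEP) and a ZSK (flags 256 = ZONE); not real keys.
SAMPLE_DNSKEYS = [
    ("example.com.", 257, 3, 13, base64.b64encode(bytes([0, 1, 2, 3])).decode()),
    ("example.com.", 256, 3, 13, base64.b64encode(bytes([9, 8, 7, 6])).decode()),
]

SEP_FLAG = 0x0001  # Secure Entry Point bit of the DNSKEY flags (RFC 4034)


def is_ksk(flags):
    """A KSK is recognised by its SEP flag, as the man page describes."""
    return bool(flags & SEP_FLAG)


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag of RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6."""
    if name == ".":
        return b"\x00"
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(name, flags, protocol, algorithm, pubkey_b64):
    """DS presentation form: key tag, algorithm, digest type 2 (SHA-256), hex digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()
    return f"{name} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


def ds_records_for_ksks(dnskeys):
    """Only KSKs go to the parent; ZSKs are trusted via the KSK's signature."""
    return [ds_record(*key) for key in dnskeys if is_ksk(key[1])]
```

       The ZSK in the sample set produces no DS record, which is exactly the
       decoupling from the parent that lets ZSK rollovers proceed without any
       registry interaction.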

SEE ALSO
       ods-control(8), ods-enforcerd(8), ods-enforcer(8), ods-hsmspeed(1),
       ods-hsmutil(1), ods-kaspcheck(1), ods-kasp(5), ods-signer(8),
       ods-signerd(8), ods-timing(5), http://www.opendnssec.org/

AUTHORS
       OpenDNSSEC was made by the OpenDNSSEC project, to be found on
       http://www.opendnssec.org/

OpenDNSSEC                       February 2010                   opendnssec(7)
