Download Latest Version DSKM-1.0.tar.gz (96.5 kB)
Email in envelope

Get an email when there's a new version of DSKM

Home
Name Modified Size InfoDownloads / Week
README 2012-08-21 8.5 kB
DSKM-1.0.tar.gz 2012-08-21 96.5 kB
DSKM-1.0rc3.tar.gz 2012-06-17 95.6 kB
DSKM-1.0rc2.tar.gz 2012-06-13 95.3 kB
DSKM-1.0rc1.tar.gz 2012-05-31 95.7 kB
Totals: 5 Items   391.6 kB 1
DSKM DNSsec Key Management
 
 Copyright (c) 2012 Axel Rau, axel.rau@chaos1.de

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.


Purpose:
    DNSsec key management add-on to ISC bind 9.9.x for zones with
        auto-dnssec maintain;
        inline-signing yes;
    .Creates and deletes keys, submits delegation signer (DS) resource records
    or public DNSKEYs to parent.
    Zones may be local, public or reverse (IP4 or IP6).

Requirements:
    bind 9.9.1+ http://www.isc.org/software/bind
    python 3.2+ http://www.python.org/download/
    pycrypto    http://www.pycrypto.org/
    dnspython   http://www.dnspython.org/
    script      http://lamb.cc/script/

Installation:
    After installation of the required software, unpack the DSKM tar archive.
    Move the file dnssec_key_maintenance.py and the directory DSKM to the place
    where your cron scripts live.
    Query usage of the main program at top level:
    
    root# python3 dnssec_key_maintenance.py -h
    Usage: dnssec_key_maintenance.py [options]
    
    Purpose: Do maintenace of DNSsec keys.
     Create and delete them as necessary.
    Submit/cancle DS-RR to/at parent registrar.
    
    Options:
      -h, --help            show this help message and exit
      -c, --cron            Run as cronjob. Each run increments timeout timer.
      -v, --verbose         
      -d, --debug           
      -s STOPSIGNINGOFZONE, --stopSigningOfZone=STOPSIGNINGOFZONE
                            Initiate procedure to make a zone unsigned. Argument
                            is zone name.
      -f, --force           Force deletion of keys (ignore delete time) while
                            stopping signing of zone
      -r, --registrar_status
                            Query list of completed and pending requests of all
                            registrars and terminate
      -q QUERY_STATUS, --query_status=QUERY_STATUS
                            Give detailed registrar result status about <request-
                            id>.

Configuration:
    named.conf  DSKM requires all managed zones to share a common root.
                There is one directory per zone, which contains zone file,
                keys, bind journal files and DSKM config and status files, e.g.:
                    /var/named/master/signed/example.com
                    /var/named/master/signed/sub.example.com
                Corresponding named.conf fragments could look like:
                    options {
                        dnssec-enable yes;
                        dnssec-validation yes;
                        directory "/var/named";
                        ...
                    }
                    
                    zone "example.com" IN {
                        type master;
                        file "master/signed/example.com/example.com.zone";
                        key-directory "master/signed/example.com/";
                        auto-dnssec maintain;
                        inline-signing yes;
                        allow-query {
                            any;
                        };
                    };
                    
                    zone "sub.example.com" IN {
                        type master;
                        file "master/signed/sub.example.com/sub.example.com.zone";
                        key-directory "master/signed/sub.example.com/";
                        auto-dnssec maintain;
                        inline-signing yes;
                        allow-query {
                            any;
                        };
                    };
    
    zone file   In case you have a local subdomain, insert something like
                    sub                 IN  NS  localhost.
                    $include "master/signed/example.com/sub.example.com.ds"
                The included file must be empty (will be updated by DSKM).
                Local domain, means an internal domain with local trust anchor
                ("Registrar = Local" in example.com/dnssec-stat-example.com - see below)
                
    DSKM/conf.py
                Please review the DSKM config file carefully:
                master A
                    A list IPs where the (hidden) master may be reached by the script
                external_secondaries
                    A list of NS addresses of your public secondaries
                external_recursives
                    A list of NS addresses of public, validating NS
                registrar
                    Dict of dicts with account data, one per registrar.
                    Initially implemented is
                        Joker for Joker.com see http://www.joker.com and
                        Ripe (not really a registrar, but European
                            Regional Internet Registry)
                        (Names must be written literally as above)
                sender, recipients, mailRelay for alarming mails, if run as cron job.
                ROOT_PATH
                    root of zone directories
                
                The other timing and crypto constants should be self explaining.
		The key timing constants are 'sticky': Changing them in DSKM/conf.py
		does not affect active zones.
		The secure way to apply changed timing data to active zones would be
		to stop signing and start over with a vanilla conf file ( see below).
        
    example.com/dnssec-conf-example.com
                If you run the script with an empty zone directory (example.com),
                it creates 2 files there:
                    example.com/dnssec-conf-example.com
                    example.com/dnssec-stat-example.com
                You must then put the zone file there and edit the dnssec-conf-*
                file, which initial content is:
                    {
                        "Registrar": "Local", 
                        "Method": "unsigned"
                    }
                'Registrar' may be one of 'Local', 'by hand', 'Joker' or 'Ripe'.
                	'Local' is zone with local trust anchor (private net etc.)
                	'by hand' is zone for which handover of DS-RR/DNSKEY-RR to
                		parent is done by human on behalf of an email sent by DSKM.
                'Method must be changed to 'NSEC' (currently only).
                If you then run the script, it will create the initial keys and
                named will start signing the zone:
        root# python3 dnssec_key_maintenance.py -v
        [Scanning /var/named/master/signed]
        [Working at 2012-05-31T15:01:33.932455 on example.com (com )]
        Generating key pair..............+++ ...........+++ 
        [Key Kexample.com.+008+26482.key created.]
        [example.com/KSK/26482/-1(A:2012-05-31T15:01:33, I:2012-06-02T15:01:33, D:2012-06-03T15:01:33)]
        Generating key pair.....................++++++ .............++++++ 
        [Key Kexample.com.+008+27330.key created.]
        [example.com/ZSK/27330/-1(A:2012-05-31T15:01:34, I:2012-06-01T15:01:34, D:2012-06-02T15:01:34)]
        [State transition of example.com/KSK from -1 to 0(KSK1 created) after 0 retries]
        [State transition of example.com/ZSK from -1 to 0(ZSK1 created) after 0 retries]
        root# 
                Debug- and informal messages are in square brackets, warnings start with '%' and
                errors start with '?'.
                The 3 timestamps per key are Active (start signing with this key), 
                Inactive(stop using this key for sigs) and Delete (remove key from DNSKEY rset).
    
    crontab:    Something like
                    # hourly DNSsec key maintenance
                    55  *   *   *   *   root    /usr/local/bin/python3 \
                    /usr/local/cronscripts/dnssec_key_maintenance.py \
                    -v -c >>/var/log/DSKM/dnssec_key_maintenance.log >&1
                will do.
                
Source: README, updated 2012-08-21