Procedure: Normal KSK rollover and parent sync

Written by Rick van Rein in category: Procedures, Resilience, Security

Every once in a while, for example once a year, the KSK for each zone needs to be rolled over. This involves communication with the parent zone, making it a little more complicated than internal-only procedures.

No Comments

Procedure: Key backup and recovery

Written by Rick van Rein in category: Crypto, Procedures

Making backups is a regular task. Recovering from a backup is only done when both Hardware Security Modules (or HSMs) have lost their data; if only one got damaged, follow the procedure for HSM replacement.

No Comments

Thoughts on procedures and checklists

Written by Rick van Rein in category: Procedures, Technical

These are a few general thoughts about procedures and checklists, before diving into the detail level required by some of them. In general, we see procedures as predefined steps that can satisfy a checklist without further thought for an operator with normal skills. Procedures can be helpful because they take the creativity (and anxiety) out […]

No Comments

Actor responsibilities towards DNSSEC

Written by Rick van Rein in category: Procedures, Security, Technical, Users

We are working towards a DNS signing system with various roles at a number of levels. At each of these levels we assign responsibilities, many of which will not be new to the people involved. We are not primarily worried about people with bad intentions (within our organisation), so we do not split roles as […]

No Comments

Reloading signed zones into BIND

Written by Rick van Rein in category: Procedures, Resilience, Technical, Timing

Our signer publishes signed zones through BIND. We found that updates to BIND can get lost if they follow each other too quickly; we solved it.

No Comments

HOWTO turn BIND into a Validating Resolver

Written by Rick van Rein in category: Procedures, Security, Technical, Users

This instruction explains how to set up DNSSEC validation with the BIND resolver for DNS. A companion article on Unbound also exists. Note that Unbound has been written for security from the ground up, and carries less history than BIND. Install. We used BIND 9.7.1-P2 on Debian Linux. Variations should work; there is even a prebuilt […]

2 Comments

HOWTO turn Unbound into a Validating Resolver

Written by Rick van Rein in category: Procedures, Security, Technical, Users

This instruction explains how to set up DNSSEC validation with the Unbound resolver for DNS. A companion article on BIND also exists. Note that Unbound has been written for security from the ground up, and carries less history than BIND. Install. We used Unbound 1.4.5 on Debian Linux. Variations should work; there is even a prebuilt […]

2 Comments

Access control (#2: the signer)

Written by Roland van Rijswijk in category: Architecture, Policy, Procedures, Security

In a previous post we addressed access control on the network level. This post will focus on access control in various ways on the signer machine. User access control The most basic – but nevertheless important – way of controlling access is by determining which users need access to the signer machine and the potentially […]

No Comments