Every once in a while, for example once a year, the KSK for each zone needs to be rolled over. This involves communication with the parent zone, making it a little more complicated than internal-only procedures.
Making backups is a regular task. Recovering from a backup is only done when both Hardware Securite Modules (or HSMs) have lost their data; if only one got damaged, follow the procedure for HSM replacement.
These are a few general thoughts about procedures and checklists, before diving into the detail level required by some of them. In general, we see procedures as predefined steps that can satisfy a checklist without further thought for an operator with normal skills. Procedures can be helpful because they take the creativity (and anxiety) out […]
We are working towards a DNS signing system with various roles at a number of levels. At each of these levels we assign responsibilities, many of which will not be new to the people involved. We are not primarily worried about people with bad intentions (wihtin our organisation), so we do not split roles as […]
Our signer publishes signed zones through BIND. We found that updates to BIND can get lost if their succession is too quick; and we solved it.
This instruction explains how to setup DNSSEC validation with the BIND resolver for DNS. A companion article on Unbound also exists. Note that Unbound has been written for security from the ground up, and carries less history than BIND. Install. We used BIND 9.7.1-P2 on Debian Linux. Variations should work; there even is a prebuilt […]
This instruction explains how to setup DNSSEC validation with the Unbound resolver for DNS. A companion article on BIND also exists. Note that Unbound has been written for security from the ground up, and carries less history than BIND. Install. We used Unbound 1.4.5 on Debian Linux. Variations should work; there is even a prebuilt […]
In a previous post we addressed access control on the network level. This post will focus on access control in various ways on the signer machine. User access control The most basic – but nevertheless important – way of controlling access is by determining which users need access to the signer machine and the potentially […]