Root Zone Keys


As stated on the project page, the root keys are used to sign the root zone. These keys need to be generated on the server. Before this is done, a directory structure needs to be agreed upon to store the keys in; this directory will have 700 permissions. Currently I propose /etc/bind/dnssec/ with the zsk and ksk directories inside.

The root keys need to be generated on ns0. The difficulty, given how distributed OpenNIC is, is establishing trust in the actual creation of the keys. To address this I propose that the key generation be done in a shared (multi-user) screen session so that it is witnessed. Once the keys are created, a flat file called CREATED will be written containing the date the keys were generated; a script will then use this file to email the admins when the keys approach their expiry date. The members who would witness are Brian and Jeff. Below are the commands that will be run to create the keys.

In the zsk dir:
dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE .

In the ksk dir:
dnssec-keygen -r /dev/urandom -a RSASHA1 -b 4096 -n ZONE -f KSK .

DNSSEC keys need to be regenerated every 3 to 6 months. The frequency we will follow is undecided at this point. To regenerate, we will follow the same procedure we used to create the keys.
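The steps above (directory layout with 700 permissions, the two dnssec-keygen commands, the CREATED stamp, and the expiry reminder) can be tied together in one script. The following is an added example, not OpenNIC's own tooling: it assumes the proposed base directory /etc/bind/dnssec (overridable through KEY_BASE), stores the generation time in CREATED as a human-readable UTC line followed by epoch seconds so that the age check does not depend on GNU date -d, treats the regeneration interval and warning lead time as parameters because the page leaves the frequency undecided, and uses a placeholder admin mailing list. The dnssec-keygen invocations are exactly the ones listed above and are skipped when BIND's tools are not installed.

```shell
#!/bin/sh
# Added example (not the project's own script): root zone key directory setup,
# key generation, CREATED stamp and regeneration reminder. Assumptions are
# marked where they appear.

KEY_BASE="${KEY_BASE:-/etc/bind/dnssec}"   # proposed on the page; override for testing

# Create base/, base/zsk and base/ksk, each mode 700 (owner-only access).
setup_key_dirs() {
    base="$1"
    for d in "$base" "$base/zsk" "$base/ksk"; do
        mkdir -p "$d"
        chmod 700 "$d"
    done
}

# Run the two dnssec-keygen commands from the page inside their directories.
# Only runs when BIND's dnssec-keygen is installed; otherwise returns 2.
generate_root_keys() {
    base="$1"
    if ! command -v dnssec-keygen >/dev/null 2>&1; then
        echo "dnssec-keygen not found; skipping key generation" >&2
        return 2
    fi
    (cd "$base/zsk" && dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE .)
    (cd "$base/ksk" && dnssec-keygen -r /dev/urandom -a RSASHA1 -b 4096 -n ZONE -f KSK .)
}

# Write CREATED: line 1 is a readable UTC timestamp for humans, line 2 is
# epoch seconds for scripts (format is this example's choice, not the page's).
stamp_created() {
    base="$1"
    now=$(date +%s)
    printf '%s\n%s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" "$now" > "$base/CREATED"
    chmod 600 "$base/CREATED"
}

# Whole days elapsed since the CREATED stamp; an optional second argument
# supplies "now" as epoch seconds so the arithmetic can be checked offline.
days_since_created() {
    base="$1"
    now="${2:-$(date +%s)}"
    created=$(sed -n '2p' "$base/CREATED")
    echo $(( (now - created) / 86400 ))
}

# Classify key age against the agreed interval: prints ok, warn or expired.
# max_days is the regeneration interval (90 or 180 for the 3-6 months on the
# page), warn_days is how far ahead of it the admins should be reminded.
key_age_status() {
    age="$1"; max_days="$2"; warn_days="$3"
    if [ "$age" -ge "$max_days" ]; then
        echo expired
    elif [ "$age" -ge $(( max_days - warn_days )) ]; then
        echo warn
    else
        echo ok
    fi
}

# Cron-style reminder: mail the admins when regeneration is near or overdue.
# Assumes a working local mail(1); the recipient list is a placeholder.
notify_if_due() {
    base="$1"; max_days="$2"; warn_days="$3"
    recipients="${4:-dnssec-admins@example.invalid}"
    age=$(days_since_created "$base")
    status=$(key_age_status "$age" "$max_days" "$warn_days")
    [ "$status" = ok ] && return 0
    printf 'Root zone DNSSEC keys in %s are %s (age %s days, limit %s days)\n' \
        "$base" "$status" "$age" "$max_days" \
        | mail -s "OpenNIC root keys: $status" "$recipients"
}

# Stand-alone demonstration in a scratch directory (no mail is sent).
demo=$(mktemp -d)
setup_key_dirs "$demo"
generate_root_keys "$demo" || true
stamp_created "$demo"
echo "CREATED stamp: $(sed -n '1p' "$demo/CREATED")"
echo "status after 0 days: $(key_age_status "$(days_since_created "$demo")" 90 14)"
rm -rf "$demo"
```

In production the demo block at the end would be replaced by a cron entry calling `notify_if_due "$KEY_BASE" 90 14` (or 180 once the interval is decided), and the regeneration run would repeat setup_key_dirs, generate_root_keys and stamp_created in the witnessed screen session, which resets the age counter.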