Posted Sep 20, 2012 13:26 UTC (Thu) by job (guest, #670)
Parent article: LSS: DNSSEC
I am not convinced zone walking is a problem. You should not publish private data in DNS. But even if it is a problem, it is a solved problem since a few years back: Just generate NSEC3 records instead of NSEC when you sign your zone. This scheme returns the hash of the next existing secure record instead of the record itself. The client can check that a hash of the request falls inside this range.
OpenDNSSEC is probably great software but it is clearly geared toward larger hosting operations, when a large number of zones needs to be automated and your keys are in hardware storage. I find dnssec-signkey a bit more straightforward to use when you need to understand what you're doing. But there is an even easier way.
BIND has an auto-dnssec feature that can sign your zones and roll over signatures as needed. It is all done automatically. The drawback is that you need to store your keys on your DNS server, but for smaller or hobby operations that might not be so bad. In 9.9 you can do this with non-dynamic zones in inline-signing mode.
Just remember that DNSSEC is one more moving part that can break, and be sure to add checks to your Nagios (or equivalent) to make sure you get notified if your zone has passed the re-sign date (but before it expires).
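The NSEC3 mechanism described in the comment above, as an added worked example (not part of the original comment, and not code from OpenDNSSEC or BIND): it computes the RFC 5155 hashed owner name (SHA-1, salted, iterated, base32hex), builds the sorted NSEC3 chain a signer would emit for a small constructed zone, and performs the validator-side check that the hash of a nonexistent query name falls between one record's owner hash and its "next hashed owner name". The zone contents are constructed; the salt and iteration count are the ones used in the RFC 5155 appendix example so the first hash can be compared against that document.

```python
import hashlib

# Base32 with the Extended Hex alphabet (RFC 4648 section 7). Its ordering makes
# plain string comparison of hashed owner names equal to numeric comparison,
# which is what makes the NSEC3 range check work on the presentation form.
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name):
    """Canonical (lowercase) wire-format owner name: 'example.' -> b'\\x07example\\x00'."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)  # root label terminator
    return bytes(out)


def base32hex(data):
    """Unpadded base32hex encoding; a 20-byte SHA-1 digest becomes exactly 32 chars."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    value = int.from_bytes(data, "big") << pad
    nchars = (nbits + pad) // 5
    return "".join(B32HEX[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_hash(name, salt=b"", iterations=0):
    """Hashed owner name per RFC 5155 section 5 with hash algorithm 1 (SHA-1):
    H(wire_name || salt), then `iterations` further rounds of H(previous || salt)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def covers(owner_hash, next_hash, qhash):
    """True if qhash lies strictly between an NSEC3 record's owner hash and its
    next hashed owner name. The last record in the chain points back to the
    first, so that one record's range wraps around the end of the hash space."""
    owner_hash, next_hash, qhash = (s.lower() for s in (owner_hash, next_hash, qhash))
    if owner_hash < next_hash:
        return owner_hash < qhash < next_hash
    return qhash > owner_hash or qhash < next_hash


def build_chain(names, salt, iterations):
    """Sorted (owner_hash, next_hash) pairs, i.e. the NSEC3 chain a signer emits."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def denial_record(chain, qname, salt, iterations):
    """Validator-side check on an NXDOMAIN answer: return the NSEC3 record whose
    range contains the hash of the queried name, or None if the name actually
    exists (its hash is an owner hash) or no record covers it."""
    qhash = nsec3_hash(qname, salt, iterations)
    for owner_hash, next_hash in chain:
        if qhash == owner_hash:
            return None
        if covers(owner_hash, next_hash, qhash):
            return (owner_hash, next_hash)
    return None


if __name__ == "__main__":
    SALT = bytes.fromhex("aabbccdd")  # salt and iteration count as in RFC 5155 Appendix A
    ITERS = 12
    zone = ["example.", "a.example.", "ns1.example.", "ns2.example."]  # constructed zone
    chain = build_chain(zone, SALT, ITERS)
    for owner_hash, next_hash in chain:
        print(f"{owner_hash}.example. NSEC3 1 0 {ITERS} aabbccdd {next_hash}")
    print("nonexistent.example. is covered by:",
          denial_record(chain, "nonexistent.example.", SALT, ITERS))
```

Only hashes, not names, appear in the chain, which is what stops a client from walking the zone by following `next` pointers; a validator still learns exactly what it needs, namely that the queried name's hash sits in a gap between two signed hashes. Note that the hash is taken over the canonical (lowercase) wire form, so a query that differs only in case hashes identically.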
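The monitoring check the comment above recommends, as an added example (not from the original comment and not a Nagios or BIND plugin): it parses presentation-format RRSIG records of the kind `dig +dnssec` prints, finds the soonest-expiring signature, and returns Nagios exit codes, WARNING when the signature is inside the window in which the signer should already have re-signed and CRITICAL once it has expired. The input lines are constructed, and the 7.5-day warning threshold is an assumption to be set to the re-sign interval of the signer in use.

```python
import sys
from datetime import datetime, timedelta, timezone

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def utc(stamp):
    """Parse an RRSIG-style YYYYMMDDHHMMSS timestamp (RFC 4034) as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Return (owner, type_covered, expiration) for one presentation-format RRSIG line.
    RRSIG rdata order: type-covered alg labels orig-ttl expiration inception keytag signer sig."""
    fields = line.split()
    rdata = fields[fields.index("RRSIG") + 1:]
    return fields[0], rdata[0], utc(rdata[4])


def check_rrsigs(lines, now, warn_days):
    """Return (exit_code, message) judged on the earliest-expiring RRSIG in `lines`.
    `now` is passed in rather than read from the clock so the check is testable."""
    sigs = [parse_rrsig(l) for l in lines if "RRSIG" in l.split()]
    if not sigs:
        return UNKNOWN, "UNKNOWN: no RRSIG records in input"
    owner, covered, expiration = min(sigs, key=lambda s: s[2])
    remaining = expiration - now
    label = f"{owner} RRSIG({covered}) expires {expiration:%Y-%m-%d %H:%M} UTC"
    if remaining <= timedelta(0):
        return CRITICAL, f"CRITICAL: {label}, expired {-remaining} ago"
    if remaining < timedelta(days=warn_days):
        return WARNING, f"WARNING: {label}, only {remaining} left; zone was not re-signed"
    return OK, f"OK: {label}, {remaining} left"


# Constructed sample in the layout dig prints; signatures are truncated placeholders.
SAMPLE = [
    "example.com.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20120927120000 20120828120000 12345 example.com. AbCd...",
    "example.com.\t3600\tIN\tRRSIG\tNS 8 2 3600 20121005120000 20120905120000 12345 example.com. EfGh...",
    "example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2012092001 3600 900 1209600 300",
]

if __name__ == "__main__":
    # In a real check, feed it `dig +dnssec +noall +answer SOA example.com` output
    # on stdin instead of SAMPLE; the 7.5-day threshold is an assumption.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE
    code, message = check_rrsigs(lines, datetime.now(timezone.utc), warn_days=7.5)
    print(message)
    sys.exit(code)
```

Checking the minimum across all RRSIGs in the answer, rather than just the SOA's, matters because a signer that has stalled leaves every RRset's signature aging at once, and the first one to expire is the one that will make validating resolvers return SERVFAIL for the whole zone.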