From: Gert van Dijk Date: Sun, 31 Mar 2019 17:25:21 +0000 (+0200) Subject: docs: Add 'hidden master' approach in DNSSEC security X-Git-Tag: rec-4.2.0-rc1~45^2~36 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=69e1e56a881295b2c51121dee14e0a422452932c;p=thirdparty%2Fpdns.git docs: Add 'hidden master' approach in DNSSEC security This approach is referred to in the public domain as well as once in the PowerDNS changelog, but not described in any way before this change. --- diff --git a/docs/dnssec/modes-of-operation.rst b/docs/dnssec/modes-of-operation.rst index 25525eb054..a92abbaf95 100644 --- a/docs/dnssec/modes-of-operation.rst +++ b/docs/dnssec/modes-of-operation.rst @@ -122,12 +122,15 @@ PowerDNS also serves the DNSKEY records in live-signing mode. Their TTL is derived from the SOA records *minimum* field. When using NSEC3, the TTL of the NSEC3PARAM record is also derived from that field. +.. _dnssec_presigned_records: + Pre-signed records ------------------ In this mode, PowerDNS serves zones that already contain DNSSEC records. -Such zones can either be slaved from a remote master, or can be signed -using tools like OpenDNSSEC, ldns-signzone, and dnssec-signzone. +Such zones can either be slaved from a remote master in online signing +mode, or can be pre-signed using tools like OpenDNSSEC, ldns-signzone, +and dnssec-signzone. Even in this mode, PowerDNS will synthesize NSEC(3) records itself because of its architecture. RRSIGs of these NSEC(3) will still need to diff --git a/docs/dnssec/operational.rst b/docs/dnssec/operational.rst index a0687bcfc6..f3cfce1ce7 100644 --- a/docs/dnssec/operational.rst +++ b/docs/dnssec/operational.rst 
@@ -203,6 +203,16 @@ In some settings, having such (private) keying material available online is considered undesirable. In this case, consider running in pre-signed mode. +A slightly more complex approach is running a *hidden* master in simple +online signing mode, but on a highly secured system unreachable for the +public. Internet-connected slaves can then transfer the zones pre-signed +from this master over a secure private network. This topology offers +substantial security benefits with regards to key material while +maintaining ease of daily operation by PowerDNS's features in online +mode. + +See also :ref:`dnssec_presigned_records`. + Performance -----------
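Review bot: In the modes-of-operation.rst hunk, "slaved from a remote master in online signing mode" narrows the statement more than the rest of the section supports: a slave serving pre-signed records only needs a master that hands it a zone already carrying DNSSEC records, whether that master signs online or was itself pre-signed with OpenDNSSEC, ldns-signzone or dnssec-signzone. Suggest "slaved from a remote master that serves signed zones (for example one running in online signing mode), or can be pre-signed using tools like ..." so the new `dnssec_presigned_records` label points at a definition that covers both cases.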
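Review bot: In the operational.rst hunk, the hidden-master paragraph leaves implicit the two properties that make the topology safer: the Internet-facing slaves must hold no private key material (they run in pre-signed mode, which is exactly what the trailing "See also" link describes), and zone transfers out of the hidden master must only be possible towards those slaves, otherwise the "unreachable for the public" claim rests on the private network alone. Suggest stating both explicitly, e.g. "The slaves run in pre-signed mode and hold no keys; restrict zone transfers from the hidden master to the slaves' addresses." Minor wording: "with regards to" should read "with regard to", and "by PowerDNS's features in online mode" reads better as "thanks to PowerDNS's online signing features on the master".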