dyne / gitzone

git-based zone management tool for static and dynamic domains
https://www.dyne.org/software/gitzone/
GNU Affero General Public License v3.0
117 stars, 20 forks

DNSSEC support #7

Open · parazyd opened this issue 5 years ago

parazyd commented 5 years ago

We should think about adding DNSSEC and zone signing support.

teadur commented 3 years ago

After the introduction of inline-signing (https://kb.isc.org/docs/aa-00626), is there still something blocking the use of DNSSEC with gitzone that I could be overlooking?

DNSSEC key generation sounds like the only thing that needs to be managed externally / implemented in gitzone.

jaromil commented 3 years ago

Isn't this CLI utility doing the keygen? https://linux.die.net/man/8/dnssec-keygen

teadur commented 3 years ago

> Isn't this CLI utility doing the keygen? https://linux.die.net/man/8/dnssec-keygen

Yep, that's correct. One possible solution to "support" DNSSEC would be to leverage dnssec-keygen to generate keys if they are missing for zones where DNSSEC is enabled; the question is whether gitzone should handle it or not.

jaromil commented 2 years ago

I think the best is to have gitzone list the zones:

  1. those without DNSSEC
  2. those with DNSSEC and keys
  3. those with DNSSEC but without keys in place

If such a list is easy to parse via scripts, then generation can be further scripted and an example can be included in the docs.

I guess this is the best way to make the function transparent and actions confirmed by administrators.

This issue is looking for a contributor, BTW; my knowledge of Perl is very scarce.
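A sketch of the three-way listing proposed in the comment above, added here as an example and not gitzone's own code. It assumes a BIND-style zone config where signing is turned on with `inline-signing yes;` or a `dnssec-policy`, and a key directory populated by dnssec-keygen with `K<zone>.+<alg>+<id>.key` / `.private` pairs; the config text and directory listing are constructed samples.

```python
import re

# Constructed sample of a BIND-style config (assumed format; gitzone's own layout may differ).
SAMPLE_CONF = """
zone "plain.example"  { type master; file "zones/plain.example"; };
zone "signed.example" { type master; file "zones/signed.example"; inline-signing yes; };
zone "nokeys.example" { type master; file "zones/nokeys.example"; inline-signing yes; };
zone "policy.example" { type master; file "zones/policy.example"; dnssec-policy default; };
"""

# Constructed key directory listing as dnssec-keygen populates it: K<zone>.+<alg>+<id>.key / .private pairs.
SAMPLE_KEYDIR = [
    "Ksigned.example.+013+12345.key", "Ksigned.example.+013+12345.private",
    "Kpolicy.example.+013+54321.key", "Kpolicy.example.+013+54321.private",
    "Knokeys.example.+013+11111.key",  # orphan: .private is missing, so not a usable pair
]

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{([^}]*)\}', re.S)  # nested blocks are not handled
KEY_RE = re.compile(r'^K(?P<zone>.+?)\.\+\d{3}\+\d{5}\.key$')

def dnssec_enabled(body: str) -> bool:
    """True if the zone statement turns on signing via inline-signing or a dnssec-policy."""
    if re.search(r'\binline-signing\s+yes\s*;', body):
        return True
    m = re.search(r'\bdnssec-policy\s+(\S+?)\s*;', body)
    return bool(m) and m.group(1).strip('"') != "none"

def zones_with_keys(keydir_listing) -> set:
    """Zone names that have at least one complete .key/.private pair in the key directory."""
    names = set(keydir_listing)
    found = set()
    for name in keydir_listing:
        m = KEY_RE.match(name)
        if m and name[:-len(".key")] + ".private" in names:
            found.add(m.group("zone"))
    return found

def classify(conf: str, keydir_listing) -> dict:
    """Split zones into: no DNSSEC, DNSSEC with keys, DNSSEC missing keys (sorted for scripts)."""
    keyed = zones_with_keys(keydir_listing)
    report = {"no_dnssec": [], "dnssec_with_keys": [], "dnssec_missing_keys": []}
    for zone, body in ZONE_RE.findall(conf):
        if not dnssec_enabled(body):
            report["no_dnssec"].append(zone)
        elif zone in keyed:
            report["dnssec_with_keys"].append(zone)
        else:
            report["dnssec_missing_keys"].append(zone)
    return {status: sorted(zones) for status, zones in report.items()}
```

Printing one `status<TAB>zone` line per entry of `classify(...)` gives the script-friendly output the proposal asks for, and the `dnssec_missing_keys` bucket is the one an administrator would feed to dnssec-keygen after confirming it.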