So I wrote about half of a big long tutorial post in my usual disjointed fashion, putting every other line down and then going back to fill in the gaps. I wanted to do something big and full of content, and I got impatient and wrote half, if not more, of a post before I realised I was doing it all wrong. Not technically wrong, but about the wrong technology.
I’ve spent the past week or so learning to wrangle DNSSEC and DANE (if you don’t know what those are, try their Wikipedia). I started with the basic BIND tools: `dnssec-signzone`, et al. Good, solid, industry standards. If you can’t use these, you can’t use anything. Unfortunately, they’re very basic, and require lots of support tooling and throwing command-line arguments everywhere to do more than sign a zone once.
So, I looked around to see if people had written any tooling. OpenDNSSEC looked promising, until I discovered it requires a MySQL backend for proper usage. Ilmatar runs PostgreSQL and I have no particular desire to install MySQL just for one app (as mentioned in my first post on this blog). Looking further, I found DNSSEC-Tools. DNSSEC-Tools is a collection of Perl scripts that I had serious trouble dissecting, but it looked reasonable — so I tried that.
DNSSEC-Tools is what most of my aborted post was written about. How to sign zones, manage keys, manage key rollover, and even a bit about getting it working in practical terms on a modern distro. It was a bit clunky, with lots of hidden pitfalls, and I just didn’t like how it fit with the rest of my system — it felt like running Windows 3.1 on a cutting-edge octocore SLI gaming machine — but it worked. And then I started writing a small section comparing and contrasting with documentation for other DNSSEC implementations.
Enter PowerDNS. I used PowerDNS for a few years at a previous job, and I was… ambivalent about it. It had that same outdated feel to me — which I have since learned was the fault of the frontend I was using. PowerDNS is, well… powerful. But it’s also simple. Enabling DNSSEC on PowerDNS is literally as simple as `pdnssec secure-zone celti.name` and your zone is signed. Not only that, it’s fast, and doesn’t use any more resources than the previous solution.
The domains celti.name and patrick.burroughs.name are now fully DNSSEC-enabled, running off PowerDNS as the authoritative master (and whatever Linode’s network uses for slaves). Instead of PowerAdmin, the PowerDNS frontend I’d learned to loathe, I’m using NSEdit. It’s fast, it’s secure, and it’s painless.
All that writing wasted, just for want of a little more patience. I could restart the tutorial, but the PowerDNS documentation is comprehensive and straightforward on the subject. Oh, well.
*[DNSSEC]: DNS Security Extensions
*[DANE]: DNS-based Authentication of Named Entities
*[BIND]: Berkeley Internet Name Daemon