DNSSEC Zone Key Tool
ZKT is a tool to manage keys and
signatures for DNSSEC-zones. The Zone Key Tool consist of
two commands:
- dnssec-zkt to create and list dnssec zone
keys and
- dnssec-signer to sign a zone and
manage the lifetime of the zone signing keys
Both commands are simple wrapper
commands around the dnssec-keygen(8) and dnssec-signzone(8)
commands provided by BIND 9.3/9.4/9.5.
They are designed to solve some (especially my) problems in
maintaining a few dnssec aware zones. Before any use of the
Zone Key Tools it’s highly recommended to read the
following documents:
There are some minor
requirements if you want to use the dnssec-signer
command for automated key management and signing of your
zone:
- Every zone config has to be in a separate directory,
named just like the zone
- The SOA-Record have to be
written in a special format (see
zonedir/example.net/zone.db)
This is not a requirement if you are using a BIND version of
9.4 (or greater) in conjunction with the unixtime soa serial
format (see option "Serialformat" in the
dnssec.conf file) - The
dnssec-signer command must be called at least every
resigning interval (best done with a small
script run by cron(8))
- An
automated KSK rollover is done if the parent zone is on the
same host and a hierarchical directory structure is used.
Otherwise the KSK rollover procedure is working in a
semi-automated fashion (use dnssec-zkt
--ksk-rollover for that)
- All the state about
keys, time of resigning and so on, will be stored in the
filesystem. There is no online checking or any other form of
alignment with the published keys.
- Support of views
is still experimental
The dnssec-zkt command is not
primary designed for environments with many secure zones.
However, some tests with round about 12000 zones, stored in
a two level directory structure
(zonedir/<firstletter>/<domain>) shows that this
could be a working scenario. I did some perfomance
improvements and change the internal data structure of the
’dnssec-zkt’ command from a single linked list
to a binary tree to speed things up.
There is an intro about ZKT
(0.96)
compilation and initial setup
on the .SE website.
The source code of ZKT stands
under the BSD License.
Manpages
Both commands use the
dnssec.conf config file.
Mailing List
Here you can
subscribe
to the zkt users mailing list.
Browse the
archive
of zkt-users.
Download
You can download the software at
sourceforge
or at the following links:
- zkt-0.99c.tar.gz (1.
Aug 2009) Support of named change root environments; bug
fixes; Config file syntax and install directory changed!
- zkt-0.98.tar.gz
(28. Dec 2008) Support of the new BIND 9.6.0 features NSEC3
and dynamic zone signing
- zkt-0.97.tar.gz
(5. Aug 2008) Licence changed to BSD; Compressed tar file;
Use of configure for compile time config settings; automated
KSK rollover
- zkt-0.96.tar
(19. June 2008) Better (error) logging; Support of RFC5011
- zkt-0.95.tar (19. Apr 2008) Not public released
- zkt-0.94.tar
(6. Dec 2007) Support of views
- zkt-0.93.tar
(1. Nov 2007) Basic support of revoke bit; KSK registration
disabled by default; New command dnssec-soaserial added
- zkt-0.92.tar
(1. Oct 2007) Unixtime serial number support
- zkt-0.91.tar
(1. Apr 2007) ksk-rollover added to dnssec-zkt; Experimental
support of dynamic zones
- zkt-0.90.tar
(6. Dec 2006) Automatic zsk rollover added; Long opt support
- zkt-0.70.tar
(11. Sep 2005) btree support added
- zkt-0.5.tar
(1. Apr 2005) First public release
For FreeBSD users there is a
port available at the
zkt port maintainer site
or via the official
FreeBSD ports
repository.
(Thanks to Frank Behrens for maintaining the port)
OpenBSD users will find a port
at
openports.se
(Thanks to Jakob Schlyter for maintaining the port)
ZKT is also contributed with the
BIND source code since BIND 9.6.0a1
Links
Last modified: 4. Aug 2009 22:15 MEST