hawaga.org.uk, I mentioned that signatures will expire after 30 days, and so I (or rather one of my computers) will need to re-sign the zone at least every month.
Basically I need to run the
dnssec-signzonecommand again, but there is some dancing around that needs to happen.
The most awkward was that I need to increment the zone serial number in the
SOArecord of my zone. Previously I've maintained this by hand, keeping it in format
YYYYMMDDNN(year, month, day, sequence-number-on-that-day). That format is quite appealing because even if I forget what number I got up to, I can wait a day and know that I have a number in sequence.
dnssec-signzoneoffers a couple of options for doing things to serial numbers, but neither was what I wanted: one will increment the input SOA by one, but I want to maintain a pristine source zone file; another will set the SOA to the number of seconds since the unix epoch. This changes the format away from what I want.
So I wrote a quick utility,
soatick, to generate zone serial numbers based on the current time and a state file, so that each invocation will generate a new serial number matching the format that I want:
$ ./soatick 2011010901 $ ./soatick 2011010902 $ ./soatick 2011010903
Now I'll use the
m4macro processor to put this in place before signing the zone:
export NEWSERIAL=$(/home/benc/src/soatick/soatick ) m4 -D___SERIAL___=$NEWSERIAL < db.hawaga.template > db.hawaga.generated /usr/sbin/dnssec-signzone -S -t -a -l dlv.isc.org -f db.hawaga.signed -o hawaga.org.uk db.hawaga.generated
I put the above in a script called from cron, and set it to run every week.
Now a weakness here is that I have to keep my signing key unpassworded and on a system connected to the internet. The zone-signing and key-signing key separation should help here, by allowing me to keep a more important key offline and a less important key online, but I haven't investigated it in any greater depth - perhaps I should...