OpenDNSSEC is a system for managing DNS zones. It takes unsigned zones and policies as input and produces and maintains DNSSEC-signed zones. OpenDNSSEC is responsible for signing, re-signing, key generation and key rollover, and for fetching unsigned zones from and distributing signed zones to nameservers.
The policies are defined in the KASP (Key And Signing Policy). A KASP describes the DNSSEC configuration for a zone, such as key algorithms and lengths, key lifetimes, and signature validity and refresh periods.
An OpenDNSSEC instance has three main components: the HSM, the Enforcer, and the Signer.
The HSM (Hardware Security Module) provides storage of cryptographic keys. Whenever data needs to be signed with one of its keys, that data is transferred to the HSM, signed there, and the signature is transferred back. This way the private key material never has to leave the device. OpenDNSSEC communicates with the HSM via PKCS#11 and should be compatible with any device implementing that interface. The OpenDNSSEC project also provides SoftHSM, an implementation of an HSM entirely in software behind the same PKCS#11 interface. If set up correctly, a real HSM provides better security (the private keys cannot be extracted from it) and better signing performance. SoftHSM keeps its keys as files on the host, so whoever controls that host controls the keys; if neither hardware key protection nor performance is critical, it is a good alternative.
The KASP Enforcer component manages the zones and their policies. It makes sure the keys a policy requires exist on the HSM and precisely instructs the Signer which keys to sign each zone with. It is responsible for all timing-related concepts in DNSSEC: it dictates when and in what order key rollovers happen, taking DNSKEY TTLs and propagation delays into account so that validators never see a signature for which they have no key. It is unaware of the contents of the zones but very aware of their state.
The Signer handles the actual zone data. It obtains unsigned zones either from files or over the network via zone transfer (XFR), signs them, and refreshes signatures on a regular basis before they expire. Signed zones are then written out as a file or served via XFR to a nameserver.