Thanks for your interest in the matter!

There will be a PTG slot tomorrow at 15:00 UTC - https://etherpad.opendev.org/p/apr2024-ptg-designate
Please come and join the discussion around DNSSEC for Designate (or not).

See my comments and thoughts below ....


On 09.04.24 9:21 AM, Kees Meijs | Nefos wrote:
Why not use PowerDNS's automatic signing? It is able to transparently sign zones.

On 09.04.24 2:18 PM, Jeremy Stanley wrote:
BIND has automatic zone signing as well, for that matter. We use it
to sign the zones hosted from the opendev.org name servers. I even
use BIND's automatic functionality to provide DNSSEC for the domains
I host on my own personal name servers; I've never needed to manually
sign any of my zones.

Certainly BIND [1], Knot [2] and PowerDNS [3] all can do automatic signing and zone maintenance.

And following the bump-in-the-wire idea [4], they could simply do just that and sit between Designate mDNS and the actual secondaries. With catalog zones provisioning the zones, this could all be one happy DNS server family.
One downside is that the bump-in-the-wire signing server has to be made HA somehow to not introduce a SPoF. PowerDNS seems to cover this nicely with a replicated database [5]? How would that work for BIND? Manually create keys and distribute them to multiple DNS servers?

Maybe Designate could leverage some aspect of the multi-signer model and the MUSIC protocol ...
* https://blog.apnic.net/2023/06/22/testing-the-multi-signer-dnssec-model-in-bind-9/
* https://github.com/DNSSEC-Provisioning/music
but that's a whole rabbit hole in itself.



To me the main questions in relation to Designate then are:


1) Could there be any integration with the signer server(s) to support such setups?

The provisioning of DNS zones on the signer could just work via catalog zone, so not much to do there.
But how will the end user receive their zone's DS, DNSKEY or CDS, CDNSKEY records for them to configure in the parent zone [6]? Should this be something Designate would need to use its implementation-specific drivers for?
Or is there any way to make this implementation agnostic?

What could this look like without a single bump-in-the-wire signer? Could Designate create keys and distribute them to all the secondary DNS servers for them to use for inline-signing?


2) Why not implement DNSSEC signing (via some existing libraries)?

Implementing DNSSEC itself allows for "dumb" secondaries to just work.



Regards

Christian



[1] https://bind9.readthedocs.io/en/latest/dnssec-guide.html#enabling-automated-dnssec-zone-maintenance-and-key-generation
[2] https://www.knot-dns.cz/docs/2.6/html/configuration.html#automatic-dnssec-signing
[3] https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#dnssec-modes-of-operation
[4] https://bind9.readthedocs.io/en/latest/dnssec-guide.html#bump-in-the-wire-signing
[5] https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing
[6] https://bind9.readthedocs.io/en/latest/dnssec-guide.html#working-with-the-parent-zone
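As an added illustration of question 1) above (example code written for this page, not part of the mail, of Designate, or of any of the name servers cited): the implementation-agnostic piece is the DS record a parent needs, which is derived purely from the child's DNSKEY, so whoever holds the signed zone (a bump-in-the-wire signer, or Designate itself) can compute it and check a published CDS against it. The owner name and key bytes are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(rdata_text: str) -> bytes:
    """'257 3 13 <base64>' (zone-file presentation format) -> DNSKEY RDATA wire bytes."""
    flags, proto, alg, *key = rdata_text.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA, RFC 4034 appendix B (algorithms other than 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, dnskey_text: str) -> str:
    """DS RDATA (digest type 2 = SHA-256 over owner name + DNSKEY RDATA), RFC 4509."""
    rdata = parse_dnskey(dnskey_text)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"


def cds_matches_dnskey(owner: str, cds_text: str, dnskey_text: str) -> bool:
    """Does a CDS record published by the signer describe this DNSKEY? (RFC 7344)
    A parent, or Designate before pushing a DS upstream, should verify exactly this."""
    return [f.upper() for f in cds_text.split()] == ds_from_dnskey(owner, dnskey_text).split()


# Constructed sample: the key bytes are a placeholder pattern, not a real ECDSA P-256 key.
SAMPLE_OWNER = "Example.ORG."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(1, 65))).decode()

if __name__ == "__main__":
    print(SAMPLE_OWNER.lower(), "IN DS", ds_from_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY))
```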