Hi Christian,

I definitely think we should consider enhancing Designate to support DNSSEC. Bump-in-the-wire may be an interim solution, but I think we should pursue a native solution. This topic is on our PTG etherpad. We definitely can cover both topics. What time during our session works best for you?

Michael

On Tue, Mar 26, 2024 at 1:17 PM Christian Rohmann <christian.rohmann@inovex.de> wrote:
Hello,
I was wondering if anybody knew about the current state of DNSSEC signing for Designate-managed zones. Since Designate MDNS serves as the primary, it should actually do the signing / provide already-signed zones via zone transfers. Adding support for DNSSEC was last discussed for Kilo [1], but that spec was never finished, and DNSSEC support was never implemented.
One approach to do this is using a bump-in-the-wire signer [2][3][4] and having an intermediate BIND9 or Knot server do the signing. Has anybody implemented something of this kind? If so, how do your users receive their initial DS / DNSKEY for the parent zone?
Regards,
Christian
[1] https://review.opendev.org/c/openstack/designate-specs/+/132571
[2] https://bind9.readthedocs.io/en/latest/dnssec-guide.html#bump-in-the-wire-si...
[3] https://jpmens.net/2023/07/22/adieu-opendnssec-bienvenido-knot-dns/
[4] https://labs.ripe.net/author/anandb/dnssec-signer-migration/
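The last question in Christian's mail, how tenants get the DS record for the parent zone, comes down to deriving a DS from the DNSKEY the signer publishes and checking that the DS the parent actually installed matches it. The following is an added example, not code from Designate, BIND or Knot: it builds the DS digest exactly as RFC 4034 section 5.1.4 specifies (hash of the owner name in canonical wire form followed by the DNSKEY RDATA) and the key tag as in RFC 4034 Appendix B. The DNSKEY and owner name used in the example are constructed values, not real keys, and the presentation-format parser assumes the one-line layout `dig` prints.

```python
"""
Derive the DS record that a bump-in-the-wire signer's operator hands to the
parent zone (or to tenants), and verify that a DS received from a parent
matches the signer's published DNSKEY.

Added example; not Designate, BIND or Knot code. The DNSKEY data below is
constructed for illustration only.
"""
import base64
import hashlib
import struct
from typing import Tuple

# DS digest types in common use (IANA DS RR digest algorithm registry).
# SHA-1 (type 1) is deliberately absent: it must no longer be produced or accepted.
DIGEST_ALGS = {2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 s.2.1.2)")
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the full RDATA (ones-complement style 16-bit sum)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey: bytes, digest_type: int = 2) -> Tuple[int, int, int, str]:
    """Return (key tag, algorithm, digest type, hex digest) - the four DS RDATA fields."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_dnskey_presentation(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' as printed by dig on one line."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1: idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, proto, alg, pubkey


def ds_matches(owner: str, flags: int, proto: int, alg: int, pubkey: bytes,
               ds_tag: int, ds_alg: int, ds_digest_type: int, ds_digest: str) -> bool:
    """True if the DS the parent published was derived from this DNSKEY."""
    if ds_digest_type not in DIGEST_ALGS:
        return False  # unknown or deprecated digest type: treat as not matching
    got = ds_from_dnskey(owner, flags, proto, alg, pubkey, ds_digest_type)
    return got == (ds_tag, ds_alg, ds_digest_type, ds_digest.upper())


if __name__ == "__main__":
    # Constructed KSK (flags 257 = SEP bit set, algorithm 13 = ECDSAP256SHA256,
    # and a 4-byte placeholder in place of a real public key).
    sample = "example.org. 3600 IN DNSKEY 257 3 13 AQIDBA=="
    owner, flags, proto, alg, pubkey = parse_dnskey_presentation(sample)
    tag, a, dt, digest = ds_from_dnskey(owner, flags, proto, alg, pubkey)
    print(f"{owner} IN DS {tag} {a} {dt} {digest}")
```

In the bump-in-the-wire setup from the thread, the operator would run `ds_from_dnskey` over the KSK the signer publishes and give that DS to whoever controls the parent; a tenant who later queries the parent for the DS can feed both records to `ds_matches` to confirm the delegation really points at the signer's key before relying on it.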