Perl and new DNS zones

Gushi
3 min read · Apr 2, 2020

I spent today understanding the “best” way to deploy a DNS zone using perl for my own uses — I have a stealth primary and two public-facing secondaries. I’d like DNSSEC to work from day one with these domains, using BIND9’s standard stuff, and I’d like to pass knowledge of my zones to my secondaries via catalog zones. And I like eating dog food, so…

I threw out the idea of using rndc addzone for my new zones, because this doesn’t add your zone to a standard include file in a standard format (i.e. with my usual indentation), or comments. It is at least a human-readable file, but it’s got a weird name (which is a hash of the view name).

Thus, the process looked something like this:

  • Get the zonename.
  • Get the sha1-hash of the wire-format of the name, for use with catalog zones:
    use Net::DNS::DomainName;
    use Digest::SHA1 qw(sha1_hex);   # Digest::SHA (a core module) exports the same sha1_hex
    my $dn   = Net::DNS::DomainName->new($ARGV[0]);
    # canonical() returns the lowercased wire-format name, which is what catalog zones hash
    my $hash = sha1_hex($dn->canonical);
  • Write out a zonefile (using perl to generate an appropriate date-based serial number, YYYYMMDD00):
    my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
    my $serial = ($year + 1900) . sprintf('%02d', $mon + 1) . sprintf('%02d', $mday) . '00';
  • Write a config snippet on to the end of my named.conf, that looks (with better indenting) like:
    zone "zonename.com" {
        type master;
        file "/etc/namedb/m/zonename.com.hosts";
        key-directory "/etc/namedb/keys";
        inline-signing yes;
        auto-dnssec maintain;
    };
  • cd to my DNSSEC keys directory and generate two DNSKEYs.
  • Parse the output of dnssec-keygen so I have the filenames to fix their ownership. (I’m running as root, but there’s no way in dnssec-keygen to specify a key owner).
  • Call rndc reconfig to get named to load the zone.
  • Call rndc sign zonename to get DNSSEC going.
  • Do an nsupdate -l to add the appropriate $hash.zones.catalogzonename 3600 IN PTR zonename.com. record to my catalog zone.
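The hash and catalog-update steps above, as an added example that is not the author's library: it builds the wire-format name by hand (so no Net::DNS is needed, and the format the author wishes a "cataloghash" tool would hide is visible), uses the core Digest::SHA module, and assumes a catalog zone named catalog.example with the member zone given on the command line.

```perl
#!/usr/bin/perl
# Added example, not the author's code. Computes the catalog-zone member hash
# for a zone name and emits the nsupdate input that adds the member PTR record.
# The catalog zone name "catalog.example" is an assumption.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);   # core module; same sha1_hex as Digest::SHA1
use POSIX qw(strftime);

# Wire-format a domain name (RFC 1035 section 3.1): each label is one length
# byte followed by the label bytes, ending with the zero-length root label.
# Catalog zones hash the canonical (lowercased) form, so lowercase first and
# drop the trailing dot of a fully-qualified name.
sub wire_format {
    my ($name) = @_;
    $name = lc $name;
    $name =~ s/\.$//;
    my @labels = $name eq '' ? () : split /\./, $name;
    for my $l (@labels) {
        die "label too long: $l\n" if length($l) > 63;
    }
    return join('', map { chr(length $_) . $_ } @labels) . "\0";
}

# SHA-1 hex of the wire-format name: the label used under <catalog>.zones
sub catalog_hash { return sha1_hex(wire_format($_[0])) }

# Date-based serial, YYYYMMDD00, the same scheme as the author's sprintf chain
sub date_serial { return strftime('%Y%m%d', localtime) . '00' }

# nsupdate -l input that adds the member record to the catalog zone
sub catalog_update {
    my ($zone, $catalog) = @_;
    my $owner = catalog_hash($zone) . ".zones.$catalog";
    $zone =~ s/\.$//;
    return "update add $owner 3600 IN PTR $zone.\nsend\n";
}

my $zone = $ARGV[0] // 'zonename.com';
print STDERR "hash   : ", catalog_hash($zone), "\n";
print STDERR "serial : ", date_serial(), "\n";
print catalog_update($zone, 'catalog.example');
```

Run it as `perl cataloghash.pl zonename.com | nsupdate -l`; the hash and serial go to stderr so only the update text reaches nsupdate.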

I found a few fun glitches in this process.

First, if you do this process a couple of times, BIND will load those keys and stick them in .jnl and .jbk files that stick around even if you delete the keys, leading to an annoying process of blowing away all the journals and signed versions of the zone. I’ve raised this with a developer: there should be a simpler way to “reset” the keys of the zone.

Secondly, putting inline-signing yes; in the config is not enough to get a zone signed. It still takes an explicit “no, sign the thing” command (rndc sign), as you can see above.

Finding that there’s no way to tweak the owner of DNSSEC key files was annoying. (There are filesystem tricks I could do, but that’s a bit extreme).

And, honestly, bind9 could use a quick utility that generates the hash of a zonename — because not everyone knows how to easily put the name into wire format. Just as BIND ships with an “arpaname” utility, a “cataloghash” tool would be great. My experience has shown that you can actually use any label for your catalog zone name, but this wasn’t mentioned in the bind9 docs. Some of the internet drafts circulating will make the hashes less required, rather than more.

Overall, I wound up with a solid library of code that I can use both in my personal life as well as in my day job.

Gushi

Gushi/Dan Mahoney is a sysadmin/network operator in Northern Washington, working for a global non-profit, as well as individually.