This topic can now be closed - you had your chance :-)
DNSSEC Support for NetBox DNS
One of the things I was planning for this year was to provide DNSSEC support in NetBox DNS. Over the last few weeks, I considered ways to assess that issue and I must admit that I'm stuck in some sense. Some bullet points:
Signing/Key Management
IMHO it does not make much sense to have NetBox DNS handle the key storage, signing, key rotation etc. as this is normally done elsewhere for a number of reasons.
netbox-secrets plugin) and would still not solve a general use case as the requirements and solutions for key storage vary widely across enterprises.
Key Parametrisation
So my next approach was to include DNSSEC Key parameters such as the algorithm, key length, usage (ZSK/KSK/CSK), an NSEC3 flag etc. and make it possible to assign them to zones, as an input for automation mechanisms to control the generation of keys. That is a considerably lesser goal, but I'm not sure if it makes sense at all, so I thought I'd ask here.
For my part I currently use a boolean dynamic field "Enable DNSSEC" on Zone objects and that's fine. But if there are more sophisticated requirements out in the wild (that means you :-)) I'd like to know and see what I can do to make it easier.
Otherwise DNSSEC support might end up as an additional boolean field for zones, which looks pretty lame to me (but, as I said above, is fully sufficient for my case).