KROd - the keyrollover daemon
KROd is a program that performs automatic DNSSEC key rollover and automatic conversion of a plain DNS zone into a DNSSEC-signed zone. Doing a KSK or ZSK rollover by hand can become quite complicated; KROd is there to automate that process. It has the following features:
- handles ZSK rollover
- handles KSK rollover, including secure communication with the parent server to request the keyset update (a KSK rollover is only complete once the parent publishes the new key data)
- most key/signing parameters can be specified to KROd
- a control channel à la zebra
- can be used to migrate a normal DNS zone to a DNSSEC zone quite easily (KROd does nearly all the key/signing jobs for you)
- can save and reread its configuration, which is useful when a crash occurs (note: at the moment KROd is not completely stateful, so a rollover in progress may need attention after a restart)
- it is highly experimental (this feature is the most interesting one)
- KROd works on BIND 9.3 configuration files and requires an RFC2535bis-aware (DNSSEC-bis) DNS server (NSD is also capable of this, but KROd does not yet handle that kind of configuration file).
- KROd uses DNSsecToolkit to perform DNSSEC-related operations, so you need what DNSsecToolkit requires:
- a working OpenSSL (BIND with DNSSEC already requires this)
- BIND 9.3 sources plus libbind compiled statically without libtool (the default behaviour) if your OS lacks reentrant resolver functions (res_nmkquery, etc.)
- a GCC with TLS support (thread-local storage via __thread, not Transport Layer Security) if you want TLS support; DNSsecToolkit provides a complete emulation if it is not found
- In its current state, a fairly good knowledge of DNSSEC is required to use KROd.
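Why a ZSK rollover is "quite complicated" is easier to see with the timing worked out. The following is an added example, not KROd's code or DNSsecToolkit's API (this page does not document how KROd sequences a rollover); it implements the pre-publish ZSK rollover described in RFC 6781 and then brute-forces every combination of cached DNSKEY RRset and cached RRSIG a resolver could hold, to check that no instant exists where data validates against a key the resolver cannot see. The TTLs and the propagation delay are constructed inputs.

```python
"""Pre-publish ZSK rollover timing (added illustration, not KROd code).

Assumes (constructed): a DNSKEY TTL, the largest TTL of any signed RRset,
and a worst-case propagation delay until every authoritative server serves
a new zone version. Keys are abstracted as the labels "old" and "new".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Timing:
    dnskey_ttl: int   # TTL of the DNSKEY RRset
    data_ttl: int     # largest TTL of any signed RRset in the zone
    propagation: int  # delay until all secondaries serve a new zone version


def prepublish_schedule(t: Timing, start=0):
    """Step -> time for a pre-publish ZSK rollover (RFC 6781 section 4.1.1.1)."""
    publish = start
    # Every resolver holding a DNSKEY RRset that lacks the new key must have
    # expired it before any data signed by the new key can be served.
    activate = publish + t.propagation + t.dnskey_ttl
    # Every cached RRSIG made by the old key must have expired before the
    # old key is removed from the DNSKEY RRset.
    retire = activate + t.propagation + t.data_ttl
    return {"publish": publish, "activate": activate, "retire": retire}


def zone_state(schedule, time):
    """Freshest zone version at `time`: (published DNSKEY set, signing key)."""
    if time < schedule["publish"]:
        return frozenset({"old"}), "old"
    if time < schedule["activate"]:
        return frozenset({"old", "new"}), "old"
    if time < schedule["retire"]:
        return frozenset({"old", "new"}), "new"
    return frozenset({"new"}), "new"


def served_states(schedule, time, propagation):
    """Zone versions a lagging authoritative server may still serve at `time`."""
    return {zone_state(schedule, s) for s in range(time - propagation, time + 1)}


def validates_everywhere(schedule, t: Timing, horizon):
    """Brute-force check over discrete time: for each instant, every DNSKEY
    RRset a resolver could have cached must contain the signer of every RRSIG
    it could have cached. Returns (True, None) or (False, first_bad_time)."""
    for now in range(horizon):
        dnskeys = {ds for f in range(now - t.dnskey_ttl, now + 1)
                   for ds, _ in served_states(schedule, f, t.propagation)}
        signers = {sk for f in range(now - t.data_ttl, now + 1)
                   for _, sk in served_states(schedule, f, t.propagation)}
        for ds in dnskeys:
            for sk in signers:
                if sk not in ds:
                    return False, now
    return True, None


if __name__ == "__main__":
    # Realistic constructed values, in seconds: 1h DNSKEY TTL, 1d data TTL,
    # 10 minutes for all secondaries to transfer the new zone.
    print(prepublish_schedule(Timing(dnskey_ttl=3600, data_ttl=86400, propagation=600)))
    # Small units so the exhaustive check is fast.
    small = Timing(dnskey_ttl=4, data_ttl=10, propagation=2)
    sched = prepublish_schedule(small)
    print(sched, validates_everywhere(sched, small, 40))
    # Activating the new key the moment it is published breaks validation.
    print(validates_everywhere(dict(sched, activate=0), small, 40))
```

The check is deliberately pessimistic: it assumes a resolver may combine a DNSKEY RRset fetched from one (possibly lagging) server with an RRSIG fetched from another at a different time, which is exactly the situation a rollover must survive. Shortening either waiting period by a single unit makes `validates_everywhere` report the first instant at which some resolver would see a signature from a key that is not in its cached DNSKEY RRset.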