Adding a new domain with DNSSEC

Bjørn Mork bjorn at mork.no
Sun Apr 10 16:52:15 UTC 2022


"@lbutlr" <kremels at kreme.com> writes:

> On 2022 Apr 10, at 05:37, Bjørn Mork <bjorn at mork.no> wrote:
>> "@lbutlr" <kremels at kreme.com> writes:
>> 
>>> # dnssec-keygen -a 13 example.com
>>> # dnssec-keygen -f KSK -a 13 example.com
>>> 
>>> Add $INCLUDE to the zone file for each of these 4 keys.
>> 
>> 4? You've generated 2 key pairs. There should be only 2 public keys
>> included in the zone.
>
> Ah, right, of course. I knew it was something dumb.
>
>> But I can recommend the automated zone maintenance instead, either using
>> the modern "dnssec-policy":
>
> I do have that set, but getting the domain setup in the first place seemed to still be necessary.

Should not be required.  Keys will be generated and published according
to the policy, and the zone will be automatically signed.  See:
https://kb.isc.org/docs/dnssec-key-and-signing-policy

> Now to find the DS key...

If you use the default policy then you'll have a CDS record for your
upstream.

Or you can run

 dnssec-dsfromkey Kexample.com.+013+*.key


(replacing the input with your public KSK file, of course)


Bjørn
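To make the two points in this exchange concrete (two key pairs leave four files but only the two .key files are $INCLUDEd, and the DS record is derived from the public KSK), here is an added Python example. It is not code from this post or from BIND: it parses a dnssec-keygen-style public key file, computes the RFC 4034 Appendix B key tag, and builds the DS record that dnssec-dsfromkey prints for digest type 2 (SHA-256 over the canonical owner name followed by the DNSKEY RDATA). The key file text and its 64-byte key are constructed for the example (the bytes are a fixed pattern, not a real P-256 point, so the resulting tag 59409 belongs only to this sample), and every function name is my own.

```python
import base64
import hashlib

# Constructed sample: the text of a BIND public key file such as
# Kexample.com.+013+NNNNN.key.  The 64 key bytes are the pattern 0x00..0x3F,
# NOT a real ECDSA P-256 point; they only exercise the tag/digest arithmetic.
SAMPLE_PUBKEY_BYTES = bytes(range(64))
SAMPLE_KEY_FILE = (
    "; constructed key-signing key for example.com.\n"
    "example.com. IN DNSKEY 257 3 13 "
    + base64.b64encode(SAMPLE_PUBKEY_BYTES).decode()
    + "\n"
)


def parse_key_file(text):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) from a
    dnssec-keygen style .key file.  Lines starting with ';' are comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        idx = fields.index("DNSKEY")          # TTL/class may precede the type
        owner = fields[0]
        flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
        pubkey = base64.b64decode("".join(fields[idx + 4:]))
        return owner, flags, proto, alg, pubkey
    raise ValueError("no DNSKEY record found")


def dnskey_rdata(flags, proto, alg, pubkey):
    """DNSKEY RDATA in wire format: 2-byte flags, protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit ones'-complement-style sum of the
    RDATA, even-index bytes weighted by 256."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_wire_name(name):
    """Owner name in canonical wire format: lower-case labels, length-prefixed,
    terminated by the root label."""
    name = name.lower().rstrip(".")
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner, flags, proto, alg, pubkey):
    """Text of the DS RR for this DNSKEY with digest type 2 (SHA-256):
    digest = SHA-256(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = hashlib.sha256(canonical_wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"


def is_ksk(flags):
    """Flags 257 = zone key bit (256) plus SEP bit (1), i.e. a KSK;
    256 alone is a ZSK."""
    return (flags & 0x0100) == 0x0100 and (flags & 0x0001) == 1


def public_key_files(filenames):
    """dnssec-keygen leaves a .key and a .private file per key pair; only the
    .key files (the public halves) belong in the zone via $INCLUDE."""
    return [f for f in filenames if f.endswith(".key")]


if __name__ == "__main__":
    owner, flags, proto, alg, pubkey = parse_key_file(SAMPLE_KEY_FILE)
    kind = "KSK" if is_ksk(flags) else "ZSK"
    print(kind, "key tag", key_tag(dnskey_rdata(flags, proto, alg, pubkey)))
    print(ds_record(owner, flags, proto, alg, pubkey))
```

Feeding the real Kexample.com.+013+NNNNN.key file into parse_key_file gives the same DS that dnssec-dsfromkey -2 prints, which is a handy way to double-check what you are about to hand to the registrar; with a dnssec-policy in place, comparing that output against the zone's published CDS record confirms the automation has produced the key you expect.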

