Automated DNSSEC (command line)
Michael Sinatra
michael at rancid.berkeley.edu
Fri May 28 21:40:30 UTC 2010
On 05/28/10 14:18, Michelle Konzack wrote:
> Hello DNSSEC Experts,
>
> I am going to install 4 new Name Servers and increase my registrar and
> hosting service...
>
> OK, I have tried to make my own 4 domains with 16 zones signed and it
> took me one hour of my life!
>
> Since I have to re-sign the zones if something changes it will give me
> headaches up to the end of my life, so my question is:
>
> Is there a command line tool (or a daemon) which
> check for changes and re-sign the zone automated?
Check out zkt (http://www.hznet.de/dns/zkt/).
There are a few more involved tools out there, but zkt sounds like what
you want.
> I can not believe, that you are signing each zone by hand! :-D
*I'm* not. :) (I use a combination of zkt and the BIND tools in an
automated script.)
> Can an expert please check 'dig ANY tamay-dogan.net' whether this is
> right?
Looks good to me. The sigs seem to be within their validity interval,
but there doesn't appear to be a DLV record in dlv.isc.org, so I can't
validate. (Actually, I *could* snarf the ksk from the ANY query and
manually configure it as a trust anchor, but I am lazy. Moreover, that
won't tell us if something goes wrong if/when you publish a trust-anchor
DLV record or DS record, when NET becomes signed.)
> Also I am not really sure whether I need "dnssec-validation yes" in my
> "options".
For authoritative service, you don't need it. Only if you're running a
validating nameserver do you need it, and it's 'yes' by default in
recent versions of BIND. You still need to configure a trust anchor (or
anchors) if you want to do validation.
michael
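As an added illustration of the "check for changes and re-sign" loop discussed above (this is not Michael's script, which he only describes as a combination of zkt and the BIND tools, and not part of zkt), the POSIX shell script below re-signs a zone with BIND's dnssec-signzone when the unsigned zone file differs from the copy last signed, or when the earliest RRSIG in the signed file expires within RESIGN_DAYS. The directory layout (/var/named/zones, /var/named/keys), the use of dnssec-signzone's -S smart signing with -N increment to bump the SOA serial, and the rndc reload afterwards are all assumptions for the example.

```shell
#!/bin/sh
# Added example (not Michael's script): re-sign BIND zones with dnssec-signzone
# when the unsigned zone file changed or the existing signatures are close to
# expiry. Directory layout, key location and the reload command are assumptions.

ZONEDIR="${ZONEDIR:-/var/named/zones}"     # unsigned zone files, one per zone
KEYDIR="${KEYDIR:-/var/named/keys}"        # K<zone>+<alg>+<id>.{key,private}
STATEDIR="${STATEDIR:-$ZONEDIR/.sigstate}" # checksum of the input last signed
RESIGN_DAYS="${RESIGN_DAYS:-7}"            # re-sign when sigs expire within N days
SIGNZONE="${SIGNZONE:-dnssec-signzone}"    # overridable so a test can stub it
RNDC="${RNDC:-rndc}"

# SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
zone_checksum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Earliest RRSIG expiration (YYYYMMDDHHMMSS) in a signed zone file, or nothing.
# dnssec-signzone writes "name TTL IN RRSIG type alg labels origttl expiration ..."
# so the expiration is the fifth field after "RRSIG"; requiring "IN" before it
# skips the RRSIG type name that also appears inside NSEC type bitmaps.
earliest_expiry() {
    awk '{
        for (i = 2; i <= NF; i++)
            if ($i == "RRSIG" && $(i-1) == "IN") {
                e = $(i+5)
                if (length(e) == 14 && e ~ /^[0-9]+$/ && (min == "" || e < min)) min = e
            }
    } END { if (min != "") print min }' "$1"
}

# 0 when the unsigned zone has no recorded checksum or differs from it.
zone_changed() {
    state="$STATEDIR/$1.sha256"
    [ -f "$state" ] || return 0
    [ "$(cat "$state")" != "$(zone_checksum "$ZONEDIR/$1")" ]
}

# 0 when the signed zone is missing or its earliest RRSIG expires before $2.
sigs_expire_before() {
    signed="$ZONEDIR/$1.signed"
    [ -f "$signed" ] || return 0
    e=$(earliest_expiry "$signed")
    [ -z "$e" ] || [ "$e" -lt "$2" ]
}

# Sign one zone (smart signing from KEYDIR, SOA serial incremented) and, only
# on success, record the input checksum and reload the zone in named.
resign_zone() {
    zone="$1"
    file="$ZONEDIR/$zone"
    "$SIGNZONE" -S -K "$KEYDIR" -N increment -o "$zone" -f "$file.signed" "$file" || return 1
    mkdir -p "$STATEDIR"
    zone_checksum "$file" > "$STATEDIR/$zone.sha256"
    "$RNDC" reload "$zone"
}

# Cut-off for the expiry test: now + RESIGN_DAYS, in UTC (GNU date, then BSD date).
expiry_cutoff() {
    date -u -d "+$RESIGN_DAYS days" +%Y%m%d%H%M%S 2>/dev/null ||
        date -u -v+"${RESIGN_DAYS}d" +%Y%m%d%H%M%S
}

# Walk every unsigned zone file in ZONEDIR and re-sign the ones that need it.
check_all() {
    cutoff=$(expiry_cutoff)
    for file in "$ZONEDIR"/*; do
        [ -f "$file" ] || continue
        zone=${file##*/}
        case "$zone" in *.signed|.*) continue ;; esac
        if zone_changed "$zone" || sigs_expire_before "$zone" "$cutoff"; then
            resign_zone "$zone" && echo "re-signed $zone" || echo "FAILED $zone" >&2
        fi
    done
}

# Run the sweep only when invoked as "resign.sh run" (e.g. every hour from cron).
if [ "${1:-}" = "run" ]; then
    check_all
fi
```

Running it from cron with `resign.sh run` gives the unattended behaviour asked for in the question: an edit to a zone file is picked up on the next sweep, and an untouched zone is still re-signed before its signatures lapse. Recording the checksum only after dnssec-signzone succeeds means a failed signing run is retried on the next sweep rather than silently forgotten.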