Automated DNSSEC (command line)
Casey Deccio
casey at deccio.net
Fri May 28 21:43:54 UTC 2010
On Fri, May 28, 2010 at 2:18 PM, Michelle Konzack <
linux4michelle at tamay-dogan.net> wrote:
> Hello DNSSEC Experts,
>
> I am ongoing to install 4 new Name Servers and increse my registrar and
> hosting service...
>
> OK, I have tried to make my own 4 domains with 16 zones signed and it
> took me one hour of my life!
>
> Since I have to re-sign the zones if something change it will give me
> headaches up to the end of my life, so my queston is:
>
> Is there a command line tool (or a daemon) which
> check for changes and re-sign the zone automated?
>
>
Yes, and you really should use one. The two most important things with
signed zones are that your signatures don't expire, and that the right
DNSSEC RRs are included in the zone. So not only does it need to be
resigned after changes (to include the proper DNSSEC RRs), but also
periodically make sure signatures don't expire. Here are a few of the tools
written for that purpose:
http://dnssec-tools.org/
http://www.opendnssec.org/
http://www.hznet.de/dns/zkt/
http://zonetool.sourceforge.net/
> I can not believe, that you are signing each zone by hand! :-D
>
> Can an expert please check 'dig ANY tamay-dogan.net' whether this is
> right?
>
>
Looks okay to me. Here's what your signed zone looks like visually:
http://dnsviz.net/d/tamay-dogan.net/dnssec/
Although, it looks like you perhaps didn't increment the zone serial, as
only one of your authoritative servers is running a signed version of the
zone.
Also I am not realy sure whether I need "dnssec-validation yes" in my
> "options".
>
>
No, this is only for resolvers that are validating answers, not
authoritative servers that are serving signed zones.
Of course, if you're using the server for both and you would like to enable
validation (i.e., of other signed zones), then you'll need to enable
validation and establish some trusted keys as anchors.
Regards,
Casey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20100528/915be220/attachment.html>
More information about the bind-users
mailing list