DNSSEC Generating Zone Key hanging
Mark Elkins
mje at posix.co.za
Sun Apr 22 16:03:42 UTC 2012
On Sun, 2012-04-22 at 16:31 +0100, Damian Myerscough wrote:
> Thanks a lot, I have now resolved this issue. However, I was following
> the DNSSEC in 6 minutes guide [1]
> for learning purposes and I have followed all the steps up to "you are
> now serving DNSSEC signed zones".
Reading the presentation - which dates itself....
Slide 16, rather use
dnsseckeygen -a RSASHA256 -b 1024 -n ZONE zonename (for ZSK)
Slide - 18: Also use RSASHA256 for the KSK. I personally use just 2048
bits for the KSK.
This avoids you having to do an algorithm rollover - which is a royal
pain in the proverbial. Its also what the 'root' uses.
('dig @i.root-servers.net. . dnskey' gives:
'DNSKEY 257 3 8' - and - 'DNSKEY 256 3 8')
The '8' part is algo RSASHA256, you probably have a '5' there.
--
. . ___. .__ Posix Systems - (South) Africa
/| /| / /__ mje at posix.co.za - Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4007 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20120422/f00446cf/attachment.bin>
More information about the bind-users
mailing list