How to validate DNSSEC signed record with dig?
William Thierry SAMEN
thierry.samen at gmail.com
Wed Feb 8 16:31:30 UTC 2012
Thank you very much for your help, I'm going to try it right now.
2012/2/8 Spain, Dr. Jeffry A. <spainj at countryday.net>
> William: In my tests of DNSSEC, I have used 'auto-dnssec maintain;'
> rather than explicitly signing the zone with dnssec-signzone. I believe I
> recall that you are using bind 9.8, so this should work for you as well.
> Here's something you can try:
>
> In your bind configuration use the following zone stanza:
> zone "toto.com" {
> type master;
> file "/var/lib/bind/toto.com/toto.com.db";
> key-directory "/var/lib/bind/toto.com";
> auto-dnssec maintain;
> };
>
> You will probably want to add some access control to this as well.
>
> Now in the directory /var/lib/bind/toto.com (or the directory of your
> choice as long as it is specified in the configuration above), place all of
> your *.key and *.private files. Also place your unsigned zone file
> toto.com.db with contents as follows (Omit the DNSSEC info you currently
> have at the bottom):
>
> $ORIGIN .
> $TTL 17200 ; 4 hours 46 minutes 40 seconds
> toto.com. IN SOA ns10.boom.fr. postmaster.boom.com. (
> 2012020802 ; serial
> 216000 ; refresh (2 days 12 hours)
> 3600 ; retry (1 hour)
> 3600000 ; expire (5 weeks 6 days 16 hours)
> 172800 ; minimum (2 days)
> )
> NS ns.boom.fr.
> NS ns2.boom.fr.
> A 217.128.32.85
> $ORIGIN toto.com.
> * A 217.128.32.85
>
> If you are running bind under a UID other than root, make sure all the
> files are readable, and that the zone file is writable, by that UID.
> Restart the bind service, and bind will sign your zone using the keys you
> have provided as long as their metadata is timed appropriately, i.e.
> Publish and Activate dates are in the past, and Inactive and Delete dates
> in the future. To see the metadata, execute 'dnssec-settime -p all
> your_key_file_name.private'. If you need to change the timing metadata, use
> dnssec-settime again. See the ARM for details. Caution: dnssec-settime will
> 'chmod 600' your private key files.
>
> I have been successful with this approach, and hope it works well for you
> also. Jeff.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School
>
>
--
Cordialement.
Thierry *SAMEN.*
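The key-timing rule in Jeff's reply (Publish and Activate in the past, Inactive and Delete in the future) is easy to get wrong by eye, so here is an added example, not part of this thread or of BIND, that parses `dnssec-settime -p all -u` output and reports which dates would keep named from signing. The sample output is constructed; the one-tag-per-line `Tag: value` format and the `-u` epoch-seconds flag are assumptions.

```python
import re
import subprocess
import time

# Constructed sample of `dnssec-settime -p all -u Ktoto.com.+005+12345.private`
# output (assumed format: one "Tag: <epoch seconds>" or "Tag: UNSET" per
# line); it is not captured from a real server.
SAMPLE_SETTIME_OUTPUT = """\
Created: 1328600000
Publish: 1328600000
Activate: 1328600000
Revoke: UNSET
Inactive: 1360000000
Delete: 1362000000
"""


def parse_settime(output):
    """Map each metadata tag to epoch seconds, or None when UNSET."""
    times = {}
    for line in output.splitlines():
        m = re.match(r"^\s*(\w+):\s*(\S+)", line)
        if m:
            tag, value = m.groups()
            times[tag] = None if value == "UNSET" else int(value)
    return times


def key_timing_problems(times, now):
    """Apply the rule from the reply: Publish and Activate must be in the
    past, Inactive and Delete (when set) in the future. Returns a list of
    problems; an empty list means the key is usable for signing now."""
    problems = []
    for tag in ("Publish", "Activate"):
        t = times.get(tag)
        if t is None:
            problems.append("%s is UNSET (set it with dnssec-settime)" % tag)
        elif t > now:
            problems.append("%s is %d s in the future" % (tag, t - now))
    for tag in ("Inactive", "Delete"):
        t = times.get(tag)
        if t is not None and t <= now:
            problems.append("%s passed %d s ago" % (tag, now - t))
    revoke = times.get("Revoke")
    if revoke is not None and revoke <= now:
        problems.append("Revoke date has passed")
    return problems


def check_key_file(path, now=None):
    """Run dnssec-settime on a real key file and evaluate its timing."""
    out = subprocess.check_output(["dnssec-settime", "-p", "all", "-u", path])
    return key_timing_problems(parse_settime(out.decode()), now or int(time.time()))


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_key_file(path) or "OK")
```

Run it against every `*.private` file in the key-directory before restarting named; any non-empty list explains why the zone stays unsigned.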