How to validate DNSSEC signed record with dig?

William Thierry SAMEN thierry.samen at gmail.com
Wed Feb 8 16:31:30 UTC 2012


Thank you very much for your help, I'm going to try it right now.

2012/2/8 Spain, Dr. Jeffry A. <spainj at countryday.net>

> William: In my tests of DNSSEC, I have used 'auto-dnssec maintain;'
> rather than explicitly signing the zone with dnssec-signzone. I believe I
> recall that you are using bind 9.8, so this should work for you as well.
> Here's something you can try:
>
> In your bind configuration use the following zone stanza:
> zone "toto.com" {
>        type master;
>        file "/var/lib/bind/toto.com/toto.com.db";
>        key-directory "/var/lib/bind/toto.com";
>        auto-dnssec maintain;
> };
>
> You will probably want to add some access control to this as well.
>
> Now in the directory /var/lib/bind/toto.com (or the directory of your
> choice as long as it is specified in the configuration above), place all of
> your *.key and *.private files. Also place your unsigned zone file
> toto.com.db with contents as follows (Omit the DNSSEC info you currently
> have at the bottom):
>
> $ORIGIN .
> $TTL 17200      ; 4 hours 46 minutes 40 seconds
> toto.com.     IN SOA  ns10.boom.fr. postmaster.boom.com. (
>                                2012020802 ; serial
>                                216000     ; refresh (2 days 12 hours)
>                                3600       ; retry (1 hour)
>                                3600000    ; expire (5 weeks 6 days 16 hours)
>                                172800     ; minimum (2 days)
>                                )
>                        NS      ns.boom.fr.
>                        NS      ns2.boom.fr.
>                        A       217.128.32.85
> $ORIGIN toto.com.
> *                       A       217.128.32.85
>
> If you are running bind under a UID other than root, make sure all the
> files are readable, and that the zone file is writable, by that UID.
> Restart the bind service, and bind will sign your zone using the keys you
> have provided as long as their metadata is timed appropriately, i.e.
> Publish and Activate dates are in the past, and Inactive and Delete dates
> in the future. To see the metadata, execute 'dnssec-settime -p all
> your_key_file_name.private'. If you need to change the timing metadata, use
> dnssec-settime again. See the ARM for details. Caution: dnssec-settime will
> 'chmod 600' your private key files.
>
> I have been successful with this approach, and hope it works well for you
> also. Jeff.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School
>
>


-- 
Cordialement.
Thierry *SAMEN.*
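The timing rule Jeff describes (Publish and Activate in the past, Inactive and Delete in the future) is easy to get wrong by hand, so here is an added example, not part of the original thread, that parses the output of 'dnssec-settime -p all' and lists why a key would not be used for signing. The key file name and the sample output are constructed for illustration; the date format assumes the ctime-style lines dnssec-settime prints.

```python
"""Check whether a key's timing metadata lets 'auto-dnssec maintain' sign with it."""
import subprocess
from datetime import datetime

# dnssec-settime prints one "<Field>: <date>" line per metadata value,
# with "UNSET" where no date has been assigned (format assumed here).
TIME_FMT = "%a %b %d %H:%M:%S %Y"

def parse_settime(output):
    """Return {field: datetime or None} from 'dnssec-settime -p all' output."""
    times = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        value = value.strip()
        times[field.strip()] = None if value == "UNSET" else datetime.strptime(value, TIME_FMT)
    return times

def signing_problems(times, now):
    """List the reasons auto-dnssec would not sign with this key at time 'now'."""
    problems = []
    for field in ("Publish", "Activate"):      # both must already have happened
        when = times.get(field)
        if when is None:
            problems.append(f"{field} is UNSET")
        elif when > now:
            problems.append(f"{field} is in the future ({when:%Y-%m-%d %H:%M})")
    for field in ("Inactive", "Delete"):       # neither may have happened yet
        when = times.get(field)
        if when is not None and when <= now:
            problems.append(f"{field} has already passed ({when:%Y-%m-%d %H:%M})")
    return problems

def check_key_file(private_key_path, now=None):
    """Run dnssec-settime on a real key file (e.g. Ktoto.com.+005+12345.private)."""
    out = subprocess.run(["dnssec-settime", "-p", "all", private_key_path],
                         check=True, capture_output=True, text=True).stdout
    return signing_problems(parse_settime(out), now or datetime.now())

# Constructed sample output: a key that is already active and never retires.
SAMPLE_OK = """Created: Wed Feb  8 10:00:00 2012
Publish: Wed Feb  8 10:00:00 2012
Activate: Wed Feb  8 10:00:00 2012
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
"""

if __name__ == "__main__":
    now = datetime(2012, 2, 8, 16, 31, 30)
    print(signing_problems(parse_settime(SAMPLE_OK), now) or "key is eligible for signing")
```

Run check_key_file() against each .private file in the key-directory before restarting bind; an empty list means the key passes the timing test.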

