Problem with DNSSEC signing zone
Spain, Dr. Jeffry A.
spainj at countryday.net
Fri Jul 20 12:25:23 UTC 2012
> 1. Generated KSK and ZSK
> 2. Added both keys at the end of my zone file
> 3. Signed my zone with the dnssec-signzone command
> 4. Enabled DNSSEC in named options
> 5. Changed the name of my zone in named to namezone.signed
> 6. Got the root DNSKEY RR set beforehand with the dig command and redirected the output to a root-dnskey file
> 7. Turned the DNSKEY into a DS RR set as well, with the dnssec-dsfromkey command.
Also consider simplifying the process as follows:
1. Generate KSK and ZSK, setting timing metadata so that they are published and active. See dnssec-keygen and dnssec-settime.
2. Place the key files in a key directory on your server.
3. Add to your zone configuration: key-directory "<path to key files>"; auto-dnssec maintain;
4. Generate DS records and provide them to your registrar.
Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
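Step 4 above (and step 7 of the original post) is where mistakes tend to go unnoticed: a DS handed to the registrar that does not correspond to the KSK actually published in the zone breaks the chain of trust for every validating resolver. The following Python is an added example, not code from the list post or from BIND; it re-implements what dnssec-dsfromkey computes (RFC 4034: key tag per Appendix B, DS digest over the canonical owner name followed by the DNSKEY RDATA) so the DS your registrar displays can be checked against the DNSKEY in your zone. The test vector is the IANA-published root KSK-2017 DNSKEY (flags 257, algorithm 8); substitute the DNSKEY your own dnssec-keygen produced. Digest type 2 (SHA-256) is assumed as the default, matching dnssec-dsfromkey's default.

```python
import base64
import hashlib
import struct

# Test vector, not from the list post: the IANA-published root KSK-2017
# public key (DNSKEY flags 257, protocol 3, algorithm 8 = RSA/SHA-256).
# Replace it with the DNSKEY your own dnssec-keygen produced.
ROOT_KSK_2017_PUBKEY = "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lower-cased labels, each length-prefixed, terminated by the root label."""
    owner = owner.rstrip(".").lower()
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in owner.split(".") if label)
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """Build the DS RR that dnssec-dsfromkey prints for this DNSKEY:
    digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    if digest_type not in DIGESTS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches_key(ds_line: str, owner: str, flags: int, protocol: int,
                   algorithm: int, pubkey_b64: str) -> bool:
    """Check a DS record in presentation format (e.g. copied from the registrar
    or from dig) against a DNSKEY. Tolerates optional TTL/class fields, case
    differences and a digest that dig has split across whitespace."""
    fields = ds_line.split()
    try:
        idx = fields.index("DS")
        tag, alg, dtype = (int(f) for f in fields[idx + 1:idx + 4])
        digest = "".join(fields[idx + 4:]).upper()
        expected = ds_record(owner, flags, protocol, algorithm, pubkey_b64, dtype).split()
    except (ValueError, IndexError):
        return False  # malformed DS line or unsupported digest type
    return [tag, alg, dtype, digest] == [int(expected[3]), int(expected[4]),
                                         int(expected[5]), expected[6]]


if __name__ == "__main__":
    print(ds_record(".", 257, 3, 8, ROOT_KSK_2017_PUBKEY))
```

In practice the check is run against the DNSKEY as published in the zone (dig DNSKEY for the zone, take the 257-flag record), not against the key file on disk, because it is the published key that resolvers will hash when they walk the chain from the parent's DS. A DS that passes this check but still fails validation points at a problem elsewhere (the parent has not yet published the DS, or the signatures expired because the timing metadata from step 1 was not set).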