DNSSEC basic information

Tony Finch dot at dotat.at
Tue Sep 24 10:03:31 UTC 2019


Mark Elkins <mje at posix.co.za> wrote:
>
> 2) When a Zone is signed, you will be given some DS Records - which need to be
> passed on for inclusion into the Parent Zone. Currently, BIND creates two DS
> keys.
> You'll find them inside "dsset-Zone.being.signed".

... if you are using dnssec-signzone, but I would not recommend that
because it is a lot more error-prone. Use `auto-dnssec maintain` in
`named` instead. If you like to edit zone files, also use `inline-signing`
(you don't need that if you just use dynamic updates).

Get the DS records for a zone using `dnssec-dsfromkey -2 -f <zonefile>
[zonename]`.

> 3) Adding "CDS" (Child versions of the DS record) into your zone is also a
> useful thing to do (I *think* BIND may do this automagically?)

You need to set the right timing parameters in the key files using
`dnssec-settime` so that CDS records are generated to match your rollover
timing. CDS records say what the DS records should be, so their timing
will generally not match the timing of KSK records.

The rollover bible is https://tools.ietf.org/html/rfc7583

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Portland, Plymouth, Biscay: West or southwest 5 to 7, occasionally gale 8
later except in Biscay. Moderate or rough, becoming rough or very rough,
occasionally high later in northwest Plymouth. Rain or thundery showers. Good,
occasionally poor.
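Added example (not part of Tony's message and not BIND code): a small Python script that computes what `dnssec-dsfromkey -2 -f <zonefile> [zonename]` would print for a DNSKEY found in a zone file, so you can cross-check the DS you hand to the parent before it goes in. It follows RFC 4034: the key tag is the Appendix B checksum over the DNSKEY RDATA, and the DS digest is SHA-256 (digest type 2) over the canonical, lowercased owner name in wire form followed by that RDATA. It also emits the same data as a CDS record, since a CDS carries DS RDATA for the DS the child wants published (RFC 7344); it does not model the dnssec-settime timing that decides when named publishes the CDS. The DNSKEY line is constructed for the example with all-zero key material so the key tag (1038) can be checked by hand; it is not a usable key.

```python
"""Compute DS and CDS records from a DNSKEY RR as dnssec-dsfromkey does.

Added example, not BIND code. SAMPLE_DNSKEY_LINE is a constructed dummy
(64 zero bytes of "public key") chosen so the key tag is hand-checkable.
"""
import base64
import hashlib
import struct

# Constructed sample zone-file line: flags 257 = zone key + SEP (a KSK),
# protocol 3, algorithm 13 (ECDSAP256SHA256). 64 zero bytes base64-encode
# to 86 'A' characters plus "==" padding.
SAMPLE_DNSKEY_LINE = "example.com. 3600 IN DNSKEY 257 3 13 " + "A" * 86 + "=="

# DS digest types from the IANA registry; 2 is what `dnssec-dsfromkey -2` selects.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg key...' from a zone file.
    TTL and class are optional; the base64 key may be split across fields."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, proto, alg, key


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit ones'-complement-style sum over RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line: str, digest_type: int = 2, rrtype: str = "DS") -> str:
    """Return the DS (or CDS) record text for one DNSKEY zone-file line.

    The digest is computed over the canonical owner name followed by the
    DNSKEY RDATA (RFC 4034 section 5.1.4). Only zone keys (flag bit 7 set,
    protocol 3) may have a DS, so anything else is rejected."""
    owner, flags, proto, alg, key = parse_dnskey(line)
    if not flags & 0x0100:
        raise ValueError("not a zone key: DNSKEY flag bit 7 is clear")
    if proto != 3:
        raise ValueError(f"DNSKEY protocol must be 3, got {proto}")
    if rrtype not in ("DS", "CDS"):
        raise ValueError("rrtype must be DS or CDS")
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN {rrtype} {key_tag(rdata)} {alg} {digest_type} {digest}"


if __name__ == "__main__":
    # What you would paste to the parent, and what the CDS in the child should say.
    print(ds_from_dnskey(SAMPLE_DNSKEY_LINE))
    print(ds_from_dnskey(SAMPLE_DNSKEY_LINE, rrtype="CDS"))
```

Run it against the real DNSKEY lines from your signed zone (or from `dig +dnssec DNSKEY`) and compare the output with the `dsset-` file or with the CDS that named publishes; if the key tag or digest differ, the parent is about to get the wrong DS. Note that dnssec-dsfromkey reads the key from a zone file or key file itself; this script only replaces the arithmetic, not the key management.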