Adding a new domain with DNSSEC
Bjørn Mork
bjorn at mork.no
Sun Apr 10 11:37:39 UTC 2022
"@lbutlr" <kremels at kreme.com> writes:
> # dnssec-keygen -a 13 example.com
> # dnssec-keygen -f KSK -a 13 example.com
>
> Add $INCLUDE to the zone file for each of these 4 keys.

4? You've generated 2 key pairs. There should be only 2 public keys
included in the zone.

> dnssec-signzone: warning: keys/Kexample.com.+013+55923.private:1: unknown RR type 'v1.3'

Right. Don't publish anything named "private" in the zone file...

But I can recommend the automated zone maintenance instead, either using
the modern "dnssec-policy":

https://bind9.readthedocs.io/en/latest/dnssec-guide.html#enabling-automated-dnssec-zone-maintenance-and-key-generation

or the older "auto-dnssec maintain". There's no need for any of the manual
steps you are doing.

Bjørn
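
Added example (not part of the message above and not BIND code): a pre-signing check, in Python, that walks the $INCLUDE lines of a zone file, reports any that pull in a private key file, and lists the DNSKEY records that are actually published. The function name audit_includes, key tag 12345, the key roles and all sample file contents are constructed for illustration; only key tag 55923 comes from the thread.

```python
import re

INCLUDE_RE = re.compile(r"^\$INCLUDE\s+(\S+)", re.IGNORECASE)
DNSKEY_RE = re.compile(r"\bDNSKEY\s+(\d+)\s+3\s+(\d+)\s")
ROLES = {256: "ZSK", 257: "KSK"}  # DNSKEY flags field

def audit_includes(zone_text, read_file):
    """Return (public_keys, problems) for the $INCLUDE lines of a zone file.

    read_file(path) -> str is passed in, so the check runs on real files
    (lambda p: open(p).read()) or on in-memory samples as below.
    """
    public_keys, problems = [], []
    for lineno, line in enumerate(zone_text.splitlines(), 1):
        m = INCLUDE_RE.match(line.strip())
        if not m:
            continue
        path = m.group(1)
        body = read_file(path)
        # A .private file begins "Private-key-format: v1.3"; read as zone
        # data, that line is what yields "unknown RR type 'v1.3'".
        if path.endswith(".private") or body.startswith("Private-key-format:"):
            problems.append((lineno, path))
            continue
        for rec in body.splitlines():
            hit = None if rec.startswith(";") else DNSKEY_RE.search(rec)
            if hit:
                flags, alg = int(hit.group(1)), int(hit.group(2))
                public_keys.append((path, ROLES.get(flags, "other"), alg))
    return public_keys, problems

# Constructed sample. Only key tag 55923 appears in the thread; tag 12345,
# the key roles and all file contents are placeholders.
K1, K2 = "keys/Kexample.com.+013+55923", "keys/Kexample.com.+013+12345"
SAMPLE_FILES = {
    K1 + ".key": "; constructed\nexample.com. IN DNSKEY 256 3 13 Y29uc3RydWN0ZWQ=\n",
    K2 + ".key": "; constructed\nexample.com. IN DNSKEY 257 3 13 Y29uc3RydWN0ZWQ=\n",
    K1 + ".private": "Private-key-format: v1.3\nAlgorithm: 13 (ECDSAP256SHA256)\n",
    K2 + ".private": "Private-key-format: v1.3\nAlgorithm: 13 (ECDSAP256SHA256)\n",
}
SAMPLE_ZONE = "\n".join([
    "$TTL 3600",
    "@ IN SOA ns1.example.com. hostmaster.example.com. 1 3600 900 604800 3600",
    "@ IN NS ns1.example.com.",
] + ["$INCLUDE " + k + ext for k in (K1, K2) for ext in (".key", ".private")])

if __name__ == "__main__":
    keys, problems = audit_includes(SAMPLE_ZONE, SAMPLE_FILES.__getitem__)
    print(len(keys), "public keys;", len(problems), "private-key includes")
```

On the sample zone with four includes, the check reports two published DNSKEYs and flags the two .private includes by zone-file line number.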