A beginner's guide to DNSSEC with BIND 9

Jan-Piet Mens list at mens.de
Mon Oct 24 15:52:27 UTC 2022


>A Beginner's Guide to DNSSEC with BIND 9.

Well done! A few comments, if I may:

1. in your zone stanzas you use the term "master" (type: master, ... masters {}). BIND has been updated already a while ago to support the term primary, e.g. `type primary;' and `primaries {};' (likewise for 'secondary'). It might be a good time to switch to the new nomenclature, particularly as you rightly call the primary primary and secondary a secondary :)

2. I tend to use `rndc reconfig' for re-configuration (after adding a new zone, say) rather than `reload', which I use when I wish named to load a modified primary zone.

3. on your primary you have an allow-transfer{} ACL for your secondary using its IP address. You might wish to look into using TSIG for that.

4. note that `inline-signing' might go away and be replaced by dnssec-policy which you may wish to look into at some point.

5. I'm not familiar with the paths used by your Ubuntu distro, but the command at #6 appears to be incorrect:

	sudo ./etc/bind/named-checkconf named.conf.local

    named-checkconf(8) is likely in /usr/sbin and it will use a compiled-in default configuration file.

6. just as a FYI: instead of "and if you quickly type tail var/log/syslog" I typically `tail -f' (follow) the log file in a second window/pane/console or even in the same session in order to have logs show up immediately. :)

7. Instead of querying for the SOA (dig ... SOA +dnssec), I like querying for the DNSKEY RRset so that I see the key tags (key IDs): `dig @::1 example.com DNSKEY +dnssec +multi' (the +multi flag shows me the key types and tags, or use +nocrypto to omit the base64-encoded stuff)

8. in the section on externally validating, I'd love to recommend dnsviz.net: I cannot think of another testing site which I would *pay* to use. These chaps are grand!


Feel free to talk to me off-list if I've not made sense.

Best regards,

	-JP
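As an added illustration (not part of JP's message nor of the guide he is commenting on), here is a named.conf sketch that applies points 1, 3 and 4 together: primary/secondary nomenclature, TSIG-keyed zone transfers instead of an address ACL, and dnssec-policy in place of a hand-rolled inline-signing setup. The key name "xfer-key", the RFC 5737 addresses and the file paths are assumptions, and the secret is a constructed placeholder, not a real key.

```conf
// ---- primary server: /etc/bind/named.conf.local (assumed path) ----

// Shared TSIG key; a real secret comes from: tsig-keygen xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c29tZS1jb25zdHJ1Y3RlZC1leGFtcGxlLXNlY3JldA==";  // constructed placeholder
};

// Sign NOTIFY messages and transfers sent to the secondary (assumed address)
server 192.0.2.53 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type primary;                         // "primary" replaces the older "master"
    file "/var/lib/bind/db.example.com";  // assumed path
    dnssec-policy default;                // built-in policy: keys, signing and rollovers managed by named
    inline-signing yes;                   // set explicitly; whether it is implied varies by BIND version
    allow-transfer { key "xfer-key"; };   // only TSIG-signed AXFR/IXFR, not an IP-based ACL
};

// ---- secondary server: /etc/bind/named.conf.local (assumed path) ----

key "xfer-key" {                          // same name, algorithm and secret as on the primary
    algorithm hmac-sha256;
    secret "c29tZS1jb25zdHJ1Y3RlZC1leGFtcGxlLXNlY3JldA==";  // constructed placeholder
};

zone "example.com" {
    type secondary;                       // "secondary" replaces the older "slave"
    file "/var/cache/bind/db.example.com";  // assumed path
    primaries { 192.0.2.1 key "xfer-key"; };  // "primaries" replaces "masters"; transfers are signed
};

// Validate the file before loading it (point 5), then pick up the new zone (point 2):
//   named-checkconf /etc/bind/named.conf
//   rndc reconfig
```

Because allow-transfer now matches on the key rather than the address, a peer that knows the secondary's IP but not the secret is refused, and a secondary whose address changes keeps working without touching the primary's ACL.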


More information about the bind-users mailing list