Fully automated DNSSEC with BIND 9.16
David Carvalho
david at di.ubi.pt
Tue Apr 11 10:02:08 UTC 2023
Hello, hope everyone is fine.
So it seems that going to Bind version 9.16 was the right call as it
simplifies DNSSEC a lot.
Nevertheless, I would like to clarify some things because our organization
has a parent domain and I host my own e-mail servers. I know they had
problems while implementing DNSSEC on the top domain, and some
configurations had to be made to let subdomain e-mail servers still work
after DNSSEC.
Following the Red Hat tutorial, all I had to do was add "dnssec-policy default;"
into one of my zones for testing purposes. I'm not testing Reverse zones
yet.
After this, 3 files "Kmy.domain***" were created:
".key"
".private"
".state".
Three files regarding my zone were also created:
My.domain.signed
And the following 2, whose purpose I'm not sure of:
My.domain.jbk and my.domain.signed.jnl
There are also "managed-keys.bind" and "managed-keys.bind.jnl"
My questions:
1. Every time I restart the service, it seems all these files are
recreated. Does this mean that every time I make a change in the host zone,
I need to resend the public key to my top domain?
2. Do Parental Agents help with this?
3. Which format should I use when providing the key to the top level
domain?
dnssec-dsfromkey /var/named/Kexample.com.+013+61141.key
or
grep DNSKEY /var/named/Kexample.com.+013+61141.key
Kind regards
David Carvalho
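As an added illustration for question 3 (not from the original post and not BIND's own code): the DNSKEY line that `grep DNSKEY` returns from the .key file and the DS record that `dnssec-dsfromkey` prints are two forms of the same key, and this script derives the DS record and the key tag (the number in the K*.key file name) from a DNSKEY line following RFC 4034. The DNSKEY below is a constructed sample whose public key is 64 zero bytes, so it is not a usable ECDSA key; it is there only so the key tag can be checked by hand.

```python
import base64
import hashlib
import struct

# Constructed sample in the presentation format found in a K<zone>.+013+<tag>.key file.
# The "public key" is 64 zero bytes: NOT a valid ECDSA P-256 key, just a hand-checkable
# input (flags 257 = KSK/SEP bit set, protocol 3, algorithm 13 = ECDSAP256SHA256).
SAMPLE_DNSKEY_LINE = "example.com. IN DNSKEY 257 3 13 " + base64.b64encode(bytes(64)).decode()

def parse_dnskey(line):
    """Split a presentation-format DNSKEY RR into (owner, flags, protocol, algorithm, key bytes)."""
    fields = line.split()
    if len(fields) < 7 or fields[2] != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % line)
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[3:6])
    key = base64.b64decode("".join(fields[6:]))  # base64 may be split over several fields
    return owner, flags, protocol, algorithm, key

def dnskey_rdata(flags, protocol, algorithm, key):
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: sum of the RDATA as 16-bit words, folded to 16 bits."""
    ac = 0
    for i in range(0, len(rdata), 2):
        ac += rdata[i] << 8 | (rdata[i + 1] if i + 1 < len(rdata) else 0)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(owner):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_record(line):
    """DS record (digest type 2 = SHA-256 over owner name + DNSKEY RDATA) for a DNSKEY line."""
    owner, flags, protocol, algorithm, key = parse_dnskey(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d 2 %s" % (owner, key_tag(rdata), algorithm, digest)

if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY_LINE))
```

Run it on a real line from your own K*.key file and the key tag in the output should match the number in that file name, and the DS line should match `dnssec-dsfromkey -2` on the same file.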