DNSSEC doubt

Jiaming Zhang J.Zhang at yiximeta.com
Thu Jun 22 19:08:19 UTC 2023


Hi Daniel,

As far as my experience goes, you'll need to create a KSK and a ZSK first. But you can also use a script to generate these key pairs. However, it is (at least with the few registrars I have experience with) mandatory to enter your first DS record manually, and then you could use CDS (if they support querying CDS) for new keys.

A quick shell syntax for creating key pairs might be:
```bash
domain=example.com
root_keydir=/var/named/keys   # use whatever you want as long as named has proper permission to access
# create key directory
mkdir -p "${root_keydir}/${domain}" && cd "${root_keydir}/${domain}"
# KSK (-b is only meaningful for RSA algorithms; elliptic-curve keys have a fixed size)
dnssec-keygen -a <key_algorithm> -b <keysize> -f KSK "$domain"
# ZSK
dnssec-keygen -a <key_algorithm> -b <keysize> "$domain"
# what I usually do also (to correct ownership), don't use this kind of wildcard if you keep everything in one dir:
chown named:named ./K*
# if not already done, add config to your config file, with key-directory specified
# you can also store the DS record to a file or send it via API, but to retrieve it:
dnssec-dsfromkey <your_newly_created_key_file>
```

Met vriendelijke groet / Best regards,
Jiaming Zhang

Yixi Meta
Email: J.Zhang at yiximeta.com
Website: yiximeta.com

The content of this message is intended solely for the addressee. No rights can be derived from this message or its attachments. If you are not the intended recipient, we kindly request you to delete the message and inform the sender. It is strictly prohibited to disclose, copy or distribute this email or the information inside it, without a written consent from the sender. Yixi Meta is registered with the Dutch Chamber of Commerce trade register with number 85744115.
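The DS record that dnssec-dsfromkey prints for a KSK, and the check that the DS your registrar actually published was derived from the DNSKEY in your zone, as an added Python example that is not part of the original post or of BIND. It follows RFC 4034 (key tag, DS digest over owner name plus DNSKEY RDATA); the owner name example.com and the 64-byte "public key" it uses are constructed placeholders, not a real key, and the `parse_dnskey_line` helper is my own name for reading the presentation format found in a `K*.key` file.

```python
"""Derive a DS record from a DNSKEY and check it against a DS fetched from the parent.
Added example (not from the mailing-list post or from BIND); the key material below
is constructed for illustration and is not a real key."""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): labels lowercased,
    each prefixed with its length byte, terminated by a zero byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Wire RDATA of a DNSKEY: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """Return the DS RDATA fields (key_tag, algorithm, digest_type, hex_digest).
    The digest covers the owner name in wire form followed by the DNSKEY RDATA."""
    algorithm = rdata[3]
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(owner_wire(owner) + rdata)
    return key_tag(rdata), algorithm, digest_type, h.hexdigest().upper()


def ds_matches(parent_ds: tuple, owner: str, rdata: bytes) -> bool:
    """True if the DS published at the parent (tag, alg, digest_type, hex) was derived
    from this DNSKEY. Unknown digest types are treated as a mismatch rather than a pass."""
    tag, alg, dtype, digest = parent_ds
    if dtype not in DIGEST_ALGS:
        return False
    return ds_from_dnskey(owner, rdata, dtype) == (tag, alg, dtype, digest.upper())


def parse_dnskey_line(line: str) -> tuple:
    """Parse the presentation form written to a K*.key file:
    '<owner> [TTL] [IN] DNSKEY <flags> 3 <alg> <base64...>'. Trailing ';' comments are dropped."""
    fields = line.split(";", 1)[0].split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    public_key = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], dnskey_rdata(flags, algorithm, public_key, protocol)


# Constructed sample: a KSK line (flags 257, algorithm 13 = ECDSAP256SHA256) whose 64 key
# bytes are just 0..63. This is NOT a valid curve point; it only exercises the encoding.
SAMPLE_KSK_LINE = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode()


def sample_ds() -> tuple:
    """DS fields for the constructed sample key, as the registrar would need them."""
    owner, rdata = parse_dnskey_line(SAMPLE_KSK_LINE)
    return ds_from_dnskey(owner, rdata)


if __name__ == "__main__":
    owner, rdata = parse_dnskey_line(SAMPLE_KSK_LINE)
    tag, alg, dtype, digest = ds_from_dnskey(owner, rdata)
    print(f"{owner} IN DS {tag} {alg} {dtype} {digest}")
    # The check you want after the registrar has entered the record: the DS at the parent
    # must match the DNSKEY in the zone, otherwise the zone is bogus to validators.
    print("parent DS matches zone DNSKEY:", ds_matches((tag, alg, dtype, digest), owner, rdata))
```

To use this against a real zone, feed `parse_dnskey_line` the contents of the KSK's `.key` file and `ds_matches` the DS fields returned by `dig DS example.com` at the parent; a mismatch after a key change means the new DS has not been published yet and the rollover must not proceed.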
________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Daniel A. Rodriguez via bind-users <bind-users at lists.isc.org>
Sent: Thursday, June 22, 2023 7:47:55 PM
To: bind-users at lists.isc.org <bind-users at lists.isc.org>
Subject: DNSSEC doubt

I wonder if it's mandatory to make a manual deployment prior to an automated setup.