Created
February 7, 2018 07:13
-
-
Save avigail-oron/892721b72d2b6d171ebcb5827794384a to your computer and use it in GitHub Desktop.
How to create a DNSSEC-signed zone (Linux)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Need to install bind utils, no need for bind itself for signing | |
| apt-get install bind9utils | |
| #Create a zone file with the EXACT NAME as the domain! Let's assume its xx.com | |
| #Note - we are using urandom to avoid the problem of not enough antropy. | |
| #In real life this option should be ommited so random will be used instead | |
| #Generate KSK for the xx.com zone: | |
| dnssec-keygen -r /dev/urandom -f KSK xx.com | |
| #Generate ZSK for the xx.com zone: | |
| dnssec-keygen -r /dev/urandom xx.com | |
| #open the zone file and include the 2 key files (KSK & ZSK) | |
| # $include Kxx.com.+{...}.key | |
| # $include Kxx.com.+{...}.key | |
| #Now we can sign the zone file using the KSK & ZSK private keys | |
| dnssec-signzone -o xx.com -g -k {KSK private} signed.com {ZSK private} | |
| #A new zone file is created called xx.com.signed | |
| #This file should be copied to BIND zone folder. Don't forget to add it to named.conf.local zone list | |
| #Another new file is dsset-xx.com. This file should be given to nameserver of parent zone / registrar |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment