@buffrr
Created November 16, 2021 19:29
Quick guide for using Knot DNS to dnssec sign a zone

Note: ⚠️ this is a draft; it still needs some work and is not 100% tested.

Knot DNS setup

Install knot

LC_ALL=C.UTF-8 add-apt-repository ppa:cz.nic-labs/knot-dns-latest
apt-get update
apt-get install knot
apt-get install knot-dnsutils

Create a directory to store the zone files that Knot will sign, such as /var/lib/knot/signed. In this example, we make a zone for buffrr.forever at /var/lib/knot/signed/buffrr.forever.zone:

buffrr.forever.             300     IN      SOA     ns1.buffrr.dev. contact.buffrr.dev. 1 10000 2400 604800 300
                            300     IN      NS  ns1.buffrr.dev.
                            300     IN      A   164.90.158.119
_443._tcp                   300     IN      TLSA 3 1 1 591F4365F2EEC109514BE4B97E9BCC631D4DFE4B19E83139E33B55F4043A4324

Let's configure Knot to sign this zone. Edit /etc/knot/knot.conf:

# creating a signing policy called common that uses ed25519
policy:
   - id: common
     algorithm: ed25519
     single-type-signing: on


template:
   - id: default
     storage: "/var/lib/knot"
     file: "%s.zone"

   # add new template "signed" that uses the common signing policy and /var/lib/knot/signed directory
   - id: signed
     storage: "/var/lib/knot/signed"
     file: "%s.zone"
     dnssec-signing: on
     dnssec-policy: common


# You can add any zone here and it'll be signed automatically
zone:
   # this will use the zone file stored at /var/lib/knot/signed/buffrr.forever.zone that we created earlier
   - domain: buffrr.forever
     template: signed

# add other zones in /var/lib/knot/signed/ and use them here
#   - domain: example.forever
#     template: signed

That's it. Now reload the configuration:

knotc reload

To get your DS records (you can publish just the first one; the second DS uses a stronger digest algorithm, but you can also publish both):

$ keymgr buffrr.forever ds
buffrr.forever. DS 53577 15 2 621f6648197ee8f76f92c702d289d333b8e61f246d9eea898ea2053947c9795e
buffrr.forever. DS 53577 15 4 777d416f921bf58907ae78fb221e26654bc3d466538f327b50b382f9c48df21d189113f1c9a738e1cbb9194808851517
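The DS lines above are what you hand to the parent zone. As an added example (not part of the gist or of Knot), this Python checks keymgr's DS output against the policy (algorithm 15 = ed25519, digest lengths matching digest types 2 and 4, one key tag) and shows how a DS digest and key tag are derived from a DNSKEY per RFC 4034; the DNSKEY public key used in the test is a constructed placeholder, not a real key.

```python
import hashlib
import struct

ALG_ED25519 = 15             # DNSSEC algorithm number for ed25519 (the policy's choice)
DIGEST_LEN = {2: 32, 4: 48}  # DS digest type -> digest length in bytes (SHA-256, SHA-384)

# Sample input: the two DS lines that `keymgr buffrr.forever ds` printed in the guide.
KEYMGR_DS_OUTPUT = """\
buffrr.forever. DS 53577 15 2 621f6648197ee8f76f92c702d289d333b8e61f246d9eea898ea2053947c9795e
buffrr.forever. DS 53577 15 4 777d416f921bf58907ae78fb221e26654bc3d466538f327b50b382f9c48df21d189113f1c9a738e1cbb9194808851517
"""


def parse_ds(line):
    """Split one 'owner DS keytag alg digesttype digest' line into a dict."""
    owner, rtype, keytag, alg, dtype, digest = line.split()
    if rtype != "DS":
        raise ValueError("not a DS record: " + line)
    return {"owner": owner, "keytag": int(keytag), "alg": int(alg),
            "dtype": int(dtype), "digest": digest.lower()}


def check_ds_records(text, expected_alg=ALG_ED25519):
    """Return a list of problems found in keymgr's DS output (empty list = OK)."""
    records = [parse_ds(l) for l in text.splitlines() if l.strip()]
    if not records:
        return ["no DS records found"]
    problems = []
    for r in records:
        if r["alg"] != expected_alg:
            problems.append(f"key {r['keytag']}: algorithm {r['alg']} != policy {expected_alg}")
        want = DIGEST_LEN.get(r["dtype"])
        if want is None:
            problems.append(f"key {r['keytag']}: unknown digest type {r['dtype']}")
        elif len(bytes.fromhex(r["digest"])) != want:
            problems.append(f"key {r['keytag']}: digest type {r['dtype']} needs {want} bytes")
    if len({r["keytag"] for r in records}) != 1:
        problems.append("DS lines refer to more than one key tag")
    return problems


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, alg, pubkey, dtype):
    """Compute (key tag, digest hex) of the DS for a DNSKEY (RFC 4034 section 5.1.4)."""
    rdata = struct.pack("!HBB", flags, 3, alg) + pubkey  # protocol field is always 3
    labels = owner.rstrip(".").lower().split(".")        # canonical (lowercase) wire-format owner
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = {2: hashlib.sha256, 4: hashlib.sha384}[dtype](wire + rdata)
    return key_tag(rdata), digest.hexdigest()
```

Compare the key tag and digest returned by ds_from_dnskey for your KSK's DNSKEY RDATA with what keymgr prints before publishing; a mismatch means you are about to publish a DS for the wrong key.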