Set up DNSSEC on Bind9

Submitted by Fekete Zoltán on
# cd /etc/bind

Add these lines to your zone declaration in named.conf.local:

inline-signing yes;
auto-dnssec maintain;

Then:

# mkdir /etc/bind/zones
# cd /etc/bind/zones

  Here, create your zone file: example.com.db

# mkdir /etc/bind/keys
# cd /etc/bind/keys
# dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com
# dnssec-keygen -a ECDSAP256SHA256 example.com

(ECDSAP256SHA256 keys are always 256 bits; dnssec-keygen ignores any -b key size given for them, so none is passed above.)

# for key in Kexample.com*.key
do
echo "\$INCLUDE $key" >> ../zones/example.com.db
done
# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t ../zones/example.com.db
# cd /etc/bind

Edit named.conf.options file, and add

key-directory "/etc/bind/keys";

to the options block.

# service named reload
# rndc loadkeys example.com
# rndc signing -nsec3param 1 0 10 auto example.com

Check the zone.

$ dig DNSKEY example.com. @localhost +multiline

An online DNSSEC checker is available here:

https://dnssec-analyzer.verisignlabs.com
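The DS record for the KSK is what the registrar (the parent zone) needs before the online checker can show a complete chain of trust. As an added example that is not part of the original post, the script below parses the `dig ... +multiline` answer and derives the DS record (RFC 4034 key tag, SHA-256 digest) using only the Python standard library; the two DNSKEYs in its sample are constructed placeholder byte patterns, not real keys.

```python
import base64, hashlib

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire-format owner name, e.g. b'\\x07example\\x03com\\x00'."""
    labels = [x for x in name.lower().rstrip(".").split(".") if x]
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; this is the 'key id' that dig prints."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, flags: int, proto: int, alg: int, key_b64: str) -> str:
    """DS RR, digest type 2 (SHA-256) over owner name in wire form + DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"

def parse_dnskeys(dig_output: str):
    """Yield (owner, flags, proto, alg, key_b64) for each DNSKEY in dig +multiline output."""
    tokens = None
    for raw in dig_output.splitlines():
        line = raw.split(";", 1)[0]                  # drop ';' comments such as '; KSK; alg = ...'
        if "DNSKEY" in line.split():                 # record start: owner [ttl] IN DNSKEY flags proto alg (
            tokens = line.replace("(", " ").split()
        elif tokens is not None:
            tokens += line.replace(")", " ").split()   # base64 continuation lines
        if tokens is not None and ")" in line:       # ')' closes the multiline record
            i = tokens.index("DNSKEY")
            flags, proto, alg = (int(x) for x in tokens[i + 1:i + 4])
            yield tokens[0], flags, proto, alg, "".join(tokens[i + 4:])
            tokens = None

def ksk_ds_records(dig_output: str) -> list:
    """DS records for the KSKs only (flags 257 = ZONE + SEP); these go to the parent zone."""
    return [ds_record(*k) for k in parse_dnskeys(dig_output) if k[1] == 257]

# Constructed sample dig output: both keys are placeholder byte patterns, NOT real ECDSA keys.
KSK_B64, ZSK_B64 = (base64.b64encode(bytes(r)).decode() for r in (range(1, 65), range(64, 0, -1)))
SAMPLE_DIG_OUTPUT = f"""\
example.com.\t3600 IN DNSKEY 257 3 13 (
\t\t{KSK_B64[:44]}
\t\t{KSK_B64[44:]}
\t\t) ; KSK; alg = ECDSAP256SHA256 ; key id = 2098
example.com.\t3600 IN DNSKEY 256 3 13 (
\t\t{ZSK_B64[:44]}
\t\t{ZSK_B64[44:]}
\t\t) ; ZSK; alg = ECDSAP256SHA256 ; key id = 10257
"""
```

Compare the key tag in the generated DS line with the "key id" dig prints for the same key before handing the record to the registrar.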

That's it!

ADDING A SUBDOMAIN

  1. Add the subdomain records to the zone file, example.com.db.
  2. Sign the zone with dnssec-signzone as mentioned above.
  3. Restart named.
  4. Check the zone.

TROUBLESHOOTING

zone example.com/IN: journal rollforward failed: journal out of sync with zone

If you get this error message, remove the zone's .jnl journal files and restart named.
