DNSSEC auth-zone

Hi, I'm trying to configure DNSSEC for an auth-zone,
but I can't find any doc about it.

Is there a way to enable DNSSEC for an auth-zone or local-zone?

Like a signed zone in BIND or NSD does?
So I can do a 'dig @ip-dns-server example.com +dnssec'

The command you're looking for is "drill". :slight_smile:
# drill -h
drill version 1.7.0 (ldns version 1.7.0)
Written by NLnet Labs.

Copyright (c) 2004-2008 NLnet Labs.
Licensed under the revised BSD license.
There is NO warranty; not even for MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.
   Usage: drill name [@server] [type] [class]
  <name> can be a domain name or an IP address (-x lookups)
  <type> defaults to A
  <class> defaults to IN

  arguments may be placed in random order

   Options:
  -D enable DNSSEC (DO bit)
  -T trace from the root down to <name>
  -S chase signature(s) from <name> to a known key [*]
  -I <address> source address to query from
  -V <number> verbosity (0-5)
  -Q quiet mode (overrules -V)

  -f file read packet from file and send it
  -i file read packet from file and print it
  -w file write answer packet to file
  -q file write query packet to file
  -h show this help
  -v show version

   Query options:
  -4 stay on ip4
  -6 stay on ip6
  -a fallback to EDNS0 and TCP if the answer is truncated
  -b <bufsize> use <bufsize> as the buffer size (defaults to 512 b)
  -c <file> use file for rescursive nameserver configuration
      (/etc/resolv.conf)
  -k <file> specify a file that contains a trusted DNSSEC key [**]
      Used to verify any signatures in the current answer.
      When DNSSEC enabled tracing (-TD) or signature
      chasing (-S) and no key files are given, keys are read
  -o <mnemonic> set flags to:
      [QR|qr][AA|aa][TC|tc][RD|rd][CD|cd][RA|ra][AD|ad]
      lowercase: unset bit, uppercase: set bit
  -p <port> use <port> as remote port number
  -s show the DS RR for each key in a packet
  -u send the query with udp (the default)
  -x do a reverse lookup
  when doing a secure trace:
  -r <file> use file as root servers hint file
  -t send the query with tcp (connected)
  -d <domain> use domain as the start point for the trace
  -y <name:key[:algo]> specify named base64 tsig key, and optional an
      algorithm (defaults to hmac-md5.sig-alg.reg.int)
  -z don't randomize the nameservers before use

   [*] = enables/implies DNSSEC
   [**] = can be given more than once

   ldns-team@nlnetlabs.nl | http://www.nlnetlabs.nl/ldns/

# drill -TD host.some.domain
# drill -D @www.xxx.yyy.zzz host.some.domain

HTH

--Chris

Hi, I had a misunderstanding.

drill is better than dig, I know, it was just an example of command.

In my conception, zones were auto-signed by the daemon. Then I figured out this was a mistake.

Zones are signed using tools, like dns-keygen, ldns-keygen and more.

I was able to find LDNS and examples like ldns-keygen, ldns-signzone.

Since I use C in my system, I was able to read the code and get it working perfectly.
Only needed to create functions for my buffer, because I don’t use struct FILE *.
I made a sign function with user interaction and my beautiful interface.

Then I knew I needed the KSK and ZSK (key and private).
Using these keys I read the zone and sign every RR.
And done, zone signed!

Changed the zonefile to the new one.
Restart the service.

After that, I put the DS at my registrar.

Thanks for the help.
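The last step of the procedure above, publishing the DS at the registrar, is easy to get wrong (wrong key, wrong digest input). The following is an added example, not code from this thread or from ldns: it derives the DS RR from a DNSKEY line in the presentation format that ldns-keygen writes to its .key file, per RFC 4034 Appendix B and section 5.1.4, and refuses to build a DS for a ZSK (no SEP bit). The owner name, flags and the 4-byte key blob are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased labels, each length-prefixed, then the root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as it appears on the wire: flags(2) protocol(1) algorithm(1) public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def is_ksk(flags):
    """The SEP bit (flags & 1) marks the key whose DS belongs at the registrar."""
    return bool(flags & 1)


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Build the DS RR: digest over owner name (wire form) followed by the DNSKEY RDATA."""
    if not is_ksk(flags):
        raise ValueError("flags %d has no SEP bit: this is a ZSK, publish the DS of the KSK" % flags)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type, digest)


def ds_from_dnskey_line(line, digest_type=2):
    """Accept a DNSKEY line in presentation format (as in a .key file); ';' comments are dropped."""
    tokens = line.split(";")[0].split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    return ds_record(tokens[0], flags, protocol, algorithm, "".join(tokens[i + 4:]), digest_type)


# Constructed sample: KSK flags (257), algorithm 13, placeholder key bytes 01 02 03 04 (not a real key)
SAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA== ;{id = 2068 (ksk), size = 32b}"

if __name__ == "__main__":
    print(ds_from_dnskey_line(SAMPLE_KSK))
```

Compare the key tag in the output with the id ldns-keygen printed when it generated the key; a mismatch means the wrong .key file or a mangled base64 blob.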