Updating my signed zonefiles

user31 · July 8, 2013, 2:32am

Hi,

Is there an easier way to update my signed zonefiles than having to do ldns-keygen -a RSASHA1_NSEC3 -b 1024 <domain> && ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k <domain> && ldns-signzone <domain> <zone signing key> <key signing key> over and over?

My setup is here: https://gist.github.com/kakekake89/5945810

Would appreciate general improvement advice as well. Just switched over from BIND, couldn't be happier.

O.D.

Matthijs_Mekking · July 8, 2013, 9:27am

Hi,

Hi,

Is there an easier way to update my signed zonefiles than having to do ldns-keygen -a RSASHA1_NSEC3 -b 1024 <domain> && ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k <domain> && ldns-signzone <domain> <zone signing key> <key signing key> over and over?

Not in NSD, it does support in-line signing. So you need something else
to do the signing for you. You might be interested in OpenDNSSEC to the
the DNSSEC stuff for you:

http://www.opendnssec.org/

Best regards,
Matthijs

Jan-Piet_Mens1 · July 8, 2013, 10:05am

Not in NSD, it does support in-line signing.

^ not

Jan-Piet_Mens1 · July 8, 2013, 10:07am

Is there an easier way to update my signed zonefiles than having to do
ldns-keygen -a RSASHA1_NSEC3 -b 1024 <domain> && ldns-keygen -a
RSASHA1_NSEC3 -b 2048 -k <domain> && ldns-signzone <domain> <zone
signing key> <key signing key> over and over?

If you invoke `ldns-keygen` every time you change a zone file, you are
generating NEW keys at each run. I very much doubt you really want that,
as you'd have to submit your DS RRset to the parent zone each time!

-JP

Matthijs_Mekking · July 8, 2013, 10:13am

Thanks

user31 · July 8, 2013, 10:22pm

Awesome, will look into that.

Thank you.

O.D.

user31 · July 8, 2013, 10:23pm

Cool, so say I need to edit /etc/nsd/mydomain.com at https://gist.github.com/kakekake89/5945810 -- all I need to do is "nsdc rebuild" afterwards and I'm all set?

O.D.

anandb · July 8, 2013, 10:33pm

Not quite. You haven't quite understood zone signing. Here's a summary:

1. You run ldns-keygen ONCE, to generate your ZSK and KSK.

2. You edit your zone, and then run ldns-signzone on it to sign it, and
load it into NSD.

3. Whenever you change your zone, you re-sign it with ldns-signzone, and
*then* run "nsdc rebuild".

user31 · July 8, 2013, 10:36pm

Hi,

I'm curious how everyone on this list sets up their NSD servers. Looking for interesting new ways to do things. Things I might have forgotten. Things I maybe shouldn't have added in the first place.

Would you guys mind sharing with us your setup?

I'll go first: https://gist.github.com/kakekake89/5945810

Thanks.

O.D.

user31 · July 8, 2013, 10:55pm

Oh right. Quite a nice process there. Thanks a lot man!

O.D.