Artificial truth

The more you see, the less you believe.


Deploying dnssec with bind 9.8.0
Fri 01 March 2013

Good news: BIND is now able to automagically manage your keys! No more hackish cron stuff, no more need to use dnssec-tools.

Quick walkthrough

Key generation

cd /etc/bind/dustri.org/
# KSK: 2048-bit RSASHA256 (algorithm 8); this is the key whose DS goes to the registrar
dnssec-keygen -f KSK -a RSASHA256 -b 2048 dustri.org
# ZSK: use the same algorithm as the KSK (without -a, dnssec-keygen 9.8 defaults to RSASHA1,
# and a zone whose DNSKEY set mixes algorithms must be signed with every one of them)
dnssec-keygen -a RSASHA256 -b 1024 dustri.org

Edit your configuration

vim /etc/bind/named.conf
options {
    [...]
    dnssec-enable yes;
    dnssec-validation auto;   // validate answers using the built-in root trust anchor
    dnssec-lookaside auto;
};
zone "dustri.org" {
    type master;
    file "/etc/bind/dustri.org/db.dustri.org";   // must be writable by named: the signed zone is kept as a journal
    key-directory "/etc/bind/dustri.org/";       // where the K*.key and K*.private files from dnssec-keygen live
    notify yes;
    update-policy local;      // dynamic zone; updates are only accepted with the local session key (nsupdate -l)
    auto-dnssec maintain;     // BIND publishes/retires DNSKEYs on the keys' timing metadata and re-signs as needed
    [...]
};

Conclusion

That's it, you've deployed DNSSEC, and BIND will manage your keys for you. You can now push your key to your registrar (OVH, in my case) to get it signed, and check that everything is fine with a DNSSEC checker.
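The record you actually hand to the registrar is the DS of the KSK, and it is worth rebuilding it yourself and comparing it with what `dnssec-dsfromkey -2` prints for the KSK's .key file before pasting anything into the registrar's form. The script below is an added example, not code from the original post: it derives the DS (digest type 2, SHA-256) from the KSK DNSKEY line as `dig DNSKEY dustri.org` prints it, following RFC 4034 (key tag, Appendix B) and RFC 4509. The function names are my own and the key material in the test is constructed.

```python
import base64
import hashlib


def owner_wire(name: str) -> bytes:
    """Owner name in canonical DNS wire format: lowercase, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: sum of 16-bit big-endian words with the carry folded back in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, dnskey_line: str) -> str:
    """Turn one DNSKEY RR in presentation format (owner ttl class DNSKEY flags proto alg key...)
    into the matching DS RR with a SHA-256 digest (digest type 2)."""
    fields = dnskey_line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    # Only the KSK (SEP bit, flags 257) belongs in the parent's DS; refuse a ZSK (flags 256).
    if flags & 1 == 0:
        raise ValueError("SEP bit not set: this is the ZSK, the DS must point at the KSK")
    # dig may wrap the base64 key over several whitespace-separated chunks.
    rdata = dnskey_rdata(flags, protocol, algorithm, "".join(fields[idx + 4:]))
    # DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 section 5.1.4.
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


if __name__ == "__main__":
    # Constructed sample line with a fake 4-byte key, for illustration only.
    print(ds_record("dustri.org.", "dustri.org. 3600 IN DNSKEY 257 3 8 AQIDBA=="))
```

The key tag and digest it prints must match the DS line from `dnssec-dsfromkey -2` on the KSK; if the registrar shows a different key tag after you submit, you pasted the ZSK or a stale key.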