Good news: BIND is now able to automagically manage your keys! No more hackish cron stuff, and no more need to use dnssec-tools.
Quick walkthrough
Keys generation
cd /etc/bind/dustri.org/
dnssec-keygen -f KSK -a RSASHA256 -b 2048 dustri.org
dnssec-keygen dustri.org
Edit your configuration
vim /etc/bind/named.conf
options {
    [...]
    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;
};
zone "dustri.org" {
    type master;
    file "/etc/bind/dustri.org/db.dustri.org";
    key-directory "/etc/bind/dustri.org/";
    notify yes;
    update-policy local;
    auto-dnssec maintain;
    [...]
};
Conclusion
That's it, you've deployed DNSSEC, and BIND will manage your keys for you. You can now push your key to your registrar (here if, like me, you're at OVH) to get it signed, and check that everything is fine here.
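What the registrar publishes for the pushed key is a DS record derived from the KSK (the key generated with -f KSK, flags 257), not from the ZSK. The Python sketch below is an added example, not part of the original post: it computes the key tag (RFC 4034 appendix B) and the SHA-256 DS digest from the text of a .key file so you can compare them with what the parent zone serves. The key material is a constructed placeholder, and the function names are this example's own.

```python
import base64
import hashlib
from dataclasses import dataclass

# Constructed 12-byte public key (NOT a real RSA key): exponent 65537 + 8 filler bytes.
SAMPLE_PUBKEY = bytes.fromhex("03010001c001020304050607")
# Constructed stand-in for a Kdustri.org.+008+NNNNN.key file written by dnssec-keygen.
SAMPLE_KEY_FILE = (
    "; This is a key-signing key (constructed sample)\n"
    "dustri.org. IN DNSKEY 257 3 8 " + base64.b64encode(SAMPLE_PUBKEY).decode() + "\n"
)

@dataclass
class Dnskey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    rdata: bytes  # flags | protocol | algorithm | public key, in wire format

def parse_dnskey(text):
    """Return the first DNSKEY record found in the text of a .key file."""
    for line in text.splitlines():
        tokens = line.split(";", 1)[0].split()  # drop ';' comments
        if "DNSKEY" not in tokens:
            continue
        i = tokens.index("DNSKEY")  # a TTL and class may precede the type
        flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
        pubkey = base64.b64decode("".join(tokens[i + 4:]))
        rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
        return Dnskey(tokens[0], flags, protocol, algorithm, rdata)
    raise ValueError("no DNSKEY record found")

def key_tag(rdata):
    """Key tag from RFC 4034 appendix B: 16-bit sum of the RDATA, carry folded in."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_record(key):
    """DS record (digest type 2, SHA-256) for a KSK; refuses keys without the SEP bit."""
    if not key.flags & 0x0001:
        raise ValueError("not a KSK (SEP bit clear): the registrar needs the 257 key")
    labels = key.owner.rstrip(".").lower().split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha256(wire_name + key.rdata).hexdigest().upper()
    return f"{key.owner} IN DS {key_tag(key.rdata)} {key.algorithm} 2 {digest}"

if __name__ == "__main__":
    print(ds_record(parse_dnskey(SAMPLE_KEY_FILE)))
```

The key tag in the output should match the five-digit id in the KSK's file name, and the whole line should match the DS record returned by the parent zone once the registrar has published it.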