Handbook DNS documentation clarification
Bob Faulkner
torment at treborlogic.com
Sun Jun 14 14:45:33 UTC 2015
Hello,
In the handbook section on DNS (29.7), under the DNSSEC subsection
(29.7.3.4), in subsection 29.7.3.4.2, Authoritative DNS Server
Configuration, it is suggested to rename the generated key files to make
it clear which type of key the file contains:
"It is also possible to rename the keys. For each KSK file do:
% mv Kexample.com.+005+nnnnn.key Kexample.com.+005+nnnnn.KSK.key
% mv Kexample.com.+005+nnnnn.private Kexample.com.+005+nnnnn.KSK.private
For the ZSK files, substitute KSK for ZSK as necessary. The files can
now be included in the zone file, using the $include statement. It
should look something like this:
$include Kexample.com.+005+nnnnn.KSK.key ; KSK
$include Kexample.com.+005+nnnnn.ZSK.key ; ZSK"
In the next subsection, 29.7.3.4.3, Automation Using BIND 9.7 or Later,
you are directed to generate keys as explained in section 29.7.3.4.2,
Authoritative DNS Server Configuration, and place those keys in a
directory to be specified in the configuration.
The problem is that if you rename the key files as suggested in section
29.7.3.4.2, Authoritative DNS Server Configuration, BIND will not load
the keys and therefore will not sign the zone. I spent several hours
trying to debug why BIND was not signing my zone when I decided on a
hunch to simply rename the key files back to the default format, and
BIND then began signing as expected. This should be noted in subsection
29.7.3.4.3, Automation Using BIND 9.7 or Later, so as to avoid anyone
else hitting this roadblock.
Thanks!
Bob Faulkner
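A quick way to catch the mistake described in this message before spending hours on it is to check that every key file in the BIND key directory still carries the default dnssec-keygen name. The script below is an added example, not from the handbook or the FreeBSD project; the filename pattern it matches is assumed from the handbook's Kexample.com.+005+nnnnn form, and the sample directory listing is constructed.

```python
"""Added example (not from the handbook or FreeBSD): check that files in a BIND
key-directory still carry the default dnssec-keygen names, since the automatic
signing of 29.7.3.4.3 only finds keys named that way."""
import os
import re
import sys
from collections import defaultdict

# Default dnssec-keygen name K<zone>.+<3-digit alg>+<5-digit id>.key|.private,
# assumed from the handbook's Kexample.com.+005+nnnnn form.
KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<keyid>\d{5})\.(?P<ext>key|private)$")

# Constructed listing: a good pair, a .key missing its .private, a pair renamed
# as the handbook suggests, and unrelated zone files.
SAMPLE_FILES = [
    "Kexample.com.+005+12345.key", "Kexample.com.+005+12345.private",
    "Kexample.com.+005+54321.key",
    "Kexample.com.+005+11111.KSK.key", "Kexample.com.+005+11111.KSK.private",
    "example.com.db", "example.com.db.jnl",
]

def check_key_names(filenames):
    """Return sorted lists (ok, unpaired, nonstandard): key base names with both
    files, base names missing one, and K*.key/K*.private files that do not match
    the default pattern (such as the renamed *.KSK.key files BIND will skip)."""
    exts_by_base = defaultdict(set)
    nonstandard = []
    for name in filenames:
        m = KEYFILE_RE.match(name)
        if m is None:
            if name.startswith("K") and name.endswith((".key", ".private")):
                nonstandard.append(name)
            continue  # zone files, journals etc. are not key files
        base = name[: -(len(m.group("ext")) + 1)]  # strip ".key"/".private"
        exts_by_base[base].add(m.group("ext"))
    both = {"key", "private"}
    ok = sorted(b for b, e in exts_by_base.items() if e == both)
    unpaired = sorted(b for b, e in exts_by_base.items() if e != both)
    return ok, unpaired, sorted(nonstandard)

if __name__ == "__main__":
    files = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    ok, unpaired, nonstandard = check_key_names(files)
    for label, names in (("ok", ok), ("unpaired", unpaired), ("nonstandard", nonstandard)):
        print(f"{label}: {', '.join(names) or '-'}")
    sys.exit(1 if unpaired or nonstandard else 0)
```

Run it with the key-directory path as its only argument; without an argument it checks the constructed sample listing.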