DNSSEC signatures
Matthew Seaman
matthew at FreeBSD.org
Thu Apr 11 16:30:39 UTC 2019
On 11/04/2019 16:57, James B. Byrne via freebsd-questions wrote:
> There are no other problems with these zones, yet. Does anyone know
> what steps that I have not taken that are required to get automatic
> inline zone resigning to work?
You don't show which of your keys are ZSKs and which are KSKs -- the
Zone Signing Keys are the ones that Bind will do all the automatic
maintenance for, as those generally get rotated on a monthly basis and
are used to sign the individual DNS RRs, which probably change at an
even faster rate.
Key Signing Keys need manual update, since that is typically an annual
task that involves having your zone registrar update the DS records for
your domain synchronously with your performing a KSK rollover.
If your KSK is out-of-date then you'll need to generate a new one and
get it registered upstream ASAP, as the rest of the world (or at least
the bits of it that pay attention to DNSSEC) will not be able to see
your zone at all.
Use dnsviz.net for debugging: it's invaluable when working on setting
this up, and you should get in the habit of checking there at regular
intervals to be sure there aren't any problems.
I can heartily recommend Michael Lucas' "DNSSEC Mastery" as a slim
volume that will explain what you need to do and why. See:
https://mwl.io/nonfiction/networking#dnssec
Cheers,
Matthew
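The reply above hinges on telling the KSKs apart from the ZSKs in the key directory and on the DS record that the registrar must publish for the KSK. The following is an added example, not code from the mail or from BIND (BIND ships dnssec-dsfromkey for the real job); it parses constructed sample K<zone>.+<alg>+<tag>.key files whose public-key material is a four-byte placeholder rather than a real RSA key, classifies each key from the DNSKEY flags field (256 = zone key, 257 = zone key with the SEP bit that dnssec-keygen -f KSK sets), computes the RFC 4034 key tag, and derives the DS RDATA (SHA-256 over the canonical owner name plus the DNSKEY RDATA) for the KSK only. The file names and zone name are assumptions.

```python
import base64
import hashlib
import struct

# Constructed sample key files in BIND's K<zone>.+<alg>+<tag>.key format.
# The public-key material is a tiny placeholder (four bytes), not a real
# algorithm 8 (RSA/SHA-256) key; only the record structure matters here.
SAMPLE_KEY_FILES = {
    "Kexample.com.+008+02063.key": (
        "; This is a key-signing key, keyid 2063, for example.com.\n"
        "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==\n"
    ),
    "Kexample.com.+008+04118.key": (
        "; This is a zone-signing key, keyid 4118, for example.com.\n"
        "example.com. 3600 IN DNSKEY 256 3 8 BQYHCA==\n"
    ),
}

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lower-case,
    length-prefixed labels, terminated by the empty root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(text):
    """Return the first DNSKEY RR found in a key file as a dict, or None.
    Skips ';' comment lines; tolerates a missing TTL or class."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(";") or "DNSKEY" not in tokens:
            continue
        i = tokens.index("DNSKEY")
        flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        pubkey = base64.b64decode("".join(tokens[i + 4:]))
        return {"owner": tokens[0], "flags": flags, "protocol": proto,
                "algorithm": alg, "pubkey": pubkey}
    return None


def dnskey_rdata(key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA, carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags):
    """0x100 is the Zone Key flag; 0x001 is the Secure Entry Point flag
    that marks a KSK (flags 257). A ZSK has the zone bit only (flags 256)."""
    if not flags & 0x100:
        return "not a zone key"
    return "KSK" if flags & 0x1 else "ZSK"


def ds_record(key, digest_type=2):
    """DS RDATA per RFC 4034 s5.1.4: digest(owner wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(key)
    digest = DIGESTS[digest_type](name_to_wire(key["owner"]) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (key["owner"], key_tag(rdata),
                                     key["algorithm"], digest_type, digest)


def inventory(key_files):
    """Classify every key file; one record per key, DS filled in for KSKs only."""
    report = []
    for filename, text in key_files.items():
        key = parse_dnskey(text)
        if key is None:
            continue
        role = key_role(key["flags"])
        report.append({"file": filename, "role": role,
                       "tag": key_tag(dnskey_rdata(key)),
                       "ds": ds_record(key) if role == "KSK" else None})
    return report


if __name__ == "__main__":
    for entry in inventory(SAMPLE_KEY_FILES):
        print(entry["file"], entry["role"], "tag", entry["tag"])
        if entry["ds"]:
            print("  DS to register upstream:", entry["ds"])
```

The two checks worth keeping from this are the role test on the flags field (a key with flags 256 will never be what the registrar's DS points at, however long it has been signing) and the fact that the DS is bound to the lower-cased owner name as well as the key, so a DS computed against a differently-spelled apex still matches. On a live system, point the inventory at the directory named by BIND's key-directory option instead of the constructed dict.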