On 2/12/19 11:49 PM, Paul R. Ganci wrote:
> Okay so I misunderstood the message I was getting when I checked my
> DNSSEC setup via http://dnsviz.net/. What you are telling me is that
> all I had to do was re-sign the zone files but that it was not
> necessary to generate new keys. This point is definitely one that I
> missed.
>
> I too run my own authoritative nameservers. I was following the
> Digital Ocean procedure to set up DNSSEC:
Key rotation and signature rotation are separate concerns. Most users
should be able to significantly simplify signature rotation using bind's
built-in signing management, rather than using dnssec-signzone. You can
define your zone like so:
    zone "example.net" IN {
        type master;
        file "dynamic/db.example.net";
        update-policy local;
        key-directory "keys/example.net";
        inline-signing yes;
        auto-dnssec maintain;
    };
...and then either replicate your zone to a public-facing host, or
export and manually copy the zone (maybe "dig @localhost example.net -t
axfr"?)
Manual signing is probably only useful if you want your DNSSEC key files
kept on a system that isn't connected to a network, for security
reasons, and you have another process for publishing the signed zone files.
(Newer bind releases have a python tool to manage key rotation. I use
this one: https://bitbucket.org/gordonmessmer/update-dns-keys/)
> So doesn't ldns-signzone create the same kind of digest that requires
> it be uploaded to the registrar?
Yes, I think so. If I understand you properly.
> So maybe I asked the wrong question. Is there a way to re-sign the
> zone files without having to recreate the information found in that
> dsset-domain.tld. file and uploading it to the registrar?
If you mean the DS records, those should be stable as long as you have
the same KSK, so there's nothing *new* to upload when your zones are
re-signed.
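To make the point about DS stability concrete, here is an added example (not from this thread or from BIND) that computes a DS record from a DNSKEY the way dnssec-dsfromkey does, following RFC 4034. The digest covers only the owner name and the DNSKEY RDATA, never the RRSIGs, so re-signing leaves the DS unchanged while replacing the KSK produces a new one. The DNSKEY lines are constructed samples, not real zone keys.

```python
import base64
import hashlib
import struct

# Constructed sample, not a real zone key: flags 257 marks a KSK (SEP bit set).
SAMPLE_KSK = "example.net. IN DNSKEY 257 3 13 AQIDBA=="


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase) wire format, RFC 4034 section 6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(line: str):
    """Split a presentation-format DNSKEY RR into (owner, flags, protocol, algorithm, key bytes)."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, protocol, algorithm, key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(dnskey_line: str, digest_type: int = 2) -> str:
    """Build the DS RR for a DNSKEY (digest type 2 = SHA-256, 1 = SHA-1).

    Input is only the owner name and DNSKEY RDATA; RRSIGs are not involved,
    so re-signing the zone with the same KSK yields the same DS.
    """
    owner, flags, protocol, algorithm, key = parse_dnskey(dnskey_line)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    hasher = hashlib.sha1 if digest_type == 1 else hashlib.sha256
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    print(ds_record(SAMPLE_KSK))
```

Comparing the output against the DS your registrar currently publishes (dig DS example.net) is a quick check that a re-sign did not silently change anything that needs uploading.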
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos