Setup a DNSSEC with my own public and private key

Manuel Gil Perez manuel at dif.um.es
Fri Jun 25 17:43:31 UTC 2004


Hi Jim and thanks for your answer.

Of course, dnssec-keygen works fine.

I am the UMU-PKIv6 administrator (http://pki.umu.euro6ix.org) and I would
like to use it to enroll my DNS server. Currently, the PKI publishes certificates
and CRLs in a DNS (BIND 9.2.1) through the TSIG mechanism but I would like
to update to BIND 9.3.0 for using SIG(0), it is most sure. For this, I would
like to set up the DNS with my own keys.

Thanks.

----- Original Message ----- 
Sent: Friday, June 25, 2004 7:19 PM
Subject: Re: Setup a DNSSEC with my own public and private key


> >>>>> "Manuel" == Manuel Gil Perez <manuel at dif.um.es> writes:
>
>     Manuel> Hi all.  The dnssec-keygen tool permits to generate a
>     Manuel> public and private key but I would like to create them
>     Manuel> manually.
>
> Why? The tool is much better at doing this -- and getting it right! --
> than any manual process could hope to be. Few humans are good at
> base-64 encoding or exponentiation of 1024-bit integers.
>
>     Manuel> How can I configure a DNSSEC with my own keys??
>
> Just use dnssec-keygen to generate them. Any other approach is doomed
> to failure or exceptional amounts of pain. Or both. :-) The naming
> convention and contents of the key files generated by BIND9's DNSSEC
> tools are important. This is so the signing tools and the name server
> know which files to use when they are signing data or generating DS
> records. You really don't want to get in the middle of this complexity.
>
> Some cans of worms are best left unopened. This is one of them.
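
The naming convention the quoted reply refers to, shown as an added example that is not part of the original thread and not BIND's own code: it checks that a key file name of the form `K<owner>+<algorithm>+<key tag>` agrees with the KEY/DNSKEY record inside it, computing the key tag as in RFC 4034 Appendix B. The function names and the sample record are constructed for illustration.

```python
import base64
import re
import struct

# BIND key file name: K<owner>+<3-digit algorithm>+<5-digit key tag>.key|.private
KEYFILE_RE = re.compile(r"^K(.+)\+(\d{3})\+(\d{5})\.(?:key|private)$")

def parse_keyfile_name(filename):
    """Return (owner, algorithm, key_tag) encoded in a BIND key file name."""
    m = KEYFILE_RE.match(filename)
    if not m:
        raise ValueError("not a BIND key file name: %r" % filename)
    return m.group(1).lower(), int(m.group(2)), int(m.group(3))

def parse_key_record(line):
    """Parse '<owner> [ttl] [IN] KEY|DNSKEY <flags> <proto> <alg> <base64>'."""
    fields = line.split(";")[0].split()
    types = [i for i, f in enumerate(fields) if i and f.upper() in ("KEY", "DNSKEY")]
    if not types or len(fields) < types[0] + 5:
        raise ValueError("no KEY/DNSKEY record found")
    i = types[0]
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    return fields[0].lower(), flags, proto, alg, base64.b64decode("".join(fields[i + 4:]))

def key_tag(flags, proto, alg, pubkey):
    """Key tag over the record RDATA, per RFC 4034 Appendix B."""
    if alg == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def check_keyfile(filename, record_line):
    """Return a list of mismatches between a key file's name and its record."""
    f_owner, f_alg, f_tag = parse_keyfile_name(filename)
    owner, flags, proto, alg, pubkey = parse_key_record(record_line)
    problems = []
    if owner != f_owner:
        problems.append("owner: file %s, record %s" % (f_owner, owner))
    if alg != f_alg:
        problems.append("algorithm: file %d, record %d" % (f_alg, alg))
    elif key_tag(flags, proto, alg, pubkey) != f_tag:
        problems.append("key tag: file %d, computed %d"
                        % (f_tag, key_tag(flags, proto, alg, pubkey)))
    return problems

# Constructed sample: the 4-byte "key" AQIDBA== is a placeholder, not a real RSA key.
SAMPLE_RECORD = "example.com. IN KEY 256 3 5 AQIDBA=="
if __name__ == "__main__":
    print(check_keyfile("Kexample.com.+005+02059.key", SAMPLE_RECORD))
    print(check_keyfile("Kexample.com.+005+12345.key", SAMPLE_RECORD))
```

A file whose name does not match the tag derived from its contents is one the signing tools will not pair with the record, which is the failure a hand-built key file most easily runs into.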



