Setup a DNSSEC with my own public and private key

Edward Lewis edlewis at arin.net
Fri Jun 25 18:27:24 UTC 2004


If you do want to go it alone, look at these docs for starters:

http://www.ietf.org/rfc/rfc2536.txt for an example of the DSA spec.

RFC 2535 describes more, but it is outmoded, being replaced by these soon:
http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-intro-10.txt
http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-records-08.txt
http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-protocol-06.txt

There's more work to do than what's there though.  You'd then have to
figure out how to integrate with BIND's tools.  Those documents are
written for DNS, not (just) the BIND implementation.

At 18:19 +0100 6/25/04, Jim Reid wrote:
>>>>>>  "Manuel" == Manuel Gil Perez <manuel at dif.um.es> writes:
>
>     Manuel> Hi all.  The dnssec-keygen tool permits to generate a
>     Manuel> public and private key but I would like to create them
>     Manuel> manually.
>
>Why? The tool is much better at doing this -- and getting it right! --
>than any manual process could hope to be. Few humans are good at
>base-64 encoding or exponentiation of 1024-bit integers.
>
>     Manuel> How can I configure a DNSSEC with my own keys??
>
>Just use dnssec-keygen to generate them. Any other approach is doomed
>to failure or exceptional amounts of pain. Or both. :-) The naming
>convention and contents of the key files generated by BIND9's DNSSEC
>tools are important. This is so the signing tools and the name server
>know which files to use when they are signing data or generating DS
>records. You really don't want to get in the middle of this complexity.
>
>Some cans of worms are best left unopened. This is one of them.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                            +1-703-227-9854
ARIN Research Engineer

"I can't go to Miami.  I'm expecting calls from telemarketers." -
Grandpa Simpson.
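As an added illustration of the "complexity" Jim refers to (this is not code from the thread or from BIND itself): the key tag and DS digest that tie a DNSKEY to its key file and its DS record, computed per RFC 4034 from a constructed sample DNSKEY whose public-key field is a made-up short blob, not a real key. The K<owner>+<alg>+<tag> file-name convention is stated here as an assumption about BIND's tools, not something the thread spells out.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY in zone-file format. The public-key field is a
# deliberately short made-up blob (not a real RSA key) so the key tag can be
# checked by hand; flags 257 marks it as a KSK, algorithm 8 is RSA/SHA-256.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AwEAAQ=="

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA (RFC 4034 s.2.1): flags, protocol, alg, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete
    RSA/MD5). This is the number in BIND's key file names and in DS records."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    owner, _ttl, _cls, rtype, flags, proto, alg, *b64 = line.split()
    if rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    return owner, int(flags), int(proto), int(alg), base64.b64decode("".join(b64))

def key_file_basename(line):
    """BIND's naming convention (an assumption about the tool, not from the
    thread): K<owner>+<alg, 3 digits>+<key tag, 5 digits>, plus .key/.private."""
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    tag = key_tag(dnskey_rdata(flags, proto, alg, pubkey))
    return f"K{owner}+{alg:03d}+{tag:05d}"

def ds_record(line):
    """DS RDATA (RFC 4034 s.5.1.4) with digest type 2, SHA-256 (RFC 4509):
    digest = SHA-256(canonical owner name || DNSKEY RDATA)."""
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"
```

A hand-rolled key that gets any of these bytes wrong yields a different tag, so the signer and the parent's DS record would no longer agree on which key is meant.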
