dnssec questions
CT
groups at obsd.us
Fri Aug 27 15:42:44 UTC 2010
I just migrated my DNS server to BIND 9.7.1-P2.
KSK
dnssec-keygen -r /dev/urandom -a RSASHA256 -b 2048 -f KSK $zone
ZSK
dnssec-keygen -r /dev/urandom -a RSASHA256 -b 1024 $zone
SIGN
dnssec-signzone -S -C -g -a -H 10 -3 <salt> -K <dir> $zone
Per my ISC class and the book I received by Jeremy C. Reed,
you still need to "include" your keys in the zone file, either
via
$include <dir>/KSK
$include <dir>/ZSK1
$include <dir>/ZSK2
or
(cat *.key > allkeys), which is what I have done:
$include <dir>/allkeys
I thought that with the use of -S (smart signing) this was no longer
necessary?
Thx
Charles