DNSSEC: Configuring auto-signed dynamic zone

Eugene Crosser crosser at average.org
Mon Feb 15 18:08:56 UTC 2010


Hello everyone, I am new here.

I have been running a manually signed zone (average.org) for my domain for some
time now. I also have a separate subdomain zone (dyn.average.org) that
allows dynamic updates, and that is currently not signed. The BIND version
is 9.5.1 (Debian stable).

I would like to make the dynamic zone automatically signed.
I did not find any documentation about how to do that, but from reading
the manuals and other people's notes on this mailing list, I figured that I
probably need to put both private and public keys for the zone in a
directory configured as "key-directory" and make them readable to
BIND's userid. But what else?
 - do I need to sign the zone initially by hand?
 - do I need to insert the DNSKEY public key record into the zone?
 - or should I include it into the "upper" zone?

I don't want to make the private KSK readable by BIND, only the ZSK for this one
zone. So, apparently I need to arrange things in such a way that the DNSKEY
for dyn.average.org is signed manually. Will it suffice to put it into
the average.org zone and re-sign it manually?

What else do I need to take care of?

Thanks in advance!

Eugene
