Automated DNSSEC (command line)

Casey Deccio casey at
Fri May 28 21:43:54 UTC 2010

On Fri, May 28, 2010 at 2:18 PM, Michelle Konzack <linux4michelle at> wrote:

> Hello DNSSEC Experts,
> I am ongoing to install 4 new Name Servers and increase my registrar and
> hosting service...
> OK, I have tried to make my own 4 domains with 16 zones signed and it
> took me one hour of my life!
> Since I have to re-sign the zones if something change it will give me
> headaches up to the end of my life, so my question is:
>    Is there a command line tool (or a daemon) which
>    check for changes and re-sign the zone automated?
Yes, and you really should use one.  The two most important things with
signed zones are that your signatures don't expire, and that the right
DNSSEC RRs are included in the zone.  So not only does it need to be
resigned after changes (to include the proper DNSSEC RRs), but also
periodically make sure signatures don't expire.  Here are a few of the tools
written for that purpose:

> I can not believe, that you are signing each zone by hand!  :-D
> Can an expert please check  'dig ANY'  whether  this  is
> right?
Looks okay to me.  Here's what your signed zone looks like visually:

Although, it looks like you perhaps didn't increment the zone serial, as
only one of your authoritative servers is running a signed version of the

> Also I am not really sure whether I need "dnssec-validation yes" in my
> "options".
No, this is only for resolvers that are validating answers, not
authoritative servers that are serving signed zones.

Of course, if you're using the server for both and you would like to enable
validation (i.e., of other signed zones), then you'll need to enable
validation and establish some trusted keys as anchors.
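The two checks named above (signatures that are about to expire, and RRsets that have no covering RRSIG) as a small monitor script. This is an added example, not code from the original post or from any of the tools it refers to; the record text is a constructed sample in the shape of `dig +noall +answer` output, with placeholder signature data.

```python
"""Warn about expiring RRSIGs and unsigned RRsets in presentation-format records."""
from datetime import datetime, timedelta, timezone

# Constructed sample resembling `dig +noall +answer` output for a signed zone
# (signature data abbreviated; example.net and key tag 12345 are placeholders).
SAMPLE = """\
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2010052801 7200 3600 1209600 3600
example.net. 3600 IN RRSIG SOA 8 2 3600 20100627214354 20100528214354 12345 example.net. AbCd==
example.net. 3600 IN NS ns1.example.net.
example.net. 3600 IN RRSIG NS 8 2 3600 20100601000000 20100502000000 12345 example.net. EfGh==
example.net. 3600 IN MX 10 mail.example.net.
"""

def parse_records(text):
    """Yield (owner, rtype, rdata_fields) for each record line; skip blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, *fields = line.split()
        yield owner, rtype, fields

def rrsig_expirations(text):
    """Map (owner, covered type) -> signature expiration as an aware UTC datetime."""
    out = {}
    for owner, rtype, fields in parse_records(text):
        if rtype != "RRSIG":
            continue
        # RFC 4034 RRSIG rdata order: type covered, alg, labels, orig TTL, expiration, ...
        covered, expire = fields[0], fields[4]
        out[(owner, covered)] = datetime.strptime(expire, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return out

def expiring_soon(text, now, warn_days=7):
    """RRSIGs already expired or expiring within warn_days of `now`, sorted."""
    limit = now + timedelta(days=warn_days)
    return sorted(k for k, exp in rrsig_expirations(text).items() if exp <= limit)

def unsigned_rrsets(text):
    """RRsets that appear in the data but have no RRSIG covering them."""
    signed = set(rrsig_expirations(text))
    rrsets = {(o, t) for o, t, _ in parse_records(text) if t != "RRSIG"}
    return sorted(rrsets - signed)

if __name__ == "__main__":
    now = datetime(2010, 5, 28, 21, 43, 54, tzinfo=timezone.utc)
    print("expiring within 7 days:", expiring_soon(SAMPLE, now))
    print("RRsets without RRSIG:", unsigned_rrsets(SAMPLE))
```

In practice you would feed it the output of `dig` against each authoritative server, which also surfaces the case described above where one server still serves an older, unsigned copy of the zone.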


More information about the bind-users mailing list