DNSSEC - many doubts

Tony Finch dot at dotat.at
Thu Apr 2 16:23:45 UTC 2020


David Alexandre M. de Carvalho <david at di.ubi.pt> wrote:
>

A few hints and tips...

> my named.conf already has the following:
>
>         dnssec-enable yes;

You don't need this because it's on by default :-)

>         dnssec-lookaside auto;

You want to remove this because the DNSSEC lookaside validation service
has been decommissioned.

>         bindkeys-file "/etc/named.iscdlv.key";

I prefer not to configure this or install the file, instead relying on
BIND's compiled-in copy because that means one less thing to maintain.

> 2) I have one global "hosts" file and 3 reverse zone files, each for the
> respective IP network. Can I use the same Keypair in all of them?

Each zone should have its own zsk and ksk (two K*.key and K*.private files
for each zone).

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Mull of Galloway to Mull of Kintyre including the Firth of Clyde and North
Channel: Northwesterly 4 to 6 backing westerly 3 to 5, then southwesterly 2 to
4 later. Smooth or slight in far north, but elsewhere slight or moderate.
Showers, wintry at first. Good, occasionally moderate.


More information about the bind-users mailing list