Update DNSSEC Zone
ca at nodns4.us
Sun May 16 21:05:55 UTC 2021
On 2021-05-13 09:41, Software Info wrote:
> Wow. Thanks so much for all the responses. Really appreciate it. They
> made me truly realize that a lot of the info on the net may be either
> incomplete or just old. I understand a bit better now.
> I added the line inline-signing yes;
inline-signing is not required; you already had "update-policy local;"
which gives you a key to use with nsupdate(8)'s -l option. This is
a perfectly valid way to maintain zone data, and in my opinion much
better than editing zone files and inline-signing. You have taken a
This has the overview of both DNSSEC and dynamic zones:
See section "5.2. Dynamic Update". Also see the "auto-dnssec
maintain;" option described there. With a dynamic zone and
nsupdate, inline-signing is completely unnecessary.
For those who insist on editing zone files rather than learning how
to use nsupdate, I still recommend "update-policy local;" see Tony
Finch's post where he mentions his nsdiff tool.
> as was suggested and reloaded
> bind. I am now seeing the .signed, .jbk and .jnl files. The zone also
> replicates to the slaves and I am seeing the NSEC, RRSIG and DNSKEY
> entries in the zone files on the slaves. I also checked with the
> yogaDNS client and it had no problems identifying the DNSSEC server.
> So I would imagine at this point it is working. I believe as was said
> too I need now to register the DS with the registrar? Hopefully that
> should be it if I am not missing anything?
Yes, submitting the DS to the registrar is always the last step to
take in signing. It's best to be sure the signing is being done
before you tell the world to accept only signed data from your zone.
We see that a lot, BTW. :)
> Thanks so much again for the very informative replies.
And a highly opinionated one? :)
I'd also recommend the DNSSEC guide,
This is all on one page; or, the same document broken down in
sections can be seen here:
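Added example (mine, not from this thread and not ISC's documentation) of the setup the reply describes: a dynamic zone that named signs itself with "update-policy local; auto-dnssec maintain;", a change made with nsupdate -l, and a check that RRSIGs are actually present before the DS is handed to the registrar. Assumed, since the thread does not say: zone example.com, a BIND 9.16-style named whose working directory holds a "keys" subdirectory, ECDSAP256SHA256 keys, and that the script runs on the server as the user named runs as. The live steps sit in publish_zone() and are not executed below; the stanza writer and the RRSIG check run offline on constructed input.

```shell
#!/bin/sh
# Added example, not code from the original post or from ISC.
# Assumptions: zone example.com, BIND 9.16-style named, keys in "keys"
# under named's working directory, script run on the BIND host itself.

ZONE=${ZONE:-example.com}

# named.conf stanza for a dynamic, self-signing zone. No inline-signing and
# no hand-edited zone file: nsupdate changes it, named signs it.
write_zone_stanza() {                      # $1 zone name
  cat <<EOF
zone "$1" {
    type master;
    file "$1.db";
    update-policy local;    # named creates session.key; nsupdate -l uses it
    auto-dnssec maintain;   # named signs and re-signs from keys in key-directory
    key-directory "keys";
};
EOF
}

# nsupdate batch for one change; named adds the RRSIG itself.
write_nsupdate_batch() {                   # $1 zone, $2 new A record for www
  cat <<EOF
zone $1
update delete www.$1 A
update add www.$1 3600 A $2
send
EOF
}

# Reads "dig +dnssec +noall +answer @127.0.0.1 ZONE DNSKEY" output on stdin
# and succeeds only if the DNSKEY RRset is there and carries an RRSIG.
looks_signed() {
  awk '/[[:space:]]IN[[:space:]]+DNSKEY[[:space:]]/              { k = 1 }
       /[[:space:]]IN[[:space:]]+RRSIG[[:space:]]+DNSKEY[[:space:]]/ { s = 1 }
       END { exit !(k && s) }'
}

# Live procedure for the BIND host. Not called here: it needs a running named.
publish_zone() {
  dnssec-keygen -K keys -a ECDSAP256SHA256 -f KSK "$ZONE"   # KSK
  dnssec-keygen -K keys -a ECDSAP256SHA256 "$ZONE"          # ZSK
  rndc loadkeys "$ZONE"                       # auto-dnssec maintain picks them up
  write_nsupdate_batch "$ZONE" 192.0.2.10 | nsupdate -l     # change via session key
  dig +dnssec +noall +answer @127.0.0.1 "$ZONE" DNSKEY | looks_signed || {
    echo "$ZONE is not signed yet; do not submit the DS" >&2
    return 1
  }
  # DS for the KSK only (dnssec-dsfromkey -f skips ZSKs); this goes to the registrar.
  dig +noall +answer @127.0.0.1 "$ZONE" DNSKEY > "$ZONE.dnskey"
  dnssec-dsfromkey -2 -f "$ZONE.dnskey" "$ZONE"
}

# Offline demonstration. The dig output below is constructed, not captured.
write_zone_stanza "$ZONE"
SAMPLE='example.com. 3600 IN DNSKEY 257 3 13 <base64 public key>
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20210616000000 20210516000000 12345 example.com. <base64 signature>'
printf '%s\n' "$SAMPLE" | looks_signed && echo "sample DNSKEY RRset is signed"
```

Order matters: keys, loadkeys, a signed nsupdate change, the RRSIG check, and only then the DS. If the check fails, fix signing first; publishing a DS for a zone that is not yet signed is exactly the "we see that a lot" failure.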