On 05/28/10 14:18, Michelle Konzack wrote:
> Hello DNSSEC Experts,
> I am going to install 4 new Name Servers and increase my registrar and
> hosting service...
> OK, I have tried to make my own 4 domains with 16 zones signed and it
> took me one hour of my life!
> Since I have to re-sign the zones if something changes, it will give me
> headaches up to the end of my life, so my question is:
> Is there a command line tool (or a daemon) which
> checks for changes and re-signs the zone automatically?
Check out zkt (http://www.hznet.de/dns/zkt/).
There are a few more involved tools out there, but zkt sounds like what
you want.
> I cannot believe that you are signing each zone by hand! :-D
*I'm* not. :) (I use a combination of zkt and the BIND tools in an
automated script.)
> Can an expert please check 'dig ANY tamay-dogan.net' whether this is
> right?
Looks good to me. The sigs seem to be within their validity interval,
but there doesn't appear to be a DLV record in dlv.isc.org, so I can't
validate. (Actually, I *could* snarf the KSK from the ANY query and
manually configure it as a trust anchor, but I am lazy. Moreover, that
won't tell us if something goes wrong if/when you publish a trust-anchor
DLV record or DS record, when NET becomes signed.)
> Also I am not really sure whether I need "dnssec-validation yes" in my
> "options".
For authoritative service, you don't need it. Only if you're running a
validating nameserver do you need it, and it's 'yes' by default in
recent versions of BIND. You still need to configure a trust anchor (or
anchors) if you want to do validation.
michael
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
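Added example (not code from the thread, from zkt, or from BIND): a small script that does the two things discussed above in one place. It parses the RRSIG records out of `dig ANY` output and reports which signatures are expired, about to expire, or not yet valid (the "within their validity interval" check), and it decides whether a zone needs re-signing because the zone file changed since the last run or because signatures are near expiry, calling BIND's `dnssec-signzone` only when that is the case. The dig output, key tags, dates and signature data are constructed; the zone file, state file and key file names are placeholders passed on the command line, and the `dnssec-signzone -o ZONE -k KSK ZONEFILE ZSK` argument order is the one documented for BIND 9.

```python
"""Decide whether a DNSSEC-signed zone needs re-signing and, if so, run
dnssec-signzone. Added example; not the thread's or zkt's code."""
import hashlib
import re
import shutil
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed sample of `dig ANY tamay-dogan.net` output, trimmed to what the
# check needs. Key tags, timestamps and signature data are made up.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
tamay-dogan.net.\t3600\tIN\tA\t192.0.2.10
tamay-dogan.net.\t3600\tIN\tRRSIG\tA 7 2 3600 20100627120000 20100528120000 12345 tamay-dogan.net. c2lnMQ==
tamay-dogan.net.\t3600\tIN\tRRSIG\tSOA 7 2 3600 20100601120000 20100502120000 12345 tamay-dogan.net. c2lnMg==
tamay-dogan.net.\t3600\tIN\tRRSIG\tDNSKEY 7 2 3600 20100527120000 20100427120000 54321 tamay-dogan.net. c2lnMw==
"""

# RRSIG presentation format (RFC 4034, section 3.2): owner TTL IN RRSIG
# type-covered algorithm labels original-ttl expiration inception key-tag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)


def rrsig_time(stamp):
    """RRSIG timestamps are YYYYMMDDHHMMSS and always UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(dig_output):
    """Return one dict per RRSIG line found in dig output; other lines are ignored."""
    sigs = []
    for line in dig_output.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            d = m.groupdict()
            d["expiration"] = rrsig_time(d["expiration"])
            d["inception"] = rrsig_time(d["inception"])
            d["keytag"] = int(d["keytag"])
            sigs.append(d)
    return sigs


def classify_rrsigs(sigs, now, refresh=timedelta(days=7)):
    """Bucket covered types by where `now` falls relative to each signature's
    inception/expiration. 'expiring' means inside the refresh window, i.e.
    still valid but due for re-signing before it lapses."""
    buckets = {"valid": [], "expiring": [], "expired": [], "not_yet_valid": []}
    for s in sigs:
        if now < s["inception"]:
            state = "not_yet_valid"   # usually clock skew, not a stale signature
        elif now >= s["expiration"]:
            state = "expired"
        elif s["expiration"] - now <= refresh:
            state = "expiring"
        else:
            state = "valid"
        buckets[state].append(s["covered"])
    return buckets


def zone_digest(zone_path):
    """SHA-256 of the unsigned zone file, used to detect edits between runs."""
    return hashlib.sha256(Path(zone_path).read_bytes()).hexdigest()


def needs_resign(current_digest, last_digest, sigs, now, refresh=timedelta(days=7)):
    """Return (decision, reasons): re-sign if the zone file changed since the
    digest recorded at the last signing, or if any signature is expired,
    inside the refresh window, or not yet valid."""
    reasons = []
    if current_digest != last_digest:
        reasons.append("zone file changed since last signing")
    buckets = classify_rrsigs(sigs, now, refresh)
    for key in ("expired", "expiring", "not_yet_valid"):
        if buckets[key]:
            reasons.append(f"{key}: {', '.join(buckets[key])}")
    return bool(reasons), reasons


def signzone_command(zone, zone_path, ksk, zsk):
    """BIND 9 dnssec-signzone invocation; -N increment bumps the SOA serial in
    the .signed output so secondaries pick up a re-sign with no zone edits."""
    return ["dnssec-signzone", "-o", zone, "-k", ksk, "-N", "increment", str(zone_path), zsk]


if __name__ == "__main__":
    # usage: resign_check.py ZONE ZONEFILE STATEFILE KSK ZSK < dig-any-output.txt
    # With no arguments it only classifies the constructed sample.
    now = datetime.now(timezone.utc)
    if len(sys.argv) != 6:
        print(classify_rrsigs(parse_rrsigs(SAMPLE_DIG_OUTPUT), now))
        sys.exit(0)
    zone, zone_path, state_path, ksk, zsk = sys.argv[1:]
    state = Path(state_path)
    last = state.read_text().strip() if state.exists() else None
    decision, reasons = needs_resign(zone_digest(zone_path), last, parse_rrsigs(sys.stdin.read()), now)
    for r in reasons:
        print("re-sign reason:", r)
    if decision:
        if shutil.which("dnssec-signzone") is None:
            sys.exit("dnssec-signzone not found on PATH")
        subprocess.run(signzone_command(zone, zone_path, ksk, zsk), check=True)
        state.write_text(zone_digest(zone_path))
```

Run it from cron with the live `dig ANY` output on stdin and the KSK/ZSK key file basenames generated by `dnssec-keygen`; the refresh window should be comfortably longer than the cron interval plus the zone's propagation time, otherwise a signature can lapse on secondaries before the re-signed zone reaches them.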