So, recently I had to update some stuff in my zone and I kept wondering why they weren’t picked up on the internet.
Then I remembered that I have DNSSEC enabled, so I need to do more than just change the .zone file: the signed zone has to be regenerated too.
The line needed to regenerate the .signed zone based on my clear text zone is:
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o asandu.eu -t asandu.eu.zone
I should probably get the time to make a post on how to actually generate the signing keys and stuff.
Basically, I keep the KSK (key signing key) and ZSK (zone signing key) public and private key files in the zone directory with the right permissions. The command above overwrites the old signed zone.
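Wrapped into a small script, as an added example that is not from the original post: it re-signs the zone with the same flags as the one-liner above, but first syntax-checks the edited zone, then verifies the signed result and refuses to finish if the SOA serial did not actually go up (with -N INCREMENT the serial only moves if you bump it in the clear-text file, which is exactly how a change can silently never reach the internet). It assumes BIND's named-checkzone, dnssec-signzone, dnssec-verify and rndc are installed, the key files sit beside the zone, and each file writes its SOA record on one line as "... IN SOA ..."; the function names and the RESIGN variable are mine.

```shell
#!/bin/sh
# Added example (not the post's own script): re-sign a DNSSEC zone after
# editing the clear-text zone, with checks the one-liner skips.
# Assumes: BIND tools on PATH, KSK/ZSK key files next to the zone, and a
# single-line "IN SOA" record in each zone file.
set -eu

ZONE=${ZONE:-asandu.eu}                # origin, as in the post
ZONEFILE=${ZONEFILE:-asandu.eu.zone}   # clear-text zone, as in the post

# Fresh NSEC3 salt: 8 random bytes as 16 hex chars (the post's recipe).
gen_nsec3_salt() {
    head -c 1000 /dev/urandom | sha1sum | cut -b 1-16
}

# Print the SOA serial of a zone file. Requiring "IN SOA" (not just "SOA")
# skips the "RRSIG SOA" lines that a signed zone contains.
soa_serial() {
    awk '/[[:space:]]IN[[:space:]]+SOA[[:space:]]/ { gsub(/[()]/, ""); print $(NF-4); exit }' "$1"
}

# Succeed only if the new serial is strictly greater than the old one.
check_serial_bumped() {
    [ "$2" -gt "$1" ]
}

resign_zone() {
    old=$(soa_serial "$ZONEFILE.signed" 2>/dev/null || true); old=${old:-0}
    named-checkzone -q "$ZONE" "$ZONEFILE"        # syntax-check the edit first
    # -A NSEC3 opt-out, -3 fresh salt, -N INCREMENT adds one to the INPUT
    # file's serial, -o origin, -t statistics: the post's flags unchanged.
    dnssec-signzone -A -3 "$(gen_nsec3_salt)" -N INCREMENT -o "$ZONE" -t "$ZONEFILE"
    dnssec-verify -o "$ZONE" "$ZONEFILE.signed"   # signatures and NSEC3 chain
    new=$(soa_serial "$ZONEFILE.signed")
    # If the clear-text serial was not bumped, INCREMENT yields the same
    # serial as last time and resolvers/secondaries keep the old data.
    check_serial_bumped "$old" "$new" || {
        echo "serial $old -> $new did not increase; bump the SOA serial in $ZONEFILE" >&2
        return 1
    }
    echo "re-signed $ZONE: serial $old -> $new; now run: rndc reload $ZONE"
}

# Only act when explicitly asked: RESIGN=1 sh resign.sh
if [ "${RESIGN:-0}" = 1 ]; then resign_zone; fi
```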
A nice tutorial I’ve used is How To Setup DNSSEC on an Authoritative BIND DNS Server.