Signing a DNS ISC bind / named zone for DNSSEC

So, recently I had to update some stuff in my zone and I kept wondering why they weren’t picked up on the internet.
I just remembered that I have DNSSEC enabled. So I need to do something .. not just change the .zone file.

The line needed to regenerate the .signed zone based on my clear text zone is:

dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o -t

I should probably get the time to make a post on how to actually generate the signing keys and stuff.
Basically, I have my KSK ( Key signing key ) and ZSK ( Zone signing key ) public and private key in the zone dir with the right permissions. The above overwrites the old signed zone.

A nice tutorial I’ve used is How To Setup DNSSEC on an Authoritative BIND DNS Server

Leave a Reply

Your email address will not be published. Required fields are marked *