On Fri, May 28, 2010 at 2:18 PM, Michelle Konzack < [email protected]> wrote:
> Hello DNSSEC Experts,
>
> I am going to install 4 new Name Servers and increase my registrar and
> hosting service...
>
> OK, I have tried to make my own 4 domains with 16 zones signed and it
> took me one hour of my life!
>
> Since I have to re-sign the zones if something changes it will give me
> headaches up to the end of my life, so my question is:
>
> Is there a command line tool (or a daemon) which
> checks for changes and re-signs the zone automatically?

Yes, and you really should use one. The two most important things with
signed zones are that your signatures don't expire, and that the right
DNSSEC RRs are included in the zone. So not only does it need to be
re-signed after changes (to include the proper DNSSEC RRs), but also
periodically to make sure signatures don't expire.

Here are a few of the tools written for that purpose:

http://dnssec-tools.org/
http://www.opendnssec.org/
http://www.hznet.de/dns/zkt/
http://zonetool.sourceforge.net/

> I can not believe, that you are signing each zone by hand! :-D
>
> Can an expert please check 'dig ANY tamay-dogan.net' whether this is
> right?

Looks okay to me. Here's what your signed zone looks like visually:

http://dnsviz.net/d/tamay-dogan.net/dnssec/

Although, it looks like you perhaps didn't increment the zone serial, as
only one of your authoritative servers is running a signed version of the
zone.

> Also I am not really sure whether I need "dnssec-validation yes" in my
> "options".

No, this is only for resolvers that are validating answers, not
authoritative servers that are serving signed zones. Of course, if you're
using the server for both and you would like to enable validation (i.e.,
of other signed zones), then you'll need to enable validation and
establish some trusted keys as anchors.

Regards,
Casey
_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
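The reply above names the two conditions that force a re-signing run: the zone data changed (so the DNSSEC RRs are stale) or an RRSIG is approaching its expiration. The script below is an added example, not code from this thread and not taken from dnssec-tools, OpenDNSSEC, ZKT or zonetool; it makes that decision for a zone file in the text layout dnssec-signzone writes. The zone name example.net., the key tag, the signatures and the 7-day refresh window are constructed assumptions.

```python
"""Decide whether a signed zone file needs to be re-signed.

Added example (not from the bind-users thread or any of the tools it links).
Two checks, matching the reply's two failure modes:
  1. the non-signature zone data changed since the last signing run, so the
     RRSIGs, NSECs and other DNSSEC RRs no longer match the data;
  2. the soonest RRSIG expiration falls inside the refresh window.
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034, section 3.2):
#   owner [ttl] [IN] RRSIG type-covered alg labels orig-ttl expiration inception keytag signer sig
# Timestamps are YYYYMMDDHHmmSS in UTC; only the fields up to the signer are needed here.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)
# Records that a signing run regenerates; they are excluded from the change fingerprint.
SIGNING_ARTIFACT_RE = re.compile(r"^\S+\s+(?:\d+\s+)?(?:IN\s+)?(?:RRSIG|NSEC|NSEC3)\s")


def logical_records(zone_text):
    """Join records split over lines with ( ), drop ';' comments, normalise whitespace.

    Good enough for dnssec-signzone output; it does not special-case ';' inside quoted TXT data.
    """
    records, buf, depth = [], [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        buf.append(" ".join(line.split()))
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            records.append(" ".join(buf))
            buf, depth = [], 0
    if buf:  # unterminated parenthesis at end of file: keep what we have
        records.append(" ".join(buf))
    return records


def parse_timestamp(ts):
    """Parse an RRSIG YYYYMMDDHHmmSS timestamp as a UTC datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_expirations(zone_text):
    """Return (owner, covered type, expiration datetime) for every RRSIG in the zone."""
    out = []
    for rec in logical_records(zone_text):
        m = RRSIG_RE.match(rec)
        if m:
            out.append((m["owner"], m["covered"], parse_timestamp(m["expiration"])))
    return out


def unsigned_fingerprint(zone_text):
    """SHA-256 over the zone with signing artifacts removed.

    Re-signing alone leaves this unchanged; editing any real record changes it, so storing
    it after each signing run gives a cheap 'did the data change' test.
    """
    data = "\n".join(r for r in logical_records(zone_text) if not SIGNING_ARTIFACT_RE.match(r))
    return hashlib.sha256(data.encode()).hexdigest()


def needs_resign(zone_text, last_signed_fingerprint, now, refresh=timedelta(days=7)):
    """Return (decision, reason). `refresh` (assumed 7 days) is how early to renew signatures."""
    if unsigned_fingerprint(zone_text) != last_signed_fingerprint:
        return True, "zone data changed since last signing"
    expirations = rrsig_expirations(zone_text)
    if not expirations:
        return True, "zone has no RRSIG records"
    owner, covered, soonest = min(expirations, key=lambda e: e[2])
    if soonest - now <= refresh:
        return True, f"RRSIG over {owner} {covered} expires {soonest:%Y-%m-%dT%H:%M:%SZ}"
    return False, "signatures valid beyond refresh window"


# Constructed sample in the layout dnssec-signzone writes; keys and signatures are fake.
SAMPLE_ZONE = """\
; constructed sample zone, signatures are placeholders
$ORIGIN example.net.
$TTL 3600
@       IN SOA  ns1.example.net. hostmaster.example.net. (
                2010052801 ; serial
                7200 3600 1209600 3600 )
@       3600 IN RRSIG SOA 8 2 3600 20100627140000 20100528140000 12345 example.net. (
                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA== )
@       IN NS   ns1.example.net.
@       3600 IN RRSIG NS 8 2 3600 20100605000000 20100528140000 12345 example.net. (
                BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB== )
@       3600 IN NSEC ns1.example.net. NS SOA RRSIG NSEC DNSKEY
ns1     IN A    192.0.2.1
ns1     3600 IN RRSIG A 8 3 3600 20100627140000 20100528140000 12345 example.net. (
                CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC== )
"""

if __name__ == "__main__":
    stored = unsigned_fingerprint(SAMPLE_ZONE)  # what a signing run would have recorded
    print(needs_resign(SAMPLE_ZONE, stored, datetime(2010, 5, 29, 12, 0, tzinfo=timezone.utc)))
```

Run from cron, a `True` result would be followed by bumping the SOA serial, re-running dnssec-signzone, storing the new fingerprint and reloading the zone; the point the reply makes about the serial applies here too, since secondaries will not pick up the freshly signed zone unless the serial increased. The tools linked above do this plus key rollover, which this example does not attempt.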

