RE: How to validate DNSSEC signed record with dig?

Wed, 08 Feb 2012 08:26:28 -0800 

William: In my tests of DNSSEC, I have used 'auto-dnsssec maintain;' rather 
than explicitly signing the zone with dnssec-signzone. I believe I recall that 
you are using bind 9.8, so this should work for you as well. Here's something 
you can try:

In your bind configuration use the following zone stanza:
zone "toto.com" {
        type master;
        file "/var/lib/bind/toto.com/toto.com.db";
        key-directory "/var/lib/bind/toto.com";
        auto-dnssec maintain;
};

You will probably want to add some access control to this as well.

Now in the directory /var/lib/bind/toto.com (or the directory of your choice as 
long as it is specified in the configuration above), place all of your *.key 
and *.private files. Also place your unsigned zone file toto.com.db with 
contents as follows (Omit the DNSSEC info you currently have at the bottom):

$ORIGIN .
$TTL 17200      ; 4 hours 46 minutes 40 seconds
toto.com.     IN SOA  ns10.boom.fr. postmaster.boom.com. (
                                2012020802 ; serial
                                216000     ; refresh (2 days 12 hours)
                                3600       ; retry (1 hour)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                172800     ; minimum (2 days)
                                )
                        NS      ns.boom.fr.
                        NS      ns2.boom.fr.
                        A       217.128.32.85
$ORIGIN toto.com.
*                       A       217.128.32.85

If you are running bind under a UID other than root, make sure all the files 
are readable, and that the zone file is writable, by that UID. Restart the bind 
service, and bind will sign your zone using the keys you have provided as long 
as their metadata is timed appropriately, i.e. Publish and Activate dates are 
in the past, and Inactive and Delete dates in the future. To see the metadata, 
execute 'dnssec-settime -p all your_key_file_name.private'. If you need to 
change the timing metadata, use dnssec-settime again. See the ARM for details. 
Caution: dnssec-setime will 'chmod 600' your private key files.

I have been successful with this approach, and hope it works well for you also. 
Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to