Thank you very much for your help, I'm going to try it right now.

2012/2/8 Spain, Dr. Jeffry A. <spa...@countryday.net>
> William: In my tests of DNSSEC, I have used 'auto-dnssec maintain;'
> rather than explicitly signing the zone with dnssec-signzone. I believe I
> recall that you are using bind 9.8, so this should work for you as well.
> Here's something you can try:
>
> In your bind configuration use the following zone stanza:
>
> zone "toto.com" {
>     type master;
>     file "/var/lib/bind/toto.com/toto.com.db";
>     key-directory "/var/lib/bind/toto.com";
>     auto-dnssec maintain;
> };
>
> You will probably want to add some access control to this as well.
>
> Now in the directory /var/lib/bind/toto.com (or the directory of your
> choice as long as it is specified in the configuration above), place all of
> your *.key and *.private files. Also place your unsigned zone file
> toto.com.db with contents as follows (omit the DNSSEC info you currently
> have at the bottom):
>
> $ORIGIN .
> $TTL 17200 ; 4 hours 46 minutes 40 seconds
> toto.com. IN SOA ns10.boom.fr. postmaster.boom.com. (
>     2012020802 ; serial
>     216000     ; refresh (2 days 12 hours)
>     3600       ; retry (1 hour)
>     3600000    ; expire (5 weeks 6 days 16 hours)
>     172800     ; minimum (2 days)
>     )
>     NS ns.boom.fr.
>     NS ns2.boom.fr.
>     A 217.128.32.85
> $ORIGIN toto.com.
> * A 217.128.32.85
>
> If you are running bind under a UID other than root, make sure all the
> files are readable, and that the zone file is writable, by that UID.
> Restart the bind service, and bind will sign your zone using the keys you
> have provided as long as their metadata is timed appropriately, i.e.
> Publish and Activate dates are in the past, and Inactive and Delete dates
> in the future. To see the metadata, execute 'dnssec-settime -p all
> your_key_file_name.private'. If you need to change the timing metadata, use
> dnssec-settime again. See the ARM for details. Caution: dnssec-settime will
> 'chmod 600' your private key files.
>
> I have been successful with this approach, and hope it works well for you
> also. Jeff.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School

--
Regards.
Thierry SAMEN.
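The two pre-flight checks Jeff's quoted message asks for (key timing metadata correctly ordered around "now", and key files readable plus zone file writable by the UID named runs as), as an added example that is not part of this thread and not ISC's code. It assumes the line format of 'dnssec-settime -p all' output ('Field: YYYYMMDDHHMMSS (local time)' or 'Field: UNSET', timestamps in UTC), treats an UNSET Revoke/Inactive/Delete as "not scheduled", and the script name check_keys.py and its argument order are hypothetical; the sample metadata embedded at the bottom is constructed.

```python
# Pre-flight check for keys handed to 'auto-dnssec maintain': parse the timing
# metadata printed by 'dnssec-settime -p all KEY.private', decide whether named
# would treat the key as published and active now, and confirm the key files are
# readable, and the zone file writable, by the user named runs as.  Output format
# and semantics are assumed from the BIND 9.8 tools; the samples are constructed.
import os
import pwd
import re
import subprocess
import sys
from datetime import datetime, timezone

# Assumed line format: 'Activate: 20120201100000 (Wed Feb  1 10:00:00 2012)' or
# 'Inactive: UNSET'.  The 14-digit stamp is UTC; the local-time text is ignored.
_LINE = re.compile(r"^(Created|Publish|Activate|Revoke|Inactive|Delete):\s+(\S+)")

def parse_settime(text):
    """Map each timing field to a naive UTC datetime, or None when UNSET."""
    meta = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            field, value = m.groups()
            meta[field] = None if value == "UNSET" else datetime.strptime(value, "%Y%m%d%H%M%S")
    return meta

def key_usable_now(meta, now):
    """Rule from the thread: Publish and Activate in the past, Inactive and Delete in
    the future.  UNSET Revoke/Inactive/Delete means 'not scheduled' and is fine."""
    problems = []
    for field in ("Publish", "Activate"):
        t = meta.get(field)
        if t is None:
            problems.append(f"{field} is UNSET")
        elif t > now:
            problems.append(f"{field} is in the future ({t:%Y%m%d%H%M%S})")
    for field in ("Revoke", "Inactive", "Delete"):
        t = meta.get(field)
        if t is not None and t <= now:
            problems.append(f"{field} has already passed ({t:%Y%m%d%H%M%S})")
    return (not problems, problems)

def can_access(mode, owner_uid, owner_gid, uid, gids, write=False):
    """Plain Unix mode check for a non-root process: owner bits if the UID matches,
    else group bits if the file's group is one of gids, else the 'other' bits."""
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif owner_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bool(bits & (0o2 if write else 0o4))

def check_key_dir(key_dir, zone_file, uid, gids):
    """Every *.key/*.private must be readable, and the zone file writable, by uid.
    dnssec-settime chmods .private to 600, so a root-owned key is unreadable."""
    problems = []
    for name in sorted(os.listdir(key_dir)):
        if name.endswith((".key", ".private")):
            st = os.stat(os.path.join(key_dir, name))
            if not can_access(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                problems.append(f"{name}: mode {st.st_mode & 0o777:o}, owner uid "
                                f"{st.st_uid}, not readable by uid {uid}")
    st = os.stat(zone_file)
    if not can_access(st.st_mode, st.st_uid, st.st_gid, uid, gids, write=True):
        problems.append(f"{zone_file}: not writable by uid {uid}")
    return problems

# Constructed samples: a healthy key, and one whose Publish/Activate lie in the
# future and whose Inactive date is already behind the reference time SAMPLE_NOW.
SAMPLE_NOW = datetime(2012, 2, 8, 16, 0, 0)
SAMPLE_OK = """Publish: 20120201100000 (Wed Feb  1 10:00:00 2012)
Activate: 20120201100000 (Wed Feb  1 10:00:00 2012)
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
"""
SAMPLE_BAD = """Publish: 20120301000000 (Thu Mar  1 00:00:00 2012)
Activate: 20120301000000 (Thu Mar  1 00:00:00 2012)
Inactive: 20120115000000 (Sun Jan 15 00:00:00 2012)
Delete: UNSET
"""
if __name__ == "__main__":
    # Usage: check_keys.py KEY_DIR ZONE_FILE NAMED_USER  (hypothetical script name)
    key_dir, zone_file, user = sys.argv[1:4]
    pw = pwd.getpwnam(user)
    gids = os.getgrouplist(pw.pw_name, pw.pw_gid)
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    rc = 0
    for name in sorted(os.listdir(key_dir)):
        if name.endswith(".private"):
            out = subprocess.run(["dnssec-settime", "-p", "all", os.path.join(key_dir, name)],
                                 capture_output=True, text=True, check=True).stdout
            ok, problems = key_usable_now(parse_settime(out), now)
            print(f"{name}: {'OK' if ok else '; '.join(problems)}")
            rc |= int(not ok)
    perms = check_key_dir(key_dir, zone_file, pw.pw_uid, gids)
    print("".join(p + "\n" for p in perms), end="")
    sys.exit(rc | int(bool(perms)))
```

Run it as root against the key directory and zone file from the stanza above (for example `python3 check_keys.py /var/lib/bind/toto.com /var/lib/bind/toto.com/toto.com.db bind`) before restarting named: a non-zero exit means either a key whose dates would keep named from using it, or a root-owned 0600 private key that the non-root named cannot open, which is exactly the failure the 'chmod 600' caution in the message warns about.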