Hello, hope everyone is fine.
So it seems that going to BIND version 9.16 was the right call as it
simplifies DNSSEC a lot.
Nevertheless, I would like to clarify some things because our organization
has a parent domain and I host my own e-mail servers. I know they had
problems while implementing DNSSEC on the top domain, and some
configurations had to be made to let subdomain e-mail servers still work
after DNSSEC.
Following the Red Hat tutorial, all I had to do was add "dnssec-policy default;"
into one of my zones for testing purposes. I'm not testing Reverse zones
yet.
After this, 3 files "Kmy.domain***" were created:
".key"
".private"
".state".
Three files regarding my zone were also created:
My.domain.signed
And the following 2, which I'm not sure what their purpose is
My.domain.jbk and my.domain.signed.jnl
There are also "managed-keys.bind" and "managed-keys.bind.jnl"
My questions:
1. Every time I restart the service, it seems all these files are
recreated. Does this mean that every time I make a change in the host zone,
I need to resend the public key to my top domain?
2. Do Parental Agents help with this?
3. Which format should I use when providing the key to the top level
domain?
dnssec-dsfromkey /var/named/Kexample.com.+013+61141.key
or
grep DNSKEY /var/named/Kexample.com.+013+61141.key
Kind regards
David Carvalho