Re: Adding a new domain with DNSSEC

2022-04-10 Thread Bjørn Mork
"@lbutlr"  writes:

> On 2022 Apr 10, at 05:37, Bjørn Mork  wrote:
>> "@lbutlr"  writes:
>> 
>>> # dnssec-keygen -a 13 example.com
>>> # dnssec-keygen -f KSK -a 13 example.com
>>> 
>>> Add $INCLUDE to the zone file for each of these 4 keys.
>> 
>> 4? You've generated 2 key pairs. There should be only 2 public keys
>> included in the zone.
>
> Ah, right, of course. I knew it was something dumb.
>
>> But I can recommend the automated zone maintenance instead, either using
>> the modern "dnssec-policy":
>
> I do have that set, but getting the domain setup in the first place seemed to 
> still be necessary.

Should not be required.  Keys will be generated and published according
to the policy, and the zone will be automatically signed.  See:
https://kb.isc.org/docs/dnssec-key-and-signing-policy

> Now to find the DS key...

If you use the default policy then you'll have a CDS record for your
upstream.

Or you can run

 dnssec-dsfromkey Kexample.com.+013+*.key


(replacing the input with your public KSK file, of course)


Bjørn
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Adding a new domain with DNSSEC

2022-04-10 Thread @lbutlr
On 2022 Apr 10, at 05:37, Bjørn Mork  wrote:
> "@lbutlr"  writes:
> 
>> # dnssec-keygen -a 13 example.com
>> # dnssec-keygen -f KSK -a 13 example.com
>> 
>> Add $INCLUDE to the zone file for each of these 4 keys.
> 
> 4? You've generated 2 key pairs. There should be only 2 public keys
> included in the zone.

Ah, right, of course. I knew it was something dumb.

> But I can recommend the automated zone maintenance instead, either using
> the modern "dnssec-policy":

I do have that set, but getting the domain setup in the first place seemed to 
still be necessary.

Now to find the DS key...

-- 
"He has never been known to use a word that might send a reader to
the dictionary." - William Faulkner (about Ernest Hemingway).



Re: Adding a new domain with DNSSEC

2022-04-10 Thread Eric Germann via bind-users

Are you missing a left paren before "1-16"?


Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann 

Medium: https://ekgermann.medium.com  
Twitter: @ekgermann
Telegram || Signal || Skype || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1
> On Apr 10, 2022, at 4:40 AM, @lbutlr  wrote:
> 
> I have several domains set up in bind, all with DNSSEC implemented, and am 
> trying to add a new domain, and seem to have missed a step.
> 
> 
> # dnssec-keygen -a 13 example.com
> # dnssec-keygen -f KSK -a 13 example.com
> 
> Add $INCLUDE to the zone file for each of these 4 keys.
> 
> # dnssec-signzone -3 $(head -c 1000 /dev/random | shasum | cut -b 1-16) -o 
> example.com -t example.com
> 
> dnssec-signzone: warning: keys/Kexample.com.+013+55923.private:1: unknown RR 
> type 'v1.3'
> dnssec-signzone: fatal: failed loading zone from 'example.com': unknown 
> class/type
> 
> 
> -- 
> "Are you pondering what I'm pondering?"
> "I think so, Brain! But ruby-studded stockings would be mighty
> uncomfortable wouldn't they?"



Re: Adding a new domain with DNSSEC

2022-04-10 Thread Bjørn Mork
"@lbutlr"  writes:

>  # dnssec-keygen -a 13 example.com
>  # dnssec-keygen -f KSK -a 13 example.com
>
> Add $INCLUDE to the zone file for each of these 4 keys.

4? You've generated 2 key pairs. There should be only 2 public keys
included in the zone.

> dnssec-signzone: warning: keys/Kexample.com.+013+55923.private:1: unknown RR 
> type 'v1.3'

Right. Don't publish anything named "private" in the zone file...

But I can recommend the automated zone maintenance instead, either using
the modern "dnssec-policy":

https://bind9.readthedocs.io/en/latest/dnssec-guide.html#enabling-automated-dnssec-zone-maintenance-and-key-generation

or the older "auto-dnssec maintain".  There's no need for any of the manual
steps you are doing.


Bjørn

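Two points Bjørn makes in this thread, that only the public K*.key files belong in the zone (the .private file is what produced the "unknown RR type 'v1.3'" error, because a BIND private key file begins with "Private-key-format: v1.3") and that the DS record for the registrar is derived from the public KSK (what dnssec-dsfromkey prints), worked through as an added Python example. This code is not from the thread or from BIND. The key bytes, the key-file text and the directory listing are constructed placeholders; the zone name example.com and the Kexample.com.+013+<tag>.key naming follow the thread, and the key tag and DS digest follow RFC 4034 and RFC 4509.

```python
# Added example (not from the thread or from BIND): select the public key files
# for $INCLUDE and compute the DS record for the KSK as dnssec-dsfromkey does.
import base64
import hashlib
import re
from typing import NamedTuple


class DnsKey(NamedTuple):
    owner: str
    flags: int        # 257 = KSK (zone key + SEP bit), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # 13 = ECDSAP256SHA256
    public_key: bytes


# dnssec-keygen writes K<zone>.+<alg>+<tag>.key (public, a DNSKEY RR) and
# .private (the signing key). Only the .key files are zone file material.
KEY_FILE_RE = re.compile(r"^K[^+]+\.\+\d{3}\+\d{5}\.key$")


def zone_includes(filenames):
    """Return the files that may appear in $INCLUDE: the public keys only."""
    return sorted(f for f in filenames if KEY_FILE_RE.match(f))


def parse_key_file(text):
    """Extract the DNSKEY RR from a BIND K*.key file (';' starts a comment)."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        i = fields.index("DNSKEY")   # owner [TTL] [class] DNSKEY flags proto alg key
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        return DnsKey(fields[0], flags, proto, alg, base64.b64decode("".join(fields[i + 4:])))
    raise ValueError("no DNSKEY record in key file")


def owner_wire(owner):
    """Canonical wire form (RFC 4034 s6.2): lowercase labels, length-prefixed, root label."""
    out = bytearray()
    for label in owner.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    return bytes(out) + b"\x00"


def dnskey_rdata(key):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (every algorithm except 1/RSAMD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}   # DS digest types (RFC 4509, RFC 6605)


def ds_record(key, digest_type=2):
    """DS RR for a KSK: digest over canonical owner name + DNSKEY RDATA."""
    if not key.flags & 1:
        raise ValueError("DS records are published for the KSK (SEP flag set), not the ZSK")
    rdata = dnskey_rdata(key)
    digest = DIGESTS[digest_type](owner_wire(key.owner) + rdata).hexdigest().upper()
    owner = key.owner.rstrip(".").lower() + "."
    return f"{owner} IN DS {key_tag(rdata)} {key.algorithm} {digest_type} {digest}"


def filename_tag_matches(filename, key):
    """The 5-digit tag in K<zone>.+<alg>+<tag>.key must equal the computed key tag."""
    alg, tag = re.search(r"\+(\d{3})\+(\d{5})\.", filename).groups()
    return int(alg) == key.algorithm and int(tag) == key_tag(dnskey_rdata(key))


# Constructed sample: the two key pairs from the thread's dnssec-keygen runs.
# The public keys are placeholder bytes, not real P-256 points.
KSK_PUB = bytes(range(64))
ZSK_PUB = bytes(64)
KSK_KEY_FILE = (
    "; This is a key-signing key, keyid 59409, for example.com.\n"
    "example.com. IN DNSKEY 257 3 13 " + base64.b64encode(KSK_PUB).decode() + "\n"
)
KEY_DIR = [
    "Kexample.com.+013+59409.key", "Kexample.com.+013+59409.private",
    "Kexample.com.+013+01037.key", "Kexample.com.+013+01037.private",
]

if __name__ == "__main__":
    ksk = parse_key_file(KSK_KEY_FILE)
    for f in zone_includes(KEY_DIR):
        print("$INCLUDE", f)
    print(ds_record(ksk))
```

The DS line is what goes to the registrar or parent zone. With dnssec-policy in named.conf none of this is done by hand: named generates and publishes the keys, signs the zone, and publishes a CDS record the parent can pick up.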


Adding a new domain with DNSSEC

2022-04-10 Thread @lbutlr
I have several domains set up in bind, all with DNSSEC implemented, and am 
trying to add a new domain, and seem to have missed a step.


 # dnssec-keygen -a 13 example.com
 # dnssec-keygen -f KSK -a 13 example.com

Add $INCLUDE to the zone file for each of these 4 keys.

 # dnssec-signzone -3 $(head -c 1000 /dev/random | shasum | cut -b 1-16) -o 
example.com -t example.com

dnssec-signzone: warning: keys/Kexample.com.+013+55923.private:1: unknown RR 
type 'v1.3'
dnssec-signzone: fatal: failed loading zone from 'example.com': unknown 
class/type


-- 
"Are you pondering what I'm pondering?"
"I think so, Brain! But ruby-studded stockings would be mighty
uncomfortable wouldn't they?"
