3 Jun 2010
Converting a regular BIND ZONE to DNSSEC
Recently I wanted to sign a regular zone in BIND 9.7. Google wasn't very helpful, so I thought I'd write up a little bit about it here.
My /etc/named.conf looks like this:
    zone "myzone.com" IN {
        type master;
        file "/var/named/zones/myzone.com/myzone.com";
        notify no;
    };
I want to keep my DNSSEC zones in a separate directory.
    # mkdir -p /var/named/signed/myzone.com/
    # cp /var/named/zones/myzone.com/myzone.com /var/named/signed/myzone.com/
Now I sign the zone.
    # cd /var/named/signed/myzone.com/
    # dnssec-keygen -r /dev/urandom myzone.com
    # dnssec-keygen -r /dev/urandom -f KEY myzone.com
    # dnssec-signzone -r /dev/urandom -S myzone.com
    # ls
    Kmyzone.com.+005+02971.key
    Kmyzone.com.+005+02971.private
    Kmyzone.com.+005+29262.key
    Kmyzone.com.+005+29262.private
    dsset-myzone.com.
    myzone.com
    myzone.com.signed
Finally I point named.conf at myzone.com.signed.
    zone "myzone.com" IN {
        type master;
        file "/var/named/signed/myzone.com/myzone.com.signed";
        notify no;
    };
Make sure that all the files are owned by the "named" user and reload BIND:
    # chown -R named:named /var/named/signed
    # /etc/init.d/named reload
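The same steps as a re-runnable script, as an added example that is not from the original post: it wraps the keygen/sign commands above in a function, runs named-checkzone on the signed file before named.conf is switched to it, and reads the DNSKEY flags of each generated .key file to tell the KSK (made with -f KEY) from the ZSK. The zone name, paths and the sample DNSKEY lines in demo_key_roles are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the post's steps in one
# function, checks the signed zone before it is used, and labels the keys.
# Zone name, paths and the sample DNSKEY lines below are assumptions.
set -e

# Print KSK or ZSK for a K<zone>.+<alg>+<tag>.key file by reading the flags
# field of its DNSKEY record: 257 = key-signing key (made with -f KEY),
# 256 = zone-signing key. Comment lines (starting with ';') are skipped.
key_role() {
    flags=$(awk '!/^;/ { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i+1); exit } }' "$1")
    case "$flags" in
        257) echo KSK ;;
        256) echo ZSK ;;
        *)   echo "UNKNOWN($flags)" ;;
    esac
}

# sign_zone <zone> <unsigned zone file>: copy, generate keys once, sign, check.
# Keys already present in the signed directory are reused on a re-sign, which
# is what you want when signatures expire and the zone has to be signed again.
sign_zone() (
    zone=$1; src=$2; dst=/var/named/signed/$zone
    mkdir -p "$dst"
    cp "$src" "$dst/$zone"
    cd "$dst"
    if ! ls K"$zone".+*.key >/dev/null 2>&1; then
        dnssec-keygen -r /dev/urandom "$zone"          # ZSK
        dnssec-keygen -r /dev/urandom -f KEY "$zone"   # KSK
    fi
    dnssec-signzone -r /dev/urandom -S "$zone"
    named-checkzone "$zone" "$zone.signed"             # a failure stops the script
    for k in K"$zone".+*.key; do echo "$k: $(key_role "$k")"; done
    echo "DS records for the parent zone: $dst/dsset-$zone."
    chown -R named:named "$dst"
)

# Offline check of key_role on two constructed .key files (no BIND needed).
demo_key_roles() {
    d=$(mktemp -d)
    printf '; This is a key-signing key, keyid 2971, for myzone.com.\n' > "$d/ksk.key"
    printf 'myzone.com. IN DNSKEY 257 3 5 AwEAAcKSKsample\n' >> "$d/ksk.key"
    printf 'myzone.com. IN DNSKEY 256 3 5 AwEAAcZSKsample\n' > "$d/zsk.key"
    echo "$(key_role "$d/ksk.key") $(key_role "$d/zsk.key")"
    rm -rf "$d"
}
```

Once sign_zone has run cleanly, switch named.conf to the .signed file and reload named as in the post.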