Recently I wanted to sign a regular zone in BIND 9.7. Google wasn’t very helpful, so I thought I’d write up a little bit about it here.
My /etc/named.conf looks like this:

```
zone "myzone.com" IN {
    type master;
    file "/var/named/zones/myzone.com/myzone.com";
    notify no;
};
```
I want to keep my DNSSEC zones in a separate directory, so I copy the unsigned zone file there.

```sh
$ mkdir -p /var/named/signed/myzone.com/
$ cp /var/named/zones/myzone.com/myzone.com /var/named/signed/myzone.com/
```
Now I generate a zone-signing key, then a key-signing key (the -f KSK flag marks it as such), and sign the zone with both. The -S option tells dnssec-signzone to pick up the keys for this zone from the current directory.

```sh
$ cd /var/named/signed/myzone.com/
$ dnssec-keygen -r /dev/urandom myzone.com          # zone-signing key (ZSK)
$ dnssec-keygen -r /dev/urandom -f KSK myzone.com   # key-signing key (KSK)
$ dnssec-signzone -r /dev/urandom -S myzone.com     # smart signing: uses the keys found here
$ ls
myzone.com         Kmyzone.com.+005+02971.key      Kmyzone.com.+005+29262.private
myzone.com.signed  Kmyzone.com.+005+02971.private  dsset-myzone.com.
Kmyzone.com.+005+29262.key
```
Finally I point the zone entry in named.conf at myzone.com.signed.

```
zone "myzone.com" IN {
    type master;
    file "/var/named/signed/myzone.com/myzone.com.signed";
    notify no;
};
```
Make sure that all the files are owned by user “named” and reload BIND.

```sh
$ chown -R named:named /var/named/signed
$ /etc/init.d/named reload
```