Recently I wanted to sign a regular zone in BIND 9.7. Google wasn’t very helpful, so I thought I’d write up a
little bit about it here. My /etc/named.conf looks like this:
zone "myzone.com" IN {
		type master;
		file "/var/named/zones/myzone.com/myzone.com";
		notify no;
};
I want to keep my DNSSEC-signed zones in a separate directory, so I copy the zone file there:
$ mkdir -p /var/named/signed/myzone.com/
$ cp /var/named/zones/myzone.com/myzone.com /var/named/signed/myzone.com/
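Now I sign the zone. The first dnssec-keygen creates the zone-signing key, the second (with -f KSK) creates the
key-signing key, and dnssec-signzone -S picks up both keys from the directory, includes them in the zone and signs it.
$ cd /var/named/signed/myzone.com/
$ dnssec-keygen -r /dev/urandom myzone.com
$ dnssec-keygen -r /dev/urandom -f KSK myzone.com
$ dnssec-signzone -r /dev/urandom -S myzone.com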
$ ls 
myzone.com         Kmyzone.com.+005+02971.key      Kmyzone.com.+005+29262.private
myzone.com.signed  Kmyzone.com.+005+02971.private
dsset-myzone.com.  Kmyzone.com.+005+29262.key
Finally, I change the zone's file statement in named.conf to point at myzone.com.signed:
zone "myzone.com" IN {
		type master;
		file "/var/named/signed/myzone.com/myzone.com.signed";
		notify no;
};
Make sure that all the files are owned by the user “named”, then reload BIND:
$ chown -R named:named /var/named/signed
$ /etc/init.d/named reload
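
The signatures in myzone.com.signed expire (dnssec-signzone's default validity is 30 days), so the zone has to be re-signed before then. An added example, not part of the original post: a shell check that reads the earliest RRSIG expiration from a signed zone file. The sample zone, its key tag 12345 and the function names are constructed for illustration, and it assumes the expiration field sits on the same line as RRSIG, as in dnssec-signzone output.

```shell
#!/bin/sh
# Added example: report the earliest RRSIG expiration in a signed zone file.

# Constructed sample in the layout dnssec-signzone writes
# (key tag 12345 and the signature data are placeholders).
SAMPLE_ZONE='myzone.com. 86400 IN SOA ns1.myzone.com. admin.myzone.com. (
                2010010101 3600 900 604800 86400 )
myzone.com. 86400 IN RRSIG SOA 5 2 86400 20100328183214 (
                20100226183214 12345 myzone.com.
                c2FtcGxl )
myzone.com. 86400 IN RRSIG NS 5 2 86400 20100325120000 (
                20100223120000 12345 myzone.com.
                c2FtcGxl )
myzone.com. 86400 IN RRSIG DNSKEY 5 2 86400 20100328183214 (
                20100226183214 12345 myzone.com.
                c2FtcGxl )'

# Print the earliest RRSIG expiration (YYYYMMDDHHMMSS, UTC) found on stdin.
# RRSIG rdata order: type covered, algorithm, labels, original TTL, expiration,
# so the expiration is the 5th field after the RRSIG token.
# Exits 1 if the input contains no RRSIG records (zone is not signed).
earliest_rrsig_expiry() {
    awk '
        {
            for (i = 1; i <= NF - 5; i++)
                if ($i == "RRSIG" && $(i + 5) ~ /^[0-9]+$/ && length($(i + 5)) == 14)
                    if (min == "" || $(i + 5) < min) min = $(i + 5)
        }
        END { if (min == "") exit 1; print min }
    '
}

# Return 0 if every signature on stdin is still valid after the cutoff
# timestamp ($1, YYYYMMDDHHMMSS), 1 if one expires at or before it,
# 2 if no RRSIG records were found.
signatures_valid_until() {
    cutoff=$1
    expiry=$(earliest_rrsig_expiry) || return 2
    [ "$expiry" -gt "$cutoff" ]
}

# Demo on the constructed sample: prints 20100325120000
printf '%s\n' "$SAMPLE_ZONE" | earliest_rrsig_expiry
```

On the server, a cron job can run signatures_valid_until "$(date -u -d '+7 days' +%Y%m%d%H%M%S)" < /var/named/signed/myzone.com/myzone.com.signed and re-sign or alert on a non-zero exit (the -d option assumes GNU date).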