Masud Akhtar Ahmed <m.ahmed@londontelecom.net> wrote:
> It's easier than that :-)
> a) Need to enable dnssec in /etc/named.conf configuration file.
> options { dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; }
You don't need the dnssec-enable option: the default is "yes" and turning it off will break things. The DLV has been decommissioned, so you should omit the dnssec-lookaside option. On a resolver you should set `dnssec-validation auto` which enables RFC 5011 trust anchor rollover, initialized using the root key that is built in to BIND. If you set it to `yes` then you must be prepared to do manual trust anchor management, and you should ask yourself probing questions why.
> # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE londontelecom.net
You should use ECDSAP256SHA256, or RSASHA256 with 2048 bit keys, same for ZSK and KSK. 1024 is too small and 4096 is wasteful.
> d) To make the zones use DNSSEC,
Use `named`'s built-in signer: `auto-dnssec maintain`. Don't use `dnssec-signzone` unless you are an expert doing weird stuff. The `inline-signing` option requires fewer changes to existing setups that edit zone files; it isn't necessary if your zones are dynamic. Remember to make your private keys readable by named, e.g.

    # chgrp named K*.private
    # chmod g+r K*.private

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
an equitable and peaceful international order
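The setup Tony recommends above, as an added example that is not part of the thread (not Tony's or ISC's code): shell helpers that emit the key-generation commands, the resolver and zone stanzas, and fix private-key permissions. The key directory `/var/named/keys`, the zone file path `/var/named/<zone>.db` and the group name `named` are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing list. Assumed layout: keys in KEYDIR,
# zone files in /var/named/<zone>.db, named running as group "named".
KEYDIR="${KEYDIR:-/var/named/keys}"

# dnssec-keygen invocations for a KSK/ZSK pair with ECDSAP256SHA256; the curve
# fixes the key size, so no -b is needed. Printed rather than executed so the
# function can be checked offline; run_keygen executes them.
keygen_cmds() {
    zone="$1"
    printf 'dnssec-keygen -K %s -a ECDSAP256SHA256 -f KSK -n ZONE %s\n' "$KEYDIR" "$zone"
    printf 'dnssec-keygen -K %s -a ECDSAP256SHA256 -n ZONE %s\n' "$KEYDIR" "$zone"
}

run_keygen() {
    keygen_cmds "$1" | sh
}

# Resolver options: dnssec-validation auto (RFC 5011 rollover seeded from the
# root key built into BIND); no dnssec-enable, no dnssec-lookaside.
resolver_options() {
    printf 'options {\n    dnssec-validation auto;\n};\n'
}

# Zone stanza that lets named sign the zone itself instead of dnssec-signzone.
zone_stanza() {
    zone="$1"
    cat <<EOF
zone "$zone" {
    type master;
    file "/var/named/$zone.db";
    key-directory "$KEYDIR";
    auto-dnssec maintain;
    inline-signing yes;
};
EOF
}

# Make the private keys readable by named's group and by nobody else (0640).
fix_key_perms() {
    dir="$1"; group="$2"
    chgrp "$group" "$dir"/K*.private
    chmod 640 "$dir"/K*.private
}
```

`run_keygen example.net` creates the pair, `fix_key_perms /var/named/keys named` fixes the permissions, and the two stanza functions print text to paste into named.conf.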