There seems to be plenty of DNSSEC HOWTO’s on the Web but I’m struggling to find a compendium of steps I need to perform in order to secure my zone and trust others.<\/p>\n
Before doing anything, it’s worth creating a directory structure where each zonefile resides in its own directory using the structure: \/etc\/bind\/zonename\/zonefile
\nThe zonefile should be identical to the zonename until it’s signed, at which time zonefile becomes zonename.signed. Generated ZSK’s and KSK’s should reside within the directory of the zonename they relate to. Don’t forget to update named.conf.local to reflect changes in the name and location of the zonefiles.<\/p>\n
options {
\n dnssec-enable yes;
\n dnssec-validation yes;
\n};<\/p>\n
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE zonename<\/em> ; Zone Signing Key dnssec-signzone zonefile<\/em> donuts zonefile.signed zonename<\/em><\/p>\n In named.conf.local: dig zonename SOA +dnssec +multiline<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" There seems to be plenty of DNSSEC HOWTO’s on the Web but I’m struggling to find a compendium of steps I need to perform in order to secure my zone and trust others. Securing a zone Before doing anything, it’s worth creating a directory structure where each zonefile resides in its own directory using the… Continue reading DNSSEC – HOWTO for idiots like me<\/span><\/a><\/p>\n","protected":false},"author":24,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-502","post","type-post","status-publish","format-standard","hentry","category-debian","entry"],"_links":{"self":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts\/502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/users\/24"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=502"}],"version-history":[{"count":9,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts\/502\/revisions"}],"predecessor-version":[{"id":511,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts\/502\/revisions\/511"}],"wp:attachment":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\ndnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK zonename<\/em><\/p>\nAdd keys to zonefile<\/h2>\n
\n$INCLUDE Kzonename.+001+11111.key
\n; Key Signing Key
\n$INCLUDE Kzonename.+001+22222.key<\/p>\nSign the Zone<\/h2>\n
\nOutput is zonefile.signed<\/p>\nValidate the zonefile<\/h2>\n
Publish the signed zone<\/h2>\n
\nzone “zonename” {
\n file “\/etc\/bind\/zonename\/zonefile.signed”;
\n};<\/p>\nTesting<\/h2>\n