Every time I add a new domain, I wade through the process of how to generate the required keys and how to get the records that need to be published at my upstream registrar. Hopefully this will help in future!<\/p>\n\n\n\n
First off, some assumptions:<\/p>\n\n\n\n
cd \/etc\/bind\/zones<\/code>
dnssec-keygen -a RSASHA256 -b 2048 -3 newzone.org<\/code>
dnssec-keygen -a RSASHA256 -b 2048 -3 -fk newzone.org<\/code><\/pre>\n\n\n\nIf your TLD supports it, you should probably use ED25519 (type 15) instead of RSASHA256 (type 8). At the time of writing, there isn’t much support for ED25519.<\/p>\n\n\n\n
Edit the zone file<\/h4>\n\n\n\n
Insert the following new lines into the zone configuration:<\/p>\n\n\n\n
auto-dnssec maintain;<\/code>\ninline-signing yes;<\/code><\/pre>\n\n\n\nReload bind<\/h4>\n\n\n\n
On my system, the systemd service is called named. Yours may differ.
systemctl reload named.service<\/code><\/p>\n\n\n\nSign the zone<\/h4>\n\n\n\n
rndc signing -nsec3param 1 0 10 deadbeef newzone.org<\/code>
(Where deadbeef is a random 4 byte hex salt)
You can generate the random salt with:<\/p>\n\n\n\nhexdump -n 4 -e '4\/4 \"%08X\" 1 \"\\n\"' \/dev\/random<\/code><\/pre>\n\n\n\nGrab the dsset record for your registrar<\/h4>\n\n\n\ndig @127.0.0.1 dnskey newzone.org | dnssec-dsfromkey -f - newzone.org<\/code><\/pre>\n\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
Every time I add a new domain, I wade through the process of how to generate the required keys and how to get the records that need to be published at my upstream registrar. Hopefully this will help in future! First off, some assumptions: Bind is installed and running Zones are in \/etc\/bind\/zones Keys are… Continue reading DNSSEC signing a zone<\/span><\/a><\/p>\n","protected":false},"author":24,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[40],"class_list":["post-754","post","type-post","status-publish","format-standard","hentry","category-general","tag-dnssec","entry"],"_links":{"self":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts\/754","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/users\/24"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=754"}],"version-history":[{"count":4,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts\/754\/revisions"}],"predecessor-version":[{"id":758,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts\/754\/revisions\/758"}],"wp:attachment":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=754"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=754"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=754"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}