Hello, hope everyone is fine. So it seems that going to Bind version 9.16 was the right call as it simplifies DNSSEC a lot.
Nevertheless, I would like to clarify some things because our organization has a parent domain and I host my own e-mail servers. I know they had problems while implementing DNSSEC on the top domain, and some configurations had to be made to let subdomain e-mail servers still work after DNSSEC.

Following the Red Hat tutorial, all I had to do was add "dnssec-policy default;" into one of my zones for testing purposes. I'm not testing reverse zones yet.

After this, 3 files "Kmy.domain***" were created: ".key" ".private" ".state".

Three files regarding my zone were also created:
My.domain.signed
And the following 2, which I'm not sure what their purpose is:
My.domain.jbk and my.domain.signed.jnl

There are also "managed-keys.bind" and "managed-keys.bind.jnl".

My questions:

1. Every time I restart the service, it seems all these files are recreated. Does this mean that every time I make a change in the host zone, I need to resend the public key to my top domain?
2. Do Parental Agents help with this?
3. Which format should I use when providing the key to the top level domain?

    dnssec-dsfromkey /var/named/Kexample.com.+013+61141.key

or

    grep DNSKEY /var/named/Kexample.com.+013+61141.key

Kind regards
David Carvalho
--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users