> Date: Sat, 20 Mar 2010 16:28:59 -0500
> From: groups <gro...@obsd.us>
> Sender: bind-users-bounces+oberman=es....@lists.isc.org
>
> I should have been more specific.. What dnssec tools do the folks at ISC
> recommend.. I am scheduled for a 5 day class in Arlington, VA in May 2010
>
> Thx
> Charles
> > Greetings list..
> > I have recently assumed responsibility and did a
> > complete rebuild of a Master DNS server running 9.6.1.P3. (will
> > upgrade to 9.6.2 when SRPM is available)
> > OS: CentOS 5.4
> >
> > New to DNS administration but not new to Linux / UNIX..
> >
> > I am looking at dnssec-tools for signing my 2 zones.
> > Am curious if anyone on the list has used / is using
> > this tool..

Signing is probably best handled by BIND 9.7 (DNSSEC for Humans). It handles re-signing and keyrolls in a manner that looks fairly manageable. (I'm not using BIND for signing, so this is based on the documentation.)

For testing and management, I use dig, part of the BIND distribution, drill from nllabs.nl, a source of lots of fine DNS related stuff, and http://dnscheck.se. The latter is a test suite that includes tests of DNSSEC. You can install the tests on a local system or run them on the web site.

I also urge you to get a copy of NIST SP800-81r1, an excellent overview and how-to on DNS security that goes well beyond DNSSEC. It is at: http://csrc.nist.gov/publications/drafts/800-81-rev1/nist_draft_sp800-81r1-round2.pdf. It is still in draft, but is close to being finalized.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751