On 2021-05-13 09:41, Software Info wrote:
Wow. Thanks so much for all the responses. Really appreciate it. They made me truly realize that a lot of the info on the net may be either incomplete or just old. I understand a bit better now. I added the line inline-signing yes;
inline-signing is not required; you already had "update-policy local;" which gives you a key to use with nsupdate(8)'s -l option. This is a perfectly valid way to maintain zone data, and in my opinion much better than editing zone files and inline-signing. You have taken a step backwards.
This has the overview of both DNSSEC and dynamic zones:
http://ftp.isc.org/isc/bind/cur/9.16/doc/arm/html/advanced.html
See section "5.2. Dynamic Update". Also see the "auto-dnssec maintain;" option described there. With a dynamic zone and nsupdate, inline-signing is completely unnecessary.
For those who insist on editing zone files rather than learning how to use nsupdate, I still recommend "update-policy local;" see Tony Finch's post where he mentions his nsdiff tool.
as was suggested and reloaded bind. I am now seeing the .signed, .jbk and .jnl files. The zone also replicates to the slaves and I am seeing the NSEC, RRSIG and DNSKEY entries in the zone files on the slaves. I also checked with the yogaDNS client and it had no problems identifying the DNSSEC server. So I would imagine at this point it is working. I believe as was said too I need now to register the DS with the registrar? Hopefully that should be it if I am not missing anything?
Yes, submitting the DS to the registrar is always the last step to take in signing. It's best to be sure the signing is being done before you tell the world to accept only signed data from your zone. We see that a lot, BTW. :)
Thanks so much again for the very informative replies.
And a highly opinionated one? :) I'd also recommend the DNSSEC guide, https://bind9.readthedocs.io/en/latest/dnssec-guide.html This is all on one page; or, the same document broken down in sections can be seen here: http://dnsinstitute.com/documentation/dnssec-guide/dnssec-guide.html
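
The advice above to confirm signing on every server before submitting the DS, as an added example (not part of the original thread and not BIND's own tooling): a sanity check over the text of each authoritative server's SOA and DNSKEY answers, one record per line as plain `dig +dnssec` prints them. The zone name, sample records and all-zero key are constructed; the check covers presence, key tags (RFC 4034 Appendix B) and validity windows only, not the signatures themselves.

```python
import base64
from datetime import datetime, timezone

def key_tag(flags, protocol, algorithm, key_b64):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def _ts(s):
    # RRSIG times in presentation format: YYYYMMDDHHmmSS, UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def ready_for_ds(answer, now):
    """Return a list of problems; an empty list means this server looks signed."""
    tags, sigs, problems = set(), [], []
    for line in answer.splitlines():
        f = line.split()
        if len(f) < 5 or line.startswith(";"):
            continue  # blank line, dig comment, or not a resource record
        if f[3] == "DNSKEY" and len(f) >= 8:
            tags.add(key_tag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])))
        elif f[3] == "RRSIG" and len(f) >= 12:
            # RDATA: covered alg labels origttl expiration inception keytag signer sig
            sigs.append((f[4], _ts(f[8]), _ts(f[9]), int(f[10])))
    if not tags:
        problems.append("no DNSKEY published")
    for rrtype in ("SOA", "DNSKEY"):
        covering = [s for s in sigs if s[0] == rrtype]
        if not covering:
            problems.append(f"no RRSIG covering {rrtype}")
        for _, expires, incepted, tag in covering:
            if tag not in tags:
                problems.append(f"{rrtype} RRSIG key tag {tag} matches no DNSKEY")
            if not incepted <= now <= expires:
                problems.append(f"{rrtype} RRSIG outside its validity window")
    return problems

# Constructed sample data: example.test with an all-zero placeholder key.
KEY = base64.b64encode(bytes(64)).decode()
TAG = key_tag(257, 3, 13, KEY)
SOA = "example.test. 3600 IN SOA ns1.example.test. admin.example.test. 2021051301 3600 600 86400 3600\n"
SIG = f"13 2 3600 20210612000000 20210513000000 {TAG} example.test. c2ln\n"
SIGNED = (SOA + "example.test. 3600 IN RRSIG SOA " + SIG
          + f"example.test. 3600 IN DNSKEY 257 3 13 {KEY}\n"
          + "example.test. 3600 IN RRSIG DNSKEY " + SIG)
UNSIGNED = SOA  # e.g. a secondary still serving the pre-signing zone
NOW = datetime(2021, 5, 20, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2021, 7, 1, tzinfo=timezone.utc)
```

Run `ready_for_ds` on the answers from every server listed in the zone's NS set; the DS goes to the registrar only when each one returns an empty list.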