Masud Akhtar Ahmed <m.ah...@londontelecom.net> wrote:

> It's easier than that :-)
> a) Need to enable dnssec in /etc/named.conf configuration file.
> options { dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; }

You don't need the dnssec-enable option: the default is "yes" and turning it off will break things.

The DLV has been decommissioned, so you should omit the dnssec-lookaside option.

On a resolver you should set `dnssec-validation auto`, which enables RFC 5011 trust anchor rollover, initialized using the root key that is built in to BIND. If you set it to `yes` then you must be prepared to do manual trust anchor management, and you should ask yourself probing questions why.

> # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE londontelecom.net

You should use ECDSAP256SHA256, or RSASHA256 with 2048 bit keys, same for ZSK and KSK. 1024 is too small and 4096 is wasteful.

> d) To make the zones use DNSSEC,

Use `named`'s built-in signer: `auto-dnssec maintain`. Don't use `dnssec-signzone` unless you are an expert doing weird stuff. The `inline-signing` option requires fewer changes to existing setups that edit zone files; it isn't necessary if your zones are dynamic.

Remember to make your private keys readable by named, e.g.

    # chgrp named K*.private
    # chmod g+r K*.private

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
an equitable and peaceful international order
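The points in Tony's reply, collected into a small POSIX shell lint. This is an added example, not code from either message in the thread: it checks a named.conf options block for `dnssec-enable no`, `dnssec-lookaside` and `dnssec-validation yes`, and checks a directory of `K<zone>.+<alg>+<id>.private` files for RSASHA1/DSA algorithms, RSA keys under 2048 bits and missing group-read permission. The algorithm-number mapping (5/7 RSASHA1 variants, 8/10 RSASHA256/512, 13/14 ECDSA, 15/16 EdDSA) is standard DNSKEY numbering; the assumption that an RSA private file carries its modulus on a single `Modulus:` line is BIND's private-key file format. All paths and key names below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: lint a BIND DNSSEC setup for the mistakes discussed above.
# Usage: sh dnssec-lint.sh /etc/named.conf /var/named/keys
# (paths are constructed examples; point it at your own conf and key dir)

# Report problematic options in a named.conf. Prints one line per finding
# and returns 1 if anything was found, 0 if clean.
lint_named_conf() {
    conf="$1"
    rc=0
    # Strip // and # comments so commented-out options are not reported.
    body=$(sed -e 's://.*$::' -e 's:#.*$::' "$conf")
    if printf '%s\n' "$body" | grep -Eq 'dnssec-enable[[:space:]]+no'; then
        echo "$conf: dnssec-enable no turns DNSSEC off and breaks things (default is yes)"
        rc=1
    fi
    if printf '%s\n' "$body" | grep -Eq 'dnssec-lookaside'; then
        echo "$conf: dnssec-lookaside refers to the decommissioned DLV; remove it"
        rc=1
    fi
    if printf '%s\n' "$body" | grep -Eq 'dnssec-validation[[:space:]]+yes'; then
        echo "$conf: dnssec-validation yes means manual trust anchors; use auto (RFC 5011)"
        rc=1
    fi
    return $rc
}

# Derive an RSA key's bit length from the base64 Modulus line of a BIND
# .private file, using only the encoded length (no decoding needed).
# Returns 0 when no Modulus line is present.
rsa_bits() {
    b64=$(sed -n 's/^Modulus: *//p' "$1" | tr -d ' \r')
    [ -n "$b64" ] || { echo 0; return; }
    len=${#b64}
    pad=$(printf '%s' "$b64" | tr -cd '=' | wc -c | tr -d ' ')
    echo $(( (len * 3 / 4 - pad) * 8 ))
}

# Check every K*.private in a directory: algorithm (from the file name),
# RSA size (from the file) and group-read permission for named.
lint_key_files() {
    dir="$1"
    rc=0
    for f in "$dir"/K*.private; do
        [ -e "$f" ] || continue
        alg=$(basename "$f" | sed -n 's/^K.*+\([0-9][0-9][0-9]\)+[0-9]*\.private$/\1/p')
        case "$alg" in
            003|005|006|007)
                echo "$f: DSA/RSASHA1 (alg $alg); re-key with ECDSAP256SHA256 or RSASHA256/2048"
                rc=1 ;;
            008|010)
                bits=$(rsa_bits "$f")
                [ "$bits" -ge 2048 ] || { echo "$f: RSA modulus is $bits bits; use 2048"; rc=1; } ;;
            013|014|015|016) ;;   # ECDSA and EdDSA: fine
            *)
                echo "$f: unrecognised algorithm number '$alg'"
                rc=1 ;;
        esac
        # named runs unprivileged and must be able to read the key:
        # the group read bit is the 5th character of ls -l output.
        if [ "$(ls -l "$f" | cut -c5)" != r ]; then
            echo "$f: not group-readable; chgrp named and chmod g+r"
            rc=1
        fi
    done
    return $rc
}

if [ "$#" -eq 2 ]; then
    status=0
    lint_named_conf "$1" || status=1
    lint_key_files "$2" || status=1
    [ "$status" -eq 0 ] && echo "no findings"
    exit "$status"
fi
```

The key-size check reads the `Modulus:` line rather than trusting what `dnssec-keygen -b` was once given, so it catches the 1024-bit keys already on disk, not just the command that made them.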