Masud Akhtar Ahmed <m.ah...@londontelecom.net> wrote:
>

It's easier than that :-)

> a)  Need to enable dnssec in /etc/named.conf configuration file.

> options { dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; }

You don't need the dnssec-enable option: the default is "yes" and turning
it off will break things.

The DLV has been decommissioned, so you should omit the dnssec-lookaside
option.

On a resolver you should set `dnssec-validation auto` which enables RFC
5011 trust anchor rollover, initialized using the root key that is built
in to BIND. If you set it to `yes` then you must be prepared to do manual
trust anchor management, and you should ask yourself probing questions
why.

> # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE londontelecom.net

You should use ECDSAP256SHA256, or RSASHA256 with 2048 bit keys, same for
ZSK and KSK. 1024 is too small and 4096 is wasteful.

> d) To make the zones use DNSSEC,

Use `named`'s built-in signer: `auto-dnssec maintain`. Don't use
`dnssec-signzone` unless you are an expert doing weird stuff.

The `inline-signing` option requires fewer changes to existing setups that
edit zone files; it isn't necessary if your zones are dynamic.

Remember to make your private keys readable by named, e.g.

# chgrp named K*.private
# chmod g+r K*.private


Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
an equitable and peaceful international order
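The reply above lists several things to check in a BIND DNSSEC setup: `dnssec-enable no` breaks things, `dnssec-lookaside` should go because the DLV is gone, a resolver should use `dnssec-validation auto`, and keys should be ECDSAP256SHA256 or 2048-bit RSASHA256. The script below is an added example (not part of Tony's message or of BIND) that turns that advice into an audit: it parses the `options` block of a `named.conf` and the DNSKEY records found in `K*.key` files, recovering the RSA modulus size from the RFC 3110 public-key encoding. The config fragments and DNSKEY records embedded in it are constructed samples with synthetic key material, and the `options` parser is deliberately simplified (it assumes no nested sub-blocks).

```python
"""Audit BIND DNSSEC options and DNSKEY records against the advice in the thread.

Added example, not from the list post.  Checks: dnssec-enable / dnssec-lookaside /
dnssec-validation in named.conf, and algorithm plus RSA key size of DNSKEY RRs.
"""
from __future__ import annotations

import base64
import re

# DNSKEY algorithm numbers from the IANA registry.
ALG_NAMES = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
RSA_ALGS = {5, 7, 8, 10}
# The thread recommends ECDSAP256SHA256, or RSASHA256 with 2048-bit keys.
RECOMMENDED_ALGS = {8, 13}
RECOMMENDED_RSA_BITS = 2048


def parse_options(named_conf: str) -> dict:
    """Return the 'name value;' statements of the options block as a dict.

    Simplified parser (assumption): no nested '{ ... }' sub-blocks inside
    options, which is enough for the snippet quoted in the thread.
    """
    conf = re.sub(r"(//|#)[^\n]*", "", named_conf)  # drop end-of-line comments
    m = re.search(r"options\s*\{(.*?)\}\s*;", conf, re.S)
    if not m:
        return {}
    opts = {}
    for stmt in m.group(1).split(";"):
        stmt = stmt.strip()
        if stmt:
            name, _, value = stmt.partition(" ")
            opts[name] = value.strip()
    return opts


def audit_options(opts: dict, resolver: bool = True) -> list[str]:
    """Findings for the options block; the validation check applies to resolvers."""
    findings = []
    if opts.get("dnssec-enable") == "no":
        findings.append("dnssec-enable no: the default is yes and turning it off breaks things")
    if "dnssec-lookaside" in opts:
        findings.append("dnssec-lookaside: the DLV is decommissioned, drop this option")
    if resolver:
        val = opts.get("dnssec-validation")
        if val == "yes":
            findings.append("dnssec-validation yes: needs manual trust-anchor management, use auto (RFC 5011)")
        elif val != "auto":
            findings.append("dnssec-validation: not explicitly set to auto")
    return findings


def dnskey_strength(rr: str) -> tuple[str, int | None]:
    """Return (algorithm name, RSA modulus bits or None) for a DNSKEY RR in text form."""
    fields = rr.split()
    i = fields.index("DNSKEY")          # owner [ttl] [class] DNSKEY flags proto alg key...
    alg = int(fields[i + 3])
    name = ALG_NAMES.get(alg, f"alg{alg}")
    if alg not in RSA_ALGS:
        return name, None
    pub = base64.b64decode("".join(fields[i + 4:]))
    # RFC 3110 wire format: exponent length (1 byte, or 0 followed by 2 bytes),
    # then the exponent, then the modulus.
    if pub[0] == 0:
        exp_len, off = int.from_bytes(pub[1:3], "big"), 3
    else:
        exp_len, off = pub[0], 1
    modulus = pub[off + exp_len:]
    return name, int.from_bytes(modulus, "big").bit_length()


def audit_dnskey(rr: str) -> list[str]:
    """Findings for one DNSKEY record: algorithm choice and RSA key size."""
    name, bits = dnskey_strength(rr)
    findings = []
    if name not in {ALG_NAMES[a] for a in RECOMMENDED_ALGS}:
        findings.append(f"{name}: use ECDSAP256SHA256 or RSASHA256")
    if bits is not None and bits < RECOMMENDED_RSA_BITS:
        findings.append(f"RSA {bits} bits is too small, use {RECOMMENDED_RSA_BITS}")
    elif bits is not None and bits > RECOMMENDED_RSA_BITS:
        findings.append(f"RSA {bits} bits is larger than needed, {RECOMMENDED_RSA_BITS} is enough")
    return findings


def _rsa_dnskey(owner: str, alg: int, modulus_bytes: int) -> str:
    """Build a DNSKEY RR with synthetic filler as the RSA public key (not a real key)."""
    exponent = b"\x01\x00\x01"                           # 65537
    modulus = b"\x80" + b"\x5a" * (modulus_bytes - 1)    # top bit set: exact bit length
    rdata = bytes([len(exponent)]) + exponent + modulus
    return f"{owner} IN DNSKEY 256 3 {alg} {base64.b64encode(rdata).decode()}"


# Constructed samples: the options block as posted, and as the reply recommends.
WEAK_CONF = """
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
};
"""
FIXED_CONF = """
options {
    directory "/var/named";
    dnssec-validation auto;
};
"""
WEAK_KEY = _rsa_dnskey("londontelecom.net.", 5, 128)    # RSASHA1, 1024 bits
OK_RSA_KEY = _rsa_dnskey("londontelecom.net.", 8, 256)  # RSASHA256, 2048 bits
OK_EC_KEY = "londontelecom.net. IN DNSKEY 257 3 13 " + base64.b64encode(b"\x42" * 64).decode()


def report() -> dict:
    """Run every check over the constructed samples."""
    return {
        "weak_conf": audit_options(parse_options(WEAK_CONF)),
        "fixed_conf": audit_options(parse_options(FIXED_CONF)),
        "weak_key": audit_dnskey(WEAK_KEY),
        "ok_rsa_key": audit_dnskey(OK_RSA_KEY),
        "ok_ec_key": audit_dnskey(OK_EC_KEY),
    }


if __name__ == "__main__":
    for label, findings in report().items():
        print(label, findings or "OK")
```

To use it on a live server, feed `parse_options` the contents of `/etc/named.conf` and `audit_dnskey` each DNSKEY line from the `K*.key` files; the size check only applies to RSA algorithms, so ECDSA and EdDSA keys get an algorithm verdict and no size finding.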
