Re: how to proper include DS record on key dnssec

2011-01-14 Thread Torinthiel
On 2011-01-14 03:11 fakessh @ wrote:

> hello bind network and hello dnssec network admin.
>
> thank you for answering,
> I think I found a solution to my problem.
> $INCLUDE directive is that I have to handle
>
> example:
> $INCLUDE /var/named/keys/dsset-fakessh.eu. fakessh.eu

YOU don't do it. This goes into the PARENT zone. Unless you manage the
parent zone as well, but even in that case it goes into a different file.

> $INCLUDE /var/named/keys/keyset-fakessh.eu. fakessh.eu

This is OK, although when you have an $INCLUDE and do dnssec-signzone it
automatically resolves it, so the generated signed zone does not have $INCLUDE.

> and perform a complete resignatures area zone
> this should enable me to have the flag DS and DS sign, DLV and DLV sign

Err, both the DS (as stated before) and DLV go into different zones.
To sum up:
DNSKEY goes to fakessh.eu
DS goes to .eu, and I don't have any idea if registrars already permit it
DLV goes to dlv.isc.net or any other dlv repository you want.

That's three different zones, and three different signers.

> in my area zone
>
> its right
>
> thanks for your return many return are welcome


> On Thursday 13 January 2011 at 12:36 -0500, Paul Wouters wrote:
> > On Thu, 13 Jan 2011, fakessh @ wrote:
> >
> > > I correctly configure my server centos dnssec on with as a
> > > representative of encryptions dlv isc. my question is relevant and was
> > > already asked but I have not found the complete answer on google. my
> > > question is how to include the DS record in the Keys. my keys are in a
> > > separate folder. the DS record is already generated in
> >
> > The DS record goes into the parent zone, not the zone itself.
> >
> > > I also wonder the utility of this good record given that my signatures
> > > are marked as good on dlv
> >
> > Use any public DNS server with dlv configured. eg nssec.xelerance.net:
> >
> > dig +dnssec -t ds yourzone @nssec.xelerance.net
> >
> > > what file in the include directive must be accomplished and realize how
> > > well inclusion of the DS record (what should be the proper syntax on how
> > > to declare dlv isc) how to re-sign after the keys
> >
> > You give your DS via http://dlv.isc.org/
> >
> > Paul
>
> --
> gpg --keyserver pgp.mit.edu --recv-key 092164A7
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
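
Added example (not part of the original thread and not BIND code): a small Python lint for the mistake discussed in the reply above, flagging a child zone file that includes its own dsset file or carries a DS record at its apex, while leaving DS records for delegated sub-zones alone. The sample zone is constructed; only the fakessh.eu origin, the include paths and key tag 47103 come from the thread, and `fqdn` and `lint_zone` are hypothetical helper names.

```python
# Constructed sample: name servers, serial, sub-zone and digests are made up.
SAMPLE_ZONE = """\
@   IN SOA ns1.fakessh.eu. hostmaster.fakessh.eu. (
        2011011401 3600 900 604800 3600 )
    IN NS  ns1.fakessh.eu.
$INCLUDE /var/named/keys/dsset-fakessh.eu. fakessh.eu
$INCLUDE /var/named/keys/keyset-fakessh.eu. fakessh.eu
fakessh.eu. IN DS 47103 3 1 0000000000000000000000000000000000000000
sub IN NS ns1.sub.fakessh.eu.
sub IN DS 12345 3 1 1111111111111111111111111111111111111111
"""

def fqdn(name, origin):
    # Expand a zone-file owner name to a lower-case absolute name.
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def lint_zone(text, origin):
    """Return (line_no, message) for DS data that belongs in the parent zone."""
    origin = origin.lower().rstrip(".") + "."
    cur, owner, depth, out = origin, origin, 0, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()           # drop comments
        if not line.strip():
            continue
        if depth > 0:                                   # continuation of a ( ... ) record
            depth += line.count("(") - line.count(")")
            continue
        tok = line.split()
        word = tok[0].upper()
        if word == "$ORIGIN" and len(tok) > 1:
            cur = fqdn(tok[1], cur)
        elif word == "$INCLUDE" and len(tok) > 1 and \
                tok[1].rsplit("/", 1)[-1].startswith("dsset-"):
            out.append((no, f"$INCLUDE {tok[1]}: dsset files go to the parent zone"))
        if word.startswith("$"):
            continue
        if not raw[0].isspace():                        # leading blank repeats the owner
            owner, tok = fqdn(tok[0], cur), tok[1:]
        while tok and (tok[0][0].isdigit() or tok[0].upper() in ("IN", "CH", "HS")):
            tok = tok[1:]                               # skip optional TTL and class
        if tok and tok[0].upper() == "DS" and owner == origin:
            out.append((no, f"DS at apex {owner}: publish it in the parent zone"))
        depth += line.count("(") - line.count(")")
    return out

if __name__ == "__main__":
    print(lint_zone(SAMPLE_ZONE, "fakessh.eu"))
```

The DS record for `sub` is not reported: for that delegation this zone is the parent, which is exactly where a DS record belongs.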

Re: how to proper include DS record on key dnssec

2011-01-13 Thread fakessh @
hello bind network and hello dnssec network admin.


thank you for answering,
I think I found a solution to my problem. 
$INCLUDE directive is that I have to handle


example: 
$INCLUDE /var/named/keys/dsset-fakessh.eu. fakessh.eu
$INCLUDE /var/named/keys/keyset-fakessh.eu. fakessh.eu

and perform a complete resignatures area zone
this should enable me to have the flag DS and DS sign, DLV and DLV sign
in my area zone

its right

thanks for your return many return are welcome


On Thursday 13 January 2011 at 12:36 -0500, Paul Wouters wrote:
> On Thu, 13 Jan 2011, fakessh @ wrote:
>
> > I correctly configure my server centos dnssec on with as a
> > representative of encryptions dlv isc. my question is relevant and was
> > already asked but I have not found the complete answer on google. my
> > question is how to include the DS record in the Keys. my keys are in a
> > separate folder. the DS record is already generated in
>
> The DS record goes into the parent zone, not the zone itself.
>
> > I also wonder the utility of this good record given that my signatures
> > are marked as good on dlv
>
> Use any public DNS server with dlv configured. eg nssec.xelerance.net:
>
> dig +dnssec -t ds yourzone @nssec.xelerance.net
>
> > what file in the include directive must be accomplished and realize how
> > well inclusion of the DS record (what should be the proper syntax on how
> > to declare dlv isc) how to re-sign after the keys
>
> You give your DS via http://dlv.isc.org/
>
> Paul
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7



how to proper include DS record on key dnssec

2011-01-12 Thread fakessh @

hello bind network 
hello dnssec network admin. 


I correctly configure my server centos dnssec on with as a
representative of encryptions dlv isc. my question is relevant and was
already asked but I have not found the complete answer on google. my
question is how to include the DS record in the Keys. my keys are in a
separate folder. the DS record is already generated in

I also wonder the utility of this good record given that my signatures
are marked as good on dlv

I read that a single include file in the keys was the right approach but
I would like to have more precision on the proper conduct of this
operation

what file in the include directive must be accomplished and realize how
well inclusion of the DS record (what should be the proper syntax on how
to declare dlv isc) how to re-sign after the keys

this is it the response on google for implement DS record with dnssec
http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.dns.bind/2010-08/msg00054.html


thanks for many returns who are welcome

this is a relevant on my config of keys
~]# cat  /var/named/dsset-fakessh.eu. 
fakessh.eu. IN DS 47103 3 1 CFEA04C5B91**7F2DF5225E357
fakessh.eu. IN DS 47103 3 2 68096942650C1DD89D5**09F4F1CD348 4D8ED07B


~]# ls -al /var/named/keys
total 8
drwxrwxr-x 2 root named 4096 jan  1 15:41 .
drwxrwx--- 7 root named 4096 jan  1 15:34 ..
lrwxrwxrwx 1 root named   28 jan  1 15:41 dsset-fakessh.eu. -> /var/named/dsset-fakessh.eu.
lrwxrwxrwx 1 root named   34 jan  1 15:41 dsset-nicolaspichot.fr. -> /var/named/dsset-nicolaspichot.fr.
lrwxrwxrwx 1 root named   33 jan  1 15:41 dsset-renelacroute.fr. -> /var/named/dsset-renelacroute.fr.
lrwxrwxrwx 1 root named   29 jan  1 15:41 keyset-fakessh.eu. -> /var/named/keyset-fakessh.eu.
lrwxrwxrwx 1 root named   35 jan  1 15:41 keyset-nicolaspichot.fr. -> /var/named/keyset-nicolaspichot.fr.
lrwxrwxrwx 1 root named   34 jan  1 15:41 keyset-renelacroute.fr. -> /var/named/keyset-renelacroute.fr.
lrwxrwxrwx 1 root named   37 jan  1 15:41 Kfakessh.eu.+003+47103.key -> /var/named/Kfakessh.eu.+003+47103.key
lrwxrwxrwx 1 root named   41 jan  1 15:41 Kfakessh.eu.+003+47103.private -> /var/named/Kfakessh.eu.+003+47103.private
lrwxrwxrwx 1 root named   37 jan  1 15:41 Kfakessh.eu.+003+59773.key -> /var/named/Kfakessh.eu.+003+59773.key
lrwxrwxrwx 1 root named   41 jan  1 15:41 Kfakessh.eu.+003+59773.private -> /var/named/Kfakessh.eu.+003+59773.private
lrwxrwxrwx 1 root named   43 jan  1 15:41 Knicolaspichot.fr.+003+02473.key -> /var/named/Knicolaspichot.fr.+003+02473.key
lrwxrwxrwx 1 root named   47 jan  1 15:41 Knicolaspichot.fr.+003+02473.private -> /var/named/Knicolaspichot.fr.+003+02473.private
lrwxrwxrwx 1 root named   43 jan  1 15:41 Knicolaspichot.fr.+003+07246.key -> /var/named/Knicolaspichot.fr.+003+07246.key
lrwxrwxrwx 1 root named   47 jan  1 15:41 Knicolaspichot.fr.+003+07246.private -> /var/named/Knicolaspichot.fr.+003+07246.private
lrwxrwxrwx 1 root named   42 jan  1 15:41 Krenelacroute.fr.+003+01827.key -> /var/named/Krenelacroute.fr.+003+01827.key
lrwxrwxrwx 1 root named   46 jan  1 15:41 Krenelacroute.fr.+003+01827.private -> /var/named/Krenelacroute.fr.+003+01827.private
lrwxrwxrwx 1 root named   42 jan  1 15:41 Krenelacroute.fr.+003+57237.key -> /var/named/Krenelacroute.fr.+003+57237.key
lrwxrwxrwx 1 root named   46 jan  1 15:41 Krenelacroute.fr.+003+57237.private -> /var/named/Krenelacroute.fr.+003+57237.private

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7

