bdnog11:netsec:bind-implementing-dnssec

Differences

This shows you the differences between two versions of the page.

bdnog11:netsec:bind-implementing-dnssec [2020/01/13 13:59]
Muhammad Moinur Rahman [B.Signing the zone]
bdnog11:netsec:bind-implementing-dnssec [2020/01/13 15:12]
Muhammad Moinur Rahman [B.Signing the zone]
Line 37: Line 37:
 ==== B. Signing the zone ==== ==== B. Signing the zone ====
   - Generate the key pair in ''/​etc/​bind/​master''​ directory. This command generates the ZSK.<​code>​dnssec-keygen –a <​algorithm>​ –b <​keysize>​ -n ZONE <​groupXX></​code>​ example: <​code>​dnssec-keygen -a RSASHA256 -b 1024 -n ZONE groupXX.net</​code>​The defaults are RSASHA1 for the algorithm, with 1024 bits for ZSK and 2048 bits for KSK. Since these are all defaults, we can just issue the command:<​code>​dnssec-keygen -n ZONE groupXX.net</​code>​This will generate two file. Now generate KSK. This command generates the KSK<​code>​dnssec-keygen -a <​algorithm>​ -b <​keysize>​ -f KSK -n ZONE <​groupXX></​code>​Or simply<​code>​dnssec-keygen -a RSASHA256 -b 1024 -f KSK  -n ZONE groupXX.net</​code>​   - Generate the key pair in ''/​etc/​bind/​master''​ directory. This command generates the ZSK.<​code>​dnssec-keygen –a <​algorithm>​ –b <​keysize>​ -n ZONE <​groupXX></​code>​ example: <​code>​dnssec-keygen -a RSASHA256 -b 1024 -n ZONE groupXX.net</​code>​The defaults are RSASHA1 for the algorithm, with 1024 bits for ZSK and 2048 bits for KSK. Since these are all defaults, we can just issue the command:<​code>​dnssec-keygen -n ZONE groupXX.net</​code>​This will generate two file. Now generate KSK. This command generates the KSK<​code>​dnssec-keygen -a <​algorithm>​ -b <​keysize>​ -f KSK -n ZONE <​groupXX></​code>​Or simply<​code>​dnssec-keygen -a RSASHA256 -b 1024 -f KSK  -n ZONE groupXX.net</​code>​
-  - Include the public DNSKEYs in the zone file. You can either copy the entire file or reference to it using the $INCLUDE directive. To do the latter, simply add the lines below. Note that you are including only the public portion (.key) into the zone file. The private portion (.private) must be kept secure.<​code>​+  - Include the public DNSKEYs in the zone file. You can either copy the entire file or reference to it using the $INCLUDE directive. Note that you are including only the public portion (.key) into the zone file. The private portion (.private) must be kept secure.<​code>​cat Kgroup*.key >> db.groupXX.net</​code>​OR<​code>​
 $INCLUDE “K<​groupXX>​.+005+<​id_of_zsk>​.key” $INCLUDE “K<​groupXX>​.+005+<​id_of_zsk>​.key”
 $INCLUDE “K<​groupXX>​.+005+<​id_of_ksk>​.key”</​code>​ $INCLUDE “K<​groupXX>​.+005+<​id_of_ksk>​.key”</​code>​
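Review bot: the `cat Kgroup*.key >> db.groupXX.net` alternative added in this revision appends every key file the glob matches, so if the directory also holds keys for another group's zone, or the command is run a second time, the zone ends up with foreign or duplicated DNSKEY records; narrow the glob to this zone's keys (e.g. `cat KgroupXX.net.+*.key >> db.groupXX.net`) and say it is to be run once. The `$INCLUDE` lines still hard-code `+005` (RSASHA1), while the KSK example above uses `-a RSASHA256`, whose files are named `+008`; either keep one algorithm for both keys (with a ZSK of one algorithm and a KSK of another, validators require every RRset to carry an RRSIG for each algorithm in the DNSKEY RRset, which a ZSK-only signature does not satisfy) or tell the reader to take the algorithm and key id from the generated file names. The `“…”` around the `$INCLUDE` filenames are typographic quotes and the `–a`/`–b` in the first keygen template are en dashes; both must be plain ASCII before a reader pastes them.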
bdnog11/netsec/bind-implementing-dnssec.txt · Last modified: 2020/01/14 12:34 by Muhammad Moinur Rahman