Date: Thu, 11 Apr 2019 17:30:34 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: DNSSEC signatures
Message-ID: <7f6f1240-97aa-3628-53ac-95290a98133b@FreeBSD.org>
In-Reply-To: <4e016c879f783ffda0993eed80293863.squirrel@webmail.harte-lyne.ca>
References: <4e016c879f783ffda0993eed80293863.squirrel@webmail.harte-lyne.ca>
On 11/04/2019 16:57, James B. Byrne via freebsd-questions wrote:
> There are no other problems with these zones, yet. Does anyone know
> what steps that I have not taken that are required to get automatic
> inline zone resigning to work?

You don't show which of your keys are ZSKs and which are KSKs -- the Zone Signing Keys are the ones that Bind will do all the automatic maintenance for, as those generally get rotated on a monthly basis and are used to sign the individual DNS RRs which probably change at an even faster rate.

Key Signing Keys need manual update, since that is typically an annual task that involves having your zone registrar update the DS records for your domain synchronously with your performing a KSK rollover.

If your KSK is out-of-date then you'll need to generate a new one and get it registered upstream ASAP, as the rest of the world (or at least the bits of it that pay attention to DNSSEC) will not be able to see your zone at all.

Use dnsviz.net for debugging: it's invaluable when working on setting this up, and you should get in the habit of checking there at regular intervals to be sure there aren't any problems.

I can heartily recommend Michael Lucas' "DNSSEC Mastery" as a slim volume that will explain what you need to do and why. See: https://mwl.io/nonfiction/networking#dnssec

Cheers,

Matthew
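The KSK/DS mismatch described in the reply above can be checked locally before (or alongside) a dnsviz.net run. The following is an added example, not code from the thread or from BIND: it derives the DS record (RFC 4034 key tag and SHA-256 digest) from each KSK-flagged DNSKEY in a zone and reports any KSK whose DS the parent does not publish. The zone name, key bytes and parent DS set are constructed placeholders.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKey:
    """One DNSKEY record as written in the zone file (protocol field is always 3)."""
    owner: str       # zone name, e.g. "example.com."
    flags: int       # 257 = zone key + SEP bit (a KSK), 256 = ZSK
    algorithm: int   # e.g. 13 = ECDSAP256SHA256
    pubkey_b64: str  # base64 public key field

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key
        return (self.flags.to_bytes(2, "big") + bytes([3, self.algorithm])
                + base64.b64decode(self.pubkey_b64))

    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)  # the SEP bit marks a Key Signing Key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except obsolete RSA/MD5)."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical lowercase wire form of the owner name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_rdata(key: DNSKey) -> str:
    """DS text for a DNSKEY: '<key tag> <alg> 2 <SHA-256 digest>' (RFC 4034 5.1.4)."""
    digest = hashlib.sha256(owner_wire(key.owner) + key.rdata()).hexdigest().upper()
    return f"{key_tag(key.rdata())} {key.algorithm} 2 {digest}"

def unpublished_ksks(zone_keys: list[DNSKey], parent_ds: list[str]) -> list[str]:
    """DS rdata of every KSK in the zone that the parent does not (yet) publish."""
    upstream = {" ".join(ds.split()).upper() for ds in parent_ds}
    return [ds_rdata(k) for k in zone_keys if k.is_ksk() and ds_rdata(k) not in upstream]

# Constructed sample data: the public-key bytes are placeholders, not real keys.
OLD_KSK = DNSKey("example.com.", 257, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KSK = DNSKey("example.com.", 257, 13, base64.b64encode(bytes(range(64, 128))).decode())
ZSK = DNSKey("example.com.", 256, 13, base64.b64encode(bytes(range(128, 192))).decode())
PARENT_DS = [ds_rdata(OLD_KSK)]  # DS the registrar currently publishes (constructed)

if __name__ == "__main__":
    for ds in unpublished_ksks([NEW_KSK, ZSK], PARENT_DS):
        print("KSK not registered upstream yet; give this DS to the registrar:", ds)
```

In practice the zone's DNSKEYs come from the signed zone (or `dig DNSKEY`) and the parent's DS set from a query against the parent's nameservers; an empty result means every KSK in use is anchored upstream.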