generate key pairs and some DS to share
mkdir ~/certs/
chmod 700 ~/certs/
cd ~/certs/
zone=DOMAIN.TLD
ldns-keygen -h
ldns-keygen -r /dev/urandom -k -a ECDSAP256SHA256 -b 256 $zone
ldns-keygen -r /dev/urandom -a ECDSAP256SHA256 -b 256 $zone
# the key basenames printed by ldns-keygen (K$zone.+013+NNNNN, without the .key/.private suffix)
KSK=/path/to
ZSK=/path/to
sign the zone, and do not forget to bump the serial beforehand if you have secondaries pulling the zone over XFR
SALT=`head -c 512 /dev/urandom | sha1 | cut -b 1-16`
#SALT=`head -c 512 /dev/urandom | sha1sum | cut -b 1-16` # on linux
ldns-signzone -h
ldns-signzone -n -t 10 -s $SALT /var/chroot/nsd/$zone.db $KSK $ZSK
ll /var/chroot/nsd/$zone.db*
apply
vi /var/chroot/nsd/nsd.conf
    zonefile: "%s.db.signed"
nsd-control reconfig
dig dnskey $zone @localhost +short
dig $zone @localhost +short +dnssec
you need a validating resolver to actually verify the DNSSEC signatures and the entire chain of trust (dig by itself only displays the records, it does not validate them)
resolver=x.x.x.x
provide the KSK (flags 257) and its DS record to your parent zone
cat $KSK.key
cat $KSK.ds
check that the DS record has been populated at the parent, and that the ad (authenticated data) flag shows up at every level of the chain, from the root down to your zone
dig DS $zone
dig +dnssec . @$resolver | grep '^;; flags'
dig +dnssec su. @$resolver | grep '^;; flags'
dig +dnssec os3.su. @$resolver | grep '^;; flags'
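The DS at the parent must be the digest of the KSK you published, so it is worth checking that by computation rather than by eye. This is an added example, not code from the page or from sign.ksh: it rebuilds the DS (RFC 4034 key tag and owner-name|RDATA digest) from a `dig DNSKEY +short` line and compares it with a `dig DS +short` line; the owner name os3.su and algorithm 13 come from the page, the 4-byte public key is a constructed dummy.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample, not a real key: KSK flags 257, protocol 3, ECDSAP256SHA256 (13),
# public key = bytes 00 01 00 02 in base64
SAMPLE_OWNER = "os3.su."
SAMPLE_DNSKEY = "257 3 13 AAEAAg=="


def wire_name(owner):
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in owner.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def key_tag(rdata):
    """RFC 4034 appendix B: sum the RDATA as 16-bit words, fold the carry, keep 16 bits."""
    ac = 0
    for i in range(0, len(rdata), 2):
        word = rdata[i] << 8
        if i + 1 < len(rdata):  # odd trailing byte is treated as the high byte of a word
            word |= rdata[i + 1]
        ac += word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def ds_from_dnskey(owner, dnskey_short, digest_type=2):
    """(key tag, algorithm, digest type, uppercase hex digest) for a `dig DNSKEY +short` line."""
    fields = dnskey_short.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    rdata = dnskey_rdata(flags, protocol, algorithm, "".join(fields[3:]))  # base64 may be split
    digest = DIGEST_ALGOS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def dnskey_matches_ds(owner, dnskey_short, ds_short):
    """True when a `dig DS +short` line from the parent is the DS of this child DNSKEY."""
    fields = ds_short.split()
    tag, alg, dtype = (int(f) for f in fields[:3])
    if dtype not in DIGEST_ALGOS:
        return False  # unknown digest type: cannot vouch for it
    return (tag, alg, dtype, "".join(fields[3:]).upper()) == ds_from_dnskey(owner, dnskey_short, dtype)


if __name__ == "__main__":
    print("%s IN DS %d %d %d %s" % ((SAMPLE_OWNER,) + ds_from_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY)))
```

With a real zone, feed it the `257 3 13 ...` line from `dig dnskey $zone +short` and the output of `dig DS $zone +short`; a False result means the parent still holds a stale or wrong DS.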
you are now ready to go for https://dnsviz.net/ and http://dnssec-debugger.verisignlabs.com/
https://pub.nethence.com/bin/daemons/sign.ksh.txt
and here is what sign.conf should look like.
if [[ $zone = nethence.com ]]; then
    KSK=/root/certs/Knethence.com.+xxx+xxxxx
    ZSK=/root/certs/Knethence.com.+xxx+xxxxx
elif [[ $zone = os3.su ]]; then
    KSK=/root/certs/Kos3.su.+xxx+xxxxx
    ZSK=/root/certs/Kos3.su.+xxx+xxxxx
else
    echo UNSUPPORTED ZONE: $zone
    exit 1
fi
LDNS Documentation https://www.nlnetlabs.nl/documentation/ldns/
DNSSEC Analyzer https://dnssec-debugger.verisignlabs.com/os3.su
DNSViz http://dnsviz.net/d/os3.su/dnssec/