[dnssec-deployment] Automated Signing Tools

Lutz Donnerhacke lutz at iks-jena.de
Wed Aug 15 11:05:17 EDT 2007


* Dan Mahoney, System Admin wrote:
> On Wed, 15 Aug 2007, Lutz Donnerhacke wrote:
>> $INCLUDE dnssec/zsk/Klan.iks-jena.de.+005+63095.key
>> $INCLUDE dnssec/ksk/Klan.iks-jena.de.+005+50901.key
>> $INCLUDE dnssec/sigs/lan.iks-jena.de
>
> If you do not have the DNSKEY records included in your zone, will
> dnssec-signzone automatically include them in the signed zone?

dnssec-signzone uses the same parser as bind itself. So the $INCLUDE
statements are the key to a clean setup.

> I.e. could this really be as simple as "chuck everything in a directory
> and let dnssec-signzone's smarts handle it"?

You need $INCLUDE and an appropriate reprocessing of the output of dnssec.
The only changing parts are the sigs files, so they are owned by a different
user on my systems and can be updated via cron.

A further minor detail is to direct dnssec-signzone to a distribution
directory, which contains the dsset files of delegated zones.
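The layout the mail describes (keys and signatures pulled in via $INCLUDE, a separately owned sigs file refreshed from cron, a distribution directory for dsset files), as an added shell example that is not from the original post. The directory paths, the resign wrapper and the awk-based extraction of RRSIG/NSEC records are assumptions about how the reprocessing step could be done; the sample signed zone is constructed, not real signer output.

```shell
#!/bin/sh
# Assumed layout (illustrative, not from the mail):
#   zones/lan.iks-jena.de        unsigned zone, contains the $INCLUDE lines
#   dnssec/zsk, dnssec/ksk       key files, owned by the zone administrator
#   dnssec/sigs/lan.iks-jena.de  RRSIG/NSEC records, owned by the cron user
#   dnssec/dist                  dsset-* files of delegated zones (-d)
set -eu

# Sign the zone with dnssec-signzone (BIND 9). -o gives the origin,
# -d the directory holding the dsset files, -f the output file.
sign_zone() {
    zone=$1; zonefile=$2; distdir=$3; out=$4
    dnssec-signzone -o "$zone" -d "$distdir" -f "$out" "$zonefile"
}

# Reprocessing step: keep only RRSIG and NSEC records from the signed zone
# (read on stdin) so the result can be $INCLUDEd by the unsigned zone.
# dnssec-signzone prints RRSIGs over several lines inside ( ... ), so the
# awk keeps copying lines until the closing parenthesis.
extract_sigs() {
    awk '
        /[[:space:]](RRSIG|NSEC)[[:space:]]/ { capture = 1 }
        capture {
            print
            if (index($0, "(") && !index($0, ")")) inrec = 1
            else if (index($0, ")")) inrec = 0
            if (!inrec) capture = 0
        }
    '
}

# Cron job for the signing user: sign, then refresh only the sigs file.
resign() {
    sign_zone "$1" "$2" dnssec/dist signed.tmp
    extract_sigs < signed.tmp > "dnssec/sigs/$1"
    rm -f signed.tmp
}

# Constructed sample of dnssec-signzone output (signature data is fake).
sample_signed_zone() {
    cat <<'EOF'
lan.iks-jena.de.      3600 IN SOA   ns.lan.iks-jena.de. hostmaster.lan.iks-jena.de. 2007081501 3600 900 604800 3600
lan.iks-jena.de.      3600 IN RRSIG SOA 5 3 3600 20070914110517 (
                                    20070815110517 63095 lan.iks-jena.de.
                                    CONSTRUCTEDSIGNATUREDATA== )
lan.iks-jena.de.      3600 IN NSEC  www.lan.iks-jena.de. SOA NS RRSIG NSEC DNSKEY
www.lan.iks-jena.de.  3600 IN A     192.0.2.10
www.lan.iks-jena.de.  3600 IN RRSIG A 5 4 3600 20070914110517 (
                                    20070815110517 63095 lan.iks-jena.de.
                                    CONSTRUCTEDSIGNATUREDATA== )
EOF
}
```

Running `sample_signed_zone | extract_sigs` shows the seven lines that would land in the sigs file: both multi-line RRSIGs and the NSEC, with the SOA and A records left out.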
