A Beginner's Guide to DNSSEC with BIND 9.
Well done! A few comments, if I may:
1. in your zone stanzas you use the term "master" (type: master, ... masters
{}). BIND was updated a while ago to support the term primary, e.g. `type
primary;' and `primaries {};' (likewise for 'secondary'). It might be a good time to
switch to the new nomenclature, particularly as you rightly call the primary a primary and
the secondary a secondary :)
2. I tend to use `rndc reconfig' for re-configuration (after adding a new zone,
say) rather than `reload', which I use when I wish named to load a modified
primary zone.
3. on your primary you have an allow-transfer{} ACL for your secondary using its IP address. You might wish to look into using TSIG for that.
4. note that `inline-signing' might go away and be replaced by dnssec-policy
which you may wish to look into at some point.
5. I'm not familiar with the paths used by your Ubuntu distro, but the command
at #6 appears to be incorrect:
sudo ./etc/bind/named-checkconf named.conf.local
named-checkconf(8) is likely in /usr/sbin and it will use a compiled-in
default configuration file.
6. just as an FYI: instead of "and if you quickly type tail var/log/syslog" I
typically `tail -f' (follow) the log file in a second window/pane/console or even in the
same session in order to have logs show up immediately. :)
7. Instead of querying for the SOA (dig ... SOA +dnssec), I like querying for
the DNSKEY RRset so that I see the key tags (key IDs): `dig @::1 example.com
DNSKEY +dnssec +multi' (the +multi flag shows me the key types and tags, or use
+nocrypto to omit the base64-encoded stuff)
8. in the section on externally validating, I'd love to recommend dnsviz.net: I
cannot think of another testing site which I would *pay* to use. These chaps
are grand!
Feel free to talk to me off-list if I've not made sense.
Best regards,
-JP
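
Putting comments 1, 3 and 4 together, this is what the primary's and the secondary's zone stanzas could look like in named.conf.local. It is an added example, not configuration taken from the guide under discussion or from JP's message. The zone name and addresses are documentation values, and the key name and secret are placeholders: generate the real key statement with `tsig-keygen xfer-key` and paste the same statement into both configs.

```conf
# ----- primary: /etc/bind/named.conf.local (added example, placeholder values) -----

# TSIG key shared with the secondary. Produce the real statement with
#   tsig-keygen xfer-key
# and keep the file readable by the bind user only.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LXBsYWNlaG9sZGVyLW5vdC1hLXJlYWwta2V5PT0=";   # placeholder, not a real secret
};

zone "example.com" {
    type primary;                          # was: type master;
    file "/var/lib/bind/db.example.com";   # the unsigned zone file; the directory must be
                                           # writable by named so it can keep the signed copy
    dnssec-policy default;                 # named generates the keys and signs the zone itself
    inline-signing yes;                    # signed copy lives in db.example.com.signed; keys go
                                           # to key-directory (the working directory by default)
    allow-transfer { key xfer-key; };      # was: allow-transfer { 192.0.2.2; };  (address only)
};

# ----- secondary: /etc/bind/named.conf.local -----

key "xfer-key" {                           # same name, algorithm and secret as on the primary
    algorithm hmac-sha256;
    secret "c2VjcmV0LXBsYWNlaG9sZGVyLW5vdC1hLXJlYWwta2V5PT0=";
};

zone "example.com" {
    type secondary;                        # was: type slave;
    file "/var/cache/bind/db.example.com";
    primaries { 192.0.2.1 key xfer-key; }; # was: masters { 192.0.2.1; };  requests are now TSIG-signed
};
```

With the key in the `allow-transfer` ACL, an AXFR/IXFR is accepted on the strength of the HMAC on the request rather than on the source address alone; the address-only form can still be kept in the ACL alongside the key, but then it is the weaker of the two that decides. After editing, `named-checkconf` with no arguments reads the compiled-in default (/etc/bind/named.conf on Debian and Ubuntu), or pass a file explicitly with `named-checkconf /etc/bind/named.conf`; then `rndc reconfig` picks up the new zone, and `rndc reload example.com` is the call for a later edit to the zone file. Whether `inline-signing yes;` is required next to `dnssec-policy` has varied between 9.x releases, so setting it explicitly is the assumption made here.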
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
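
Comment 7 suggests looking at the key tags in the DNSKEY RRset. The tag dig prints in its `key id = ...` comment is a checksum over the record (RFC 4034 Appendix B), so it can be recomputed from the answer and used to match every RRSIG to the key that made it, which is the check worth doing during a rollover. The script below does that; it is an added example, not code from the guide or from JP. `SAMPLE_DIG_OUTPUT` is a constructed answer with dummy four-byte public keys (real ECDSAP256SHA256 keys are 64 bytes) so the tags can be verified by hand, and `run_dig` simply shells out to the `dig @::1 example.com DNSKEY +dnssec +multi` command from the message.

```python
"""Audit a `dig <zone> DNSKEY +dnssec +multi` answer (added example).

Recomputes the key tag of every DNSKEY per RFC 4034 Appendix B, labels
KSK/ZSK from the flags field, and checks that each RRSIG in the answer
names a key that is actually present in the RRset.
"""
import base64
import subprocess


def rfc4034_key_tag(rdata: bytes, algorithm: int) -> int:
    """Key tag over the full DNSKEY RDATA (flags, protocol, algorithm, key).

    Algorithm 1 (RSAMD5, long deprecated) is the one exception: its tag is
    the 16 bits just before the last byte of the modulus (RFC 4034 App. B.1).
    """
    if algorithm == 1:
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # even offsets weigh the high byte
    ac += (ac >> 16) & 0xFFFF             # fold the carry back in
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA, which is what the tag is computed over."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def parse_dig_multi(text: str) -> list:
    """Split dig's +multi presentation into one token list per record.

    +multi wraps RDATA in '( ... )' over several lines and appends a ';'
    comment such as '; KSK; alg = ECDSAP256SHA256 ; key id = 1554'. The
    comments are dropped: the tag is recomputed, not trusted.
    """
    records, current, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # also discards ';; ANSWER SECTION:'
        for tok in line.split():
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                current.append(tok)
        if depth == 0 and current:
            records.append(current)
            current = []
    return records


def audit_dnskey_answer(text: str) -> dict:
    """Recompute key tags and match every RRSIG to a key in the DNSKEY RRset."""
    keys, sigs = [], []
    for rec in parse_dig_multi(text):
        if len(rec) < 5:
            continue
        owner, rtype = rec[0], rec[3]
        if rtype == "DNSKEY":                 # owner ttl IN DNSKEY flags proto alg key...
            flags, proto, alg = int(rec[4]), int(rec[5]), int(rec[6])
            pubkey = base64.b64decode("".join(rec[7:]))
            if not flags & 0x0100:            # bit 7 (Zone Key) clear: not usable for zone signing
                role = "not-a-zone-key"
            else:
                role = "KSK" if flags & 0x0001 else "ZSK"   # bit 15: SEP
            keys.append({"owner": owner, "flags": flags, "alg": alg, "role": role,
                         "tag": rfc4034_key_tag(dnskey_rdata(flags, proto, alg, pubkey), alg)})
        elif rtype == "RRSIG":                # ... covered alg labels origttl expire incept tag signer sig
            sigs.append({"covers": rec[4], "alg": int(rec[5]), "tag": int(rec[10]), "signer": rec[11]})
    by_key = {(k["tag"], k["alg"]): k for k in keys}   # a tag is a 16-bit checksum, collisions are possible
    findings = [{**s, "signer_role": (by_key.get((s["tag"], s["alg"])) or {}).get("role")} for s in sigs]
    return {
        "keys": keys,
        "signatures": findings,
        # the RRSIG over the DNSKEY RRset should come from the KSK, the key the parent's DS names
        "dnskey_signed_by_ksk": any(f["covers"] == "DNSKEY" and f["signer_role"] == "KSK" for f in findings),
        "unknown_signers": sorted({f["tag"] for f in findings if f["signer_role"] is None}),
    }


def run_dig(zone: str, server: str = "::1") -> str:
    """The query from the message: dig @::1 example.com DNSKEY +dnssec +multi."""
    return subprocess.run(["dig", f"@{server}", zone, "DNSKEY", "+dnssec", "+multi"],
                          capture_output=True, text=True, check=True).stdout


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


# Constructed sample answer (not real zone data): 4-byte dummy keys, tags checkable by hand.
_KSK_PUB = bytes([0x00, 0x01, 0x02, 0x03])   # RDATA 01 01 03 0d 00 01 02 03 -> tag 1554
_ZSK_PUB = bytes([0x10, 0x20, 0x30, 0x40])   # RDATA 01 00 03 0d 10 20 30 40 -> tag 17517
SAMPLE_DIG_OUTPUT = f"""\
;; ANSWER SECTION:
example.com.\t\t3600 IN DNSKEY 257 3 13 (
\t\t\t\t{_b64(_KSK_PUB)}
\t\t\t\t) ; KSK; alg = ECDSAP256SHA256 ; key id = 1554
example.com.\t\t3600 IN DNSKEY 256 3 13 (
\t\t\t\t{_b64(_ZSK_PUB)}
\t\t\t\t) ; ZSK; alg = ECDSAP256SHA256 ; key id = 17517
example.com.\t\t3600 IN RRSIG DNSKEY 13 2 3600 (
\t\t\t\t20240301000000 20240201000000 1554 example.com.
\t\t\t\tc2lnbmF0dXJlLXBsYWNlaG9sZGVy )
"""

if __name__ == "__main__":
    import json, sys
    text = run_dig(*sys.argv[1:3]) if len(sys.argv) > 1 else SAMPLE_DIG_OUTPUT
    print(json.dumps(audit_dnskey_answer(text), indent=2))
```

Run it as `python3 dnskey_audit.py example.com ::1` against a live server, or with no arguments to audit the constructed sample. A `signer_role` of `None` means an RRSIG names a key tag that is not in the RRset, which is what you see from the outside when a key was removed from the zone before the signatures it made had been replaced. Because the tag is only a 16-bit checksum, two keys can share one; the script keys on (tag, algorithm) and would report the last such key, so a collision is worth checking by hand. dnsviz.net (comment 8) shows the same relationships graphically.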