Hi Daniel,
As far as my experience goes, you’ll need to create a KSK and a ZSK first. But
you can also use a script to generate these key pairs. However, it is (at least
with the few registrars I have experience with) mandatory to enter your first DS
record manually, and then you could use CDS (if they support querying CDS) for
new keys.
A quick shell syntax for creating key pairs might be:
```bash
domain=example.com
# use whatever you want as long as named has proper permission to access
root_keydir=/var/named/keys
# create key directory
mkdir -p "${root_keydir}/${domain}" && cd "${root_keydir}/${domain}"
# KSK
dnssec-keygen -a <key_algorithm> -b <keysize> -f KSK "$domain"
# ZSK
dnssec-keygen -a <key_algorithm> -b <keysize> "$domain"
# what I usually do also (to correct ownership), don't use this kind of
# wildcard if you keep everything in one dir:
chown named:named ./K*
# if not already done, add config to your config file, with key-directory
# specified
# you can also store the DS record to a file or send it via API, but to
# retrieve it:
dnssec-dsfromkey <your_newly_created_key_file>
```
Best regards,
Jiaming Zhang
Yixi Meta
Email: [email protected]
Website: yiximeta.com
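
Because the first DS record is typed in by hand at the registrar, it helps to recompute what `dnssec-dsfromkey` prints and compare it with what the registrar shows. The following is an added example, not part of the original message or of BIND: it derives the key tag (RFC 4034, Appendix B) and the SHA-256 DS digest from the contents of a `K*.key` file. The sample key is constructed, the function names are hypothetical, and refusing non-KSK keys is this example's own choice.

```python
import base64
import hashlib
import struct

# Constructed sample: 64 placeholder bytes stand in for an ECDSA P-256 public key.
SAMPLE_KSK = ("; This is a key-signing key (constructed sample)\n"
              "Example.COM. 3600 IN DNSKEY 257 3 13 "
              + base64.b64encode(bytes(range(64))).decode())

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_key_file(text):
    """Return (owner, DNSKEY RDATA) from the contents of a K*.key file."""
    record = next(l for l in text.splitlines()
                  if l.strip() and not l.lstrip().startswith(";"))
    fields = record.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def compute_ds(text):
    """Return (key_tag, algorithm, digest_type, digest) using SHA-256 (type 2)."""
    owner, rdata = parse_key_file(text)
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0001:  # SEP bit clear: a ZSK; refusing it is this example's choice
        raise ValueError("not a KSK (SEP flag clear); DS should reference the KSK")
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def ds_matches(text, tag, alg, digest_type, digest):
    """True if the DS values shown by the registrar match the local key."""
    shown = (int(tag), int(alg), int(digest_type), "".join(digest.split()).upper())
    return shown == compute_ds(text)

if __name__ == "__main__":
    print("%d %d %d %s" % compute_ds(SAMPLE_KSK))
```
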
________________________________
From: bind-users <[email protected]> on behalf of Daniel A. Rodriguez
via bind-users <[email protected]>
Sent: Thursday, June 22, 2023 7:47:55 PM
To: [email protected] <[email protected]>
Subject: DNSSEC doubt
I wonder if it's mandatory to make a manual deployment prior to an automated setup.