Hi Daniel,

As far as my experience goes, you'll need to create a KSK and a ZSK first. But 
you can also use a script to generate these key pairs. However, it is (at least 
with the few registrars I have experience with) mandatory to enter your first DS 
record manually, and then you could use CDS (if they support querying CDS) for 
new keys.

A quick shell syntax for creating key pairs might be:
```bash
domain=example.com
# use whatever you want as long as named has proper permission to access it
root_keydir=/var/named/keys
# create key directory
mkdir -p "${root_keydir}/${domain}" && cd "${root_keydir}/${domain}"
# KSK
dnssec-keygen -a <key_algorithm> -b <keysize> -f KSK "$domain"
# ZSK
dnssec-keygen -a <key_algorithm> -b <keysize> "$domain"
# what I usually do also (to correct ownership); don't use this kind of
# wildcard if you keep everything in one dir:
chown named:named ./K*
# if not already done, add config to your config file, with key-directory
# specified
# you can also store the DS record to a file or send them via API, but to
# retrieve them:
dnssec-dsfromkey <your_newly_created_key_file>
```

Best regards,
Jiaming Zhang

Yixi Meta
Email: j.zh...@yiximeta.com
Website: yiximeta.com

________________________________
From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Daniel A. Rodriguez via bind-users <bind-users@lists.isc.org>
Sent: Thursday, June 22, 2023 7:47:55 PM
To: bind-users@lists.isc.org <bind-users@lists.isc.org>
Subject: DNSSEC doubt

I wonder if it's mandatory to make a manual deployment prior to an automated setup.