Compose Content
Authored By
Story Title
Enter Story or Feedback
 

DNSSEC Changes to Bind Config files

Author: DM47
3/6/2009 8:40:28 AM

To move from an unsigned zone to a DNSSEC signed zone, the
following changes are necessary to the named.conf (or $include files).

The signed zone, 'domain.net.signed', will be the new zone file that
should be present in named.conf. The prior file should be edited offline
and used as input to the DNSSEC zone signing process.


zone "domain.net" {
     type master;
     file "domain.net.signed";
};


Next, add the following command to the named.conf options
statements:


options {
  ...
  ...  
        dnssec-enable yes;
};


Next, add the following command to the named.conf options
statements:


options {
  ...
  ...  
        dnssec-enable yes;
};


Next, restart the bind service using the appropriate command or tool.

You are now ready to test the signatures.

NOTE: Statements like the following that were added to the unsigned zone
file:

$include Kfed.gov.+007+55791.key ; Active Key Signing Key
$include Kfed.gov.+007+08345.key ; Active Zone Signing Key
$include Kfed.gov.+007+44198.key ; Prepublished Zone Signing Key


will be removed by the dnssec-signzone command. Do not attempt to add
or change the contents of the ."signed" file. To update the zone, change the
unsigned file and resign the unsigned file.

comment on this