Posted on Sun, 05/06/2012 - 11:51
To enable DNSSEC for a DNS zone with the BIND tools, use the following commands.
First create a Key Signing Key (KSK) and a Zone Signing Key (ZSK):
dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 2048 -n ZONE example.net
dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE example.net
Each command prints the base name of the key pair it wrote, e.g. Kexample.net.+005+12345, where 005 is the algorithm number (RSASHA1) and 12345 is the key tag; the public key lands in the .key file and the private key in the .private file. Two caveats: -r /dev/random can block for a long time on a host with little entropy, and RSASHA1 with a 1024-bit ZSK is weak by current standards (RFC 8624 lists RSASHA1 as not recommended for signing; on a current BIND use ECDSAP256SHA256 or ED25519 instead).
Now sign the zone with the KSK and ZSK (replace kskid and zskid with the key tags dnssec-keygen printed):
dnssec-signzone -l dlv.isc.org -o example.net -k Kexample.net.+005+kskid example.net.db Kexample.net.+005+zskid.key
-o is the zone origin, -k names the KSK, and the remaining arguments are the zone file and the ZSK. The signed zone is written to example.net.db.signed; that is the file named must load instead of example.net.db. -l registered the zone with ISC's DNSSEC Lookaside Validation (DLV) service for validators that had no chain of trust through .net; ISC retired DLV in 2017, so drop -l and rely on the DS record in the parent zone.
dnssec-signzone also writes the DS record for the KSK to the file dsset-example.net.; publish that DS record in the parent zone (.net, via your registrar) so validators have a chain of trust from the root down to example.net. By default the generated RRSIGs are valid for 30 days from the time of signing, so dnssec-signzone has to be repeated before they expire (bumping the SOA serial each time, which -N increment does for you) and every time the zone is changed.
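The whole procedure as one script, added here as an example; it is not code from the original post. It swaps RSASHA1 for ECDSAP256SHA256, assumes BIND 9.9 or later (for dnssec-verify), keys and zone file in the current directory, dnssec-signzone's default output name example.net.db.signed, and GNU date syntax in the cron entry at the bottom; the function names (make_keys, ds_record, sign_zone, rrsig_expirations, needs_resign, sample_signed_zone) are this example's own. The signed-zone fragment it carries is constructed in the style dnssec-signzone writes, with made-up signatures. Beyond the post's steps it shows how to read the RRSIG expiration times out of the signed file to decide whether a re-sign is due before the 30-day validity runs out.

```shell
#!/bin/sh
# DNSSEC key generation, signing and re-sign check for a BIND zone.
# Added example, not from the original post. Assumptions: ECDSAP256SHA256 keys
# (the post used RSASHA1), BIND >= 9.9 tools, keys and zone file in the current
# directory, signed output at <zonefile>.signed (dnssec-signzone's default).
set -u

# make_keys ZONE: create a KSK and a ZSK. dnssec-keygen prints the base name of
# each pair (e.g. Kexample.net.+013+12345: algorithm 13, key tag 12345).
make_keys() {
    ksk=$(dnssec-keygen -a ECDSAP256SHA256 -f KSK "$1")
    zsk=$(dnssec-keygen -a ECDSAP256SHA256 "$1")
    echo "$ksk $zsk"
}

# ds_record KSK: print the DS record (SHA-256 digest) to hand to the registrar.
ds_record() {
    dnssec-dsfromkey -2 "$1.key"
}

# sign_zone ZONE ZONEFILE KSK ZSK [DAYS]: sign, then verify the result.
# -N increment bumps the SOA serial so secondaries transfer the new signatures;
# -e sets the RRSIG expiration relative to signing time (default 30 days).
sign_zone() {
    dnssec-signzone -o "$1" -N increment -e "+$(( ${5:-30} * 86400 ))" \
        -k "$3" "$2" "$4.key" \
    && dnssec-verify -o "$1" "$2.signed"
}

# rrsig_expirations < SIGNEDFILE: print the expiration time (YYYYMMDDHHMMSS) of
# every RRSIG. dnssec-signzone wraps records over several lines inside ( ) and
# zone files carry ; comments, so comments are stripped and wrapped records are
# joined before the fields are read. In an RRSIG the expiration is the 5th field
# after the RRSIG token: type covered, algorithm, labels, original TTL, expiration.
rrsig_expirations() {
    awk '
    { sub(/;.*/, ""); buf = (buf == "") ? $0 : (buf " " $0) }
    index(buf, "(") && !index(buf, ")") { next }      # record continues below
    {
        gsub(/[()]/, " ", buf); n = split(buf, f, " "); buf = ""
        for (i = 1; i <= 4 && i <= n; i++)            # RRSIG is token 2..4
            if (f[i] == "RRSIG" && i + 5 <= n && length(f[i + 5]) == 14) {
                print f[i + 5]; break
            }
    }'
}

# rrsig_min_expiry SIGNEDFILE: earliest expiration; the timestamps sort lexically.
rrsig_min_expiry() {
    rrsig_expirations < "$1" | sort | head -n 1
}

# needs_resign SIGNEDFILE THRESHOLD: succeed when the earliest RRSIG expires at
# or before THRESHOLD (YYYYMMDDHHMMSS), or when the file carries no RRSIG at all.
needs_resign() {
    min=$(rrsig_min_expiry "$1")
    [ -z "$min" ] || awk -v a="$min" -v b="$2" 'BEGIN { exit (a <= b) ? 0 : 1 }'
}

# sample_signed_zone OUTFILE: constructed fragment in dnssec-signzone's output
# style with made-up signatures, for trying the functions above offline.
sample_signed_zone() {
    cat > "$1" <<'EOF'
; File written on Sun May  6 11:51:00 2012
; dnssec_signzone version 9.9.0
example.net.    86400   IN SOA  ns1.example.net. hostmaster.example.net. (
                    2012050601 ; serial
                    7200       ; refresh (2 hours)
                    3600       ; retry (1 hour)
                    1209600    ; expire (2 weeks)
                    3600       ; minimum (1 hour)
                    )
                86400   RRSIG   SOA 13 2 86400 (
                    20120605115100 20120506115100 12345 example.net.
                    c29tZWJhc2U2NHNpZ25hdHVyZQ== )
                86400   NS      ns1.example.net.
                86400   RRSIG   NS 13 2 86400 (
                    20120607120000 20120506115100 12345 example.net.
                    YW5vdGhlcnNpZ25hdHVyZQ== )
                3600    NSEC    ns1.example.net. NS SOA RRSIG NSEC DNSKEY
                3600    RRSIG   NSEC 13 2 3600 (
                    20120606000000 20120506115100 12345 example.net.
                    dGhpcmRzaWduYXR1cmU= )
EOF
}

# Cron entry, e.g. daily:
#   sh resign.sh example.net example.net.db Kexample.net.+013+11111 Kexample.net.+013+22222
# Re-signs when any RRSIG expires within 7 days (GNU date syntax; an assumption).
if [ $# -eq 4 ]; then
    if needs_resign "$2.signed" "$(date -u -d '+7 days' +%Y%m%d%H%M%S)"; then
        sign_zone "$1" "$2" "$3" "$4"
    fi
fi
```

Run make_keys once, hand the output of ds_record to the registrar, and let the cron entry do the periodic work; the expiry check is what keeps a forgotten zone from going bogus when the 30 days run out. Note that a file with no RRSIG at all is reported as needing a signature, so a freshly edited example.net.db.signed that someone replaced with the unsigned copy is caught as well.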
Interesting links
http://www.dnssecmonitor.org/index.php
http://dnssec-debugger.verisignlabs.com
https://dlv.isc.org/about/using (ISC retired the DLV service in 2017)