This is how to sign your domain with DNSsec on Gandi


Install bind9 to your Linux server. Add the following line to /etc/bind/named.conf

        dnssec-enable yes;

create a directory /etc/bind/dnssec/ and under it another one for each domain you want to sign

for example /etc/bind/dnssec/

Change directory to the one you just made and create the keys:

dnssec-keygen -a RSASHA256 -b 2048 -r /dev/urandom -n ZONE

dnssec-keygen -f KSK -a RSASHA256 -b 2048 -r /dev/urandom -n ZONE

(Remeber to correct the domain names to match your ones in all the commands)

List the key file names

ls /etc/named/dnssec/*.key

and add them to the end of the zone file /etc/named/pri/

$include /etc/named/dnssec/

$include /etc/named/dnssec/

Now you can sign the zone.

dnssec-signzone -r /dev/urandom -K /etc/named/dnssec/ -N unixtime -g -o /etc/named/pri/

Change the zone file definition in /etc/bind/named.conf

             file "pri/";

Restart bind and see that the slave DNS severs get the new signed zone file.

Sign to and update your DNSSEC key.

Select your domain, select [Manage DNSSEC],

select Flags: [257 - KSK] and Algorithm: [8 - RSA/SHA-256],

paste your Key Signing Key to the box and click [Add].

The correct key file is the one that has the numbers 257 3 8 on the first non-commented line.

You can find the Key Signing Key after the IN DNSKEY 257 3 8

until the end of the file.

The zone needs to be signed again within 30 days, so you should probably add the signing procedure to the crontab. If you modify the zone file, you will obviously also need to sign the zone again.