This is how to sign your domain with DNSsec on Gandi

 

Install bind9 to your Linux server. Add the following line to /etc/bind/named.conf

        dnssec-enable yes;

create a directory /etc/bind/dnssec/ and under it another one for each domain you want to sign

for example /etc/bind/dnssec/73.fi/

Change directory to the one you just made and create the keys:

dnssec-keygen -a RSASHA256 -b 2048 -r /dev/urandom -n ZONE 73.fi

dnssec-keygen -f KSK -a RSASHA256 -b 2048 -r /dev/urandom -n ZONE 73.fi

(Remeber to correct the domain names to match your ones in all the commands)

List the key file names

ls /etc/named/dnssec/73.fi/*.key

and add them to the end of the zone file /etc/named/pri/73.zone

$include /etc/named/dnssec/73.fi/K73.fi.+005+12345.key

$include /etc/named/dnssec/73.fi/K73.fi.+005+23456.key

Now you can sign the zone.

dnssec-signzone -r /dev/urandom -K /etc/named/dnssec/73.fi -N unixtime -g -o 73.fi /etc/named/pri/73.zone

Change the zone file definition in /etc/bind/named.conf

             file "pri/73.zone.signed";

Restart bind and see that the slave DNS severs get the new signed zone file.

Sign to gandi.net and update your DNSSEC key.

Select your domain, select [Manage DNSSEC],

select Flags: [257 - KSK] and Algorithm: [8 - RSA/SHA-256],

paste your Key Signing Key to the box and click [Add].

The correct key file is the one that has the numbers 257 3 8 on the first non-commented line.

You can find the Key Signing Key after the

73.fi. IN DNSKEY 257 3 8

until the end of the file.

The zone needs to be signed again within 30 days, so you should probably add the signing procedure to the crontab. If you modify the zone file, you will obviously also need to sign the zone again.

 

RootBear@IRCnet

 

Creative Commons -license
This is how to sign your domain with DNSsec on Gandi made by RootBear @ IRCnet under license Attribution-NonCommercial-ShareAlike 3.0 Unported (CC BY-NC-SA 3.0).
Visitors: 2345