Comments on Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10
Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10

This guide explains how to configure DNSSEC on BIND9 (version 9.7.3, the version shipped with Debian Squeeze and Ubuntu 11.10). It covers how to enable DNSSEC on authoritative nameservers (master and slave) and on resolving nameservers, creation of keys (KSKs and ZSKs), signing of zones, key rolling with rollerd, zone file checking with donuts, creation of trust anchors, using DLV (DNSSEC look-aside validation), and getting your DS records into the parent's zone.
Comments
Seems to me as if the IP addresses for NS1 and NS2 are backwards.
In the example NS1 has 192.168.0.100 as master.
NS2 has 192.168.0.101 as slave.
Later on the master shows as 192.168.0.101 and the slave is 192.168.0.100.
Actually no big deal, however someone who strictly follows the howto will possibly wind up in the dark.
Cheers
Setting up DNSSEC on my Nameservers was actually a breeze with this excellent tutorial. Thanks a million.
The example file pri.example.org sometimes shows example.com and other times example.org. Which is it? This is so confusing. Where's the example sec.example.org file?
Nice howto. I tried it on a server with ISPConfig 3. Unfortunately, ISPConfig deletes some manual configs when any DNS zone file is changed. Any ideas to solve that?
After the first run of zonesigner, running donuts reported an error "bad NSEC data, line 307" (the line number depends on the data in the zone). This appears to be a known problem described at https://bugs.launchpad.net/ubuntu/+source/dnssec-tools/+bug/1215093. It can be resolved by adding an extra parameter to the zonesigner command: -szopts "-O full". The example command from the tutorial becomes:
zonesigner -szopts "-O full" -genkeys -usensec3 -zone example.org pri.example.org
Unfortunately, I then ran into a further known problem with donuts, which gives a fatal error: Unknown method 'first'. This is described at http://www.dnssec-tools.org/pipermail/users/2014-August/000194.html. As I experienced this on Raspbian Jessie, it is not certain that the problem has been fixed in Debian 8. Or it could be that Raspbian is behind.
zonesigner -genkeys -usensec3 -zone example.org pri.example.org
This command does not work for me, please help.