search for: dsset

...t site suggested the use of dnssec-signzone after key creation ala a command like (the stuff that follows has been sanitized): > dnssec-signzone -3 `head -c 1000 /dev/random | sha1sum | cut -b 1-16` -N INCREMENT -o domain.tld -t domain.tld.zone After resigning with that command a file named dsset-domain.tld. is created which contains 2 digests. > cat dsset-domain.tld. domain.tld. IN DS 20716 7 1 04E3E6C87CD4190F74DD0371A14AD5CC42B71521 domain.tld. IN DS 20716 7 2 FA6D0EF0100855E5C85C6CD5A33590681DD9D7D9F6C773785C53E865 E02FF572 It is the keytag (20716) and the digests (hex fields) t...

...ssec-signzone after key creation ala a > command like (the stuff that follows has been sanitized): > > > dnssec-signzone -3 `head -c 1000 /dev/random | sha1sum | cut -b 1-16` > -N INCREMENT -o domain.tld -t domain.tld.zone > > After resigning with that command a file named dsset-domain.tld. is > created which contains 2 digests. > > > cat dsset-domain.tld. > domain.tld. IN DS 20716 7 1 04E3E6C87CD4190F74DD0371A14AD5CC42B71521 > domain.tld. IN DS 20716 7 2 > FA6D0EF0100855E5C85C6CD5A33590681DD9D7D9F6C773785C53E865 E02FF572 > > It is the keyta...

...t;/var/named/chroot/var/named" LOG="/var/named/chroot/var/log/dnssec_resign.log" MAILREC="monitor at xx" #delete old signed files rm -rf $ZONEDIR/*.signed #delete the old log rm -rf $LOG #read the zonefiles ZONEFILES=$(ls -p $ZONEDIR | grep -v '/$' | grep -v 'dsset*') for FILES in $ZONEFILES; do #remove the .zone at the end ZONE=$(echo "${FILES%.*}") #remove the old signed zone rm -rf $ZONEDIR/$ZONE.signed #Sign the zone cd $ZONEDIR dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 -f $ZONE.signed $ZONED...

Last weekend I had my DNSSEC keys expire. I discovered that they had expired the hard way... namely randomly websites could not be found and email did not get delivered. It seems that the keys were only valid for what I estimate was about 30 days. It is a real PITA to have update the keys, restart named and then update Godaddy with new digests. The first part of the problem is fairly

.../named/chroot/var/log/dnssec_resign.log" > MAILREC="monitor at xx" > > #delete old signed files > rm -rf $ZONEDIR/*.signed > > #delete the old log > rm -rf $LOG > > #read the zonefiles > ZONEFILES=$(ls -p $ZONEDIR | grep -v '/$' | grep -v 'dsset*') > > for FILES in $ZONEFILES; do > #remove the .zone at the end > ZONE=$(echo "${FILES%.*}") Why not just: ZONE=${FILES%.*} > #remove the old signed zone > rm -rf $ZONEDIR/$ZONE.signed You deleted them all further up. > #Sign the zone >...

.../named/chroot/var/log/dnssec_resign.log" > MAILREC="monitor at xx" > > #delete old signed files > rm -rf $ZONEDIR/*.signed > > #delete the old log > rm -rf $LOG > > #read the zonefiles > ZONEFILES=$(ls -p $ZONEDIR | grep -v '/$' | grep -v 'dsset*') > > for FILES in $ZONEFILES; do > #remove the .zone at the end > ZONE=$(echo "${FILES%.*}") Why not just: ZONE=${FILES%.*} > #remove the old signed zone > rm -rf $ZONEDIR/$ZONE.signed You deleted them all further up. > #Sign the zone >...