Displaying 9 results from an estimated 9 matches for "signzone".

2019 Feb 13
3
DNSSEC Questions
...> <snip> > It's not the keys that are the issue, but the RRSIG record that > contains a start and expiration time for the records. > > If you upload signed zone files to godaddy, make sure to resign once a > week or so so that the RRSIG gets updated. > > man ldns-signzone Okay so I misunderstood the message I was getting when I checked my DNSSEC setup via http://dnsviz.net/. What you are telling me is that all I had to do was re-sign the zone files but that it was not necessary to generate new keys. This point is definitely one that I missed. I too run my own a...
2019 Feb 13
0
DNSSEC Questions
...t's not the keys that are the issue, but the RRSIG record that >> contains a start and expiration time for the records. >> >> If you upload signed zone files to godaddy, make sure to resign once a >> week or so so that the RRSIG gets updated. >> >> man ldns-signzone > > Okay so I misunderstood the message I was getting when I checked my > DNSSEC setup via http://dnsviz.net/. What you are telling me is that all > I had to do was re-sign the zone files but that it was not necessary to > generate new keys. This point is definitely one that I mi...
2019 Feb 13
2
DNSSEC Questions
Last weekend I had my DNSSEC keys expire. I discovered that they had expired the hard way... namely randomly websites could not be found and email did not get delivered. It seems that the keys were only valid for what I estimate was about 30 days. It is a real PITA to have to update the keys, restart named and then update Godaddy with new digests. The first part of the problem is fairly
2008 Jul 14
1
freebsd-update not pulling in BIND update
...ng files will be updated as part of updating to 7.0-RELEASE-p3: /boot/kernel/kernel /boot/kernel/kernel.symbols /usr/bin/dig /usr/bin/host /usr/bin/nslookup /usr/bin/nsupdate /usr/include/netinet/tcp.h /usr/lib/libssh.a /usr/lib/libssh.so.4 /usr/lib/libssh_p.a /usr/sbin/dnssec-signzone /usr/sbin/lwresd /usr/sbin/named /usr/sbin/named-checkconf /usr/sbin/named-checkzone /usr/sbin/named-compilezone /usr/sbin/sshd /usr/src/sys/conf/newvers.sh /usr/src/sys/netinet/tcp.h /usr/src/sys/netinet/tcp_output.c While there is a new file for /usr/sbin/named, it isn't re...
2017 Feb 01
4
Script not running correctly as cronjob
...files ZONEFILES=$(ls -p $ZONEDIR | grep -v '/$' | grep -v 'dsset*') for FILES in $ZONEFILES; do #remove the .zone at the end ZONE=$(echo "${FILES%.*}") #remove the old signed zone rm -rf $ZONEDIR/$ZONE.signed #Sign the zone cd $ZONEDIR dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 -f $ZONE.signed $ZONEDIR/$ZONE.zone $ZSKDIR/K$ZONE.*.key >> $LOG #Set the correct permissions chown named.named $ZONEDIR/*.signed chmod 755 $ZONEDIR/*.signed sleep 5 done rm -rf $ZONEDIR/named.zone echo $(date +"%T&qu...
2017 Feb 01
1
Script not running correctly as cronjob
...*}") Why not just: ZONE=${FILES%.*} > #remove the old signed zone > rm -rf $ZONEDIR/$ZONE.signed You deleted them all further up. > #Sign the zone > cd $ZONEDIR Why not do this before the loop? Then you also don't need $ZONEDIR/ everywhere. > dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 > -f $ZONE.signed $ZONEDIR/$ZONE.zone $ZSKDIR/K$ZONE.*.key >> $LOG > > #Set the correct permissions > chown named.named $ZONEDIR/*.signed > chmod 755 $ZONEDIR/*.signed > sleep 5 > done > rm -rf $ZON...
2017 Feb 01
0
Script not running correctly as cronjob
...*}") Why not just: ZONE=${FILES%.*} > #remove the old signed zone > rm -rf $ZONEDIR/$ZONE.signed You deleted them all further up. > #Sign the zone > cd $ZONEDIR Why not do this before the loop? Then you also don't need $ZONEDIR/ everywhere. > dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 -f $ZONE.signed $ZONEDIR/$ZONE.zone > $ZSKDIR/K$ZONE.*.key >> $LOG > > #Set the correct permissions > chown named.named $ZONEDIR/*.signed > chmod 755 $ZONEDIR/*.signed > sleep 5 > done > rm -rf $ZONE...
2019 Feb 13
0
DNSSEC Questions
...eygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE zone It's not the keys that are the issue, but the RRSIG record that contains a start and expiration time for the records. If you upload signed zone files to godaddy, make sure to resign once a week or so so that the RRSIG gets updated. man ldns-signzone It has switches for setting the start and expiration date of signatures. By default I believe it uses current timestamp for start and +60 days for end, though it may be +30 days.
2006 Sep 06
1
FreeBSD Security Advisory FreeBSD-SA-06:20.bind
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:20.bind Security Advisory The FreeBSD Project Topic: Denial of Service in named(8) Category: contrib Module: bind Announced: 2006-09-06