You will need the dnssec-keygen tool to create your keys, and then you apply the zone modifications in the conf file for the knot name-server daemon.
First, let's look at signing zone keys for my blog.hyperfeed.net zone.
To create our zone-signing keys, the dnssec-keygen tool will do the job.
Okay, what we did there was create two key pairs for the zone: the zone-signing key (ZSK) and the key-signing key (aka KSK). dnssec-keygen writes each pair as a .key file (the public DNSKEY record) and a .private file, and prefixes the file names with an uppercase "K". I used 2048-bit keys for both pairs.
To learn more about KSK keys, look here:
https://www.dnssec-tools.org/wiki/index.php/KSK
Now, moving on to the knot configuration file.
You will need to craft the correct entries for the zone and point the daemon at the key directory. I personally like to make the key directory ./key/<name-of-zone>.
Next we copy the keys into this key directory, since in my setup the key-generation utility runs on another host. These key pairs must be kept secret, and the private keys in particular must be locked down so only the signing daemon can read them.
Now the fun begins: we modify our knotd conf file to sign the zone.
Note: just as with BIND, signing can be enabled per zone, and the knotc command will confirm that DNSSEC is enabled for the zone.
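The whole procedure above, as one added example that is not part of the original post or the Knot project: generate a ZSK/KSK pair with BIND's dnssec-keygen into ./key/<zone> (the post's layout), lock down the private halves, tell the KSK from the ZSK by the DNSKEY flags field in the .key files, and emit a Knot zone stanza. Assumed here: dnssec-keygen is on PATH, RSASHA256 with 2048-bit keys (the post's key size, my algorithm choice), and the Knot 1.x `dnssec-enable` / `dnssec-keydir` directives; the sample .key contents are constructed, and the config syntax should be checked against the Knot version you actually run.

```shell
#!/bin/sh
# Added example, not from the original post or the Knot project.
# Assumed: dnssec-keygen (BIND) on PATH, RSASHA256 2048-bit keys, and the
# Knot 1.x 'dnssec-enable' / 'dnssec-keydir' directives; verify against
# the Knot version you run.

ZONE="${ZONE:-blog.hyperfeed.net}"

# Key directory convention from the post: ./key/<name-of-zone>
keydir_for() {
    printf './key/%s\n' "$1"
}

# Generate one ZSK and one KSK. dnssec-keygen prints each key's basename,
# e.g. Kblog.hyperfeed.net.+008+12345, and writes <basename>.key (public DNSKEY
# record) and <basename>.private into the -K directory.
gen_keys() {
    zone="$1"
    dir="$(keydir_for "$zone")"
    mkdir -p "$dir" && chmod 700 "$dir"
    dnssec-keygen -K "$dir" -a RSASHA256 -b 2048 -n ZONE "$zone"          # ZSK (flags 256)
    dnssec-keygen -K "$dir" -a RSASHA256 -b 2048 -n ZONE -f KSK "$zone"   # KSK (flags 257)
    chmod 600 "$dir"/K*.private
}

# Classify a .key file (read on stdin) by its DNSKEY flags field:
# 257 = KSK (SEP bit set), 256 = ZSK. Works with or without a TTL column.
key_role() {
    awk '$1 ~ /^;/ { next }
         { for (i = 1; i < NF; i++) if ($i == "DNSKEY") {
               f = $(i + 1)
               r = (f == 257) ? "KSK" : ((f == 256) ? "ZSK" : "UNKNOWN")
               print r; exit } }'
}

# Succeed only if no .private file under the directory is group- or world-accessible.
# Run this after copying the keys onto the signing host.
check_private_perms() {
    bad="$(find "$1" -name 'K*.private' \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) 2>/dev/null)"
    [ -z "$bad" ]
}

# Emit a Knot 1.x zone stanza pointing at the key directory (assumed syntax).
knot_zone_conf() {
    zone="$1"; zonefile="$2"
    cat <<EOF
zones {
  dnssec-enable on;
  dnssec-keydir "$(keydir_for "$zone")";
  $zone {
    file "$zonefile";
  }
}
EOF
}

# Constructed sample .key contents (key material truncated; not real keys).
SAMPLE_ZSK='; This is a zone-signing key, keyid 12345, for blog.hyperfeed.net.
blog.hyperfeed.net. IN DNSKEY 256 3 8 AwEAAcrl...'
SAMPLE_KSK='; This is a key-signing key, keyid 54321, for blog.hyperfeed.net.
blog.hyperfeed.net. 3600 IN DNSKEY 257 3 8 AwEAAdyZ...'

# Set GENERATE_KEYS=1 to really run dnssec-keygen; otherwise just classify the samples.
if [ "${GENERATE_KEYS:-0}" = "1" ]; then
    gen_keys "$ZONE"
    for k in "$(keydir_for "$ZONE")"/K*.key; do
        printf '%s: %s\n' "$k" "$(key_role < "$k")"
    done
    check_private_perms "$(keydir_for "$ZONE")" || echo "WARNING: private keys are too permissive" >&2
    knot_zone_conf "$ZONE" "/var/lib/knot/$ZONE.zone"
else
    printf 'sample ZSK -> %s\n' "$(printf '%s\n' "$SAMPLE_ZSK" | key_role)"
    printf 'sample KSK -> %s\n' "$(printf '%s\n' "$SAMPLE_KSK" | key_role)"
fi
```

After `scp`-ing the key directory to the name server, run `check_private_perms ./key/<zone>` there too: file modes do not always survive a copy, and a world-readable .private file lets any local user forge signatures for the zone.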
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( * * )=
o
/ \