DNSSEC signatures

Matthew Seaman matthew at FreeBSD.org
Thu Apr 11 16:30:39 UTC 2019

On 11/04/2019 16:57, James B. Byrne via freebsd-questions wrote:
> There are no other problems with these zones, yet.  Does anyone know
> what steps that I have not taken that are required to get automatic
> inline zone resigning to work?

You don't show which of your keys are ZSKs and which are KSKs -- the 
Zone Signing Keys are the ones that Bind will do all the automatic 
maintenance for, as those generally get rotated on a monthly basis and 
are used to sign the individual DNS RRs which probably change at an 
even faster rate.

Key Signing Keys need manual update, since that is typically an annual 
task that involves having your zone registrar update the DS records for 
your domain synchronously with your performing a KSK rollover.

If your KSK is out-of-date then you'll need to generate a new one and 
get it registered upstream ASAP, as the rest of the world (or at least 
the bits of it that pay attention to DNSSEC) will not be able to see 
your zone at all.

Use dnsviz.net for debugging: it's invaluable when working on setting 
this up, and you should get in the habit of checking there at regular 
intervals to be sure there aren't any problems.

I can heartily recommend Michael Lucas' "DNSSEC Mastery" as a slim 
volume that will explain what you need to do and why.  See:





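The reply hinges on knowing which DNSKEYs are KSKs (the ones whose DS record the registrar must hold) and which are ZSKs that Bind rotates on its own. The following script is an added example, not part of this thread and not Bind's own tooling: it parses DNSKEY records in presentation format, classifies each by the SEP flag (257 = KSK, 256 = ZSK), computes the RFC 4034 key tag, and derives the SHA-256 DS record for each KSK so it can be compared against what the registrar has published. The three DNSKEY lines are constructed placeholders with 4-byte dummy key material, not real keys; on a live system you would feed it the contents of your `K<zone>.+<alg>+<tag>.key` files or a `dig DNSKEY` answer instead.

```python
import base64
import hashlib
import struct

# Constructed sample in BIND presentation format. The base64 field is a
# 4-byte placeholder, not real key material; real keys are far longer.
SAMPLE_DNSKEYS = """\
example.com. IN DNSKEY 257 3 13 AQIDBA==
example.com. IN DNSKEY 256 3 13 BQYHCA==
example.com. IN DNSKEY 256 3 13 CQoLDA==
"""


def owner_to_wire(name):
    """Encode an owner name in canonical (lower-case) DNS wire format."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line):
    """Parse 'owner IN DNSKEY flags protocol algorithm base64...' into a dict."""
    parts = line.split()
    owner = parts[0]
    flags, protocol, algorithm = int(parts[3]), int(parts[4]), int(parts[5])
    key = base64.b64decode("".join(parts[6:]))  # base64 may be split by spaces
    return {"owner": owner, "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "key": key}


def dnskey_rdata(rec):
    """DNSKEY RDATA on the wire: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", rec["flags"], rec["protocol"], rec["algorithm"]) + rec["key"]


def key_tag(rec):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(rec)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(rec):
    """KSK if the Secure Entry Point bit is set (flags 257), otherwise ZSK (256)."""
    return "KSK" if rec["flags"] & 0x0001 else "ZSK"


def ds_record(rec):
    """DS record with digest type 2 (SHA-256) over owner-name wire + DNSKEY RDATA."""
    digest = hashlib.sha256(owner_to_wire(rec["owner"]) + dnskey_rdata(rec)).hexdigest().upper()
    return "%s IN DS %d %d 2 %s" % (rec["owner"], key_tag(rec), rec["algorithm"], digest)


def report(text):
    """Classify every DNSKEY and emit the DS the registrar needs for each KSK."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_dnskey(line)
        role = key_role(rec)
        rows.append({"tag": key_tag(rec), "role": role,
                     "ds": ds_record(rec) if role == "KSK" else None})
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_DNSKEYS):
        print(row["role"], row["tag"], row["ds"] or "(no DS needed: Bind rotates ZSKs)")
```

The DS line printed for the KSK is the one that must match what `dig DS example.com` returns from the parent zone; a mismatch (or no DS at all) is exactly the "rest of the world cannot see your zone" failure the reply warns about, and dnsviz.net will show it as a broken chain of trust.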