Check the published DNSKEY records with
dig DNSKEY +multiline +norec @ns <domain>
Zone Signing Key (ZSK)
$ ldns-keygen -a RSASHA256 -b 1024 <domain>
Key Signing Key (KSK)
$ ldns-keygen -k -a RSASHA256 -b 1024 <domain>
Sign the zone
$ ldns-signzone <zone> <KSK> <ZSK>
Sign the zone
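#!/bin/sh
# Sign a zone with the KSK/ZSK pair stored in the zone directory.
#
# Usage: <script> <domain>
#   Reads  ${ZONES}/<domain>                (unsigned zone file)
#   Reads  ${ZONES}/K<domain>.+008+<tag>.key (DNSKEY files from ldns-keygen)
#   Writes ${ZONES}/<domain>.signed
#
# The KSK and ZSK are told apart by the DNSKEY flags field inside each
# .key file (257 = KSK, SEP bit set; 256 = ZSK) instead of by sorting the
# key tags: tag order is arbitrary, and with a single key file the old
# sort/head approach handed the same key to ldns-signzone in both roles.
# The script is POSIX sh (no [[ ]], no echo -n) so the shebang is honest.
set -eu

DOMAIN=${1:?"usage: $0 <domain>"}
ZONES=/var/nsd/zones/master
ZONE=${ZONES}/${DOMAIN}

if [ ! -f "${ZONE}" ]; then
  printf 'Unable to locate zone %s\n' "${ZONE}" >&2
  exit 1
fi

# find_key FLAGS
#   Prints the base name (path without the .key suffix, the form
#   ldns-signzone takes) of the first K<domain>.+008+<tag>.key file whose
#   DNSKEY record carries FLAGS. Returns 1 when no key file matches.
find_key() {
  _flags=$1
  for _keyfile in "${ZONES}/K${DOMAIN}.+008+"*.key; do
    [ -f "${_keyfile}" ] || continue    # an unmatched glob stays literal
    if grep -q "DNSKEY[[:space:]]*${_flags}[[:space:]]" "${_keyfile}"; then
      printf '%s\n' "${_keyfile%.key}"
      return 0
    fi
  done
  return 1
}

printf 'Key signing key for %s: ' "${DOMAIN}"
KSK=$(find_key 257) || {
  printf '\nNo KSK (flags 257) found in %s\n' "${ZONES}" >&2
  exit 1
}
printf '%s\n' "${KSK}"

printf 'Zone signing key for %s: ' "${DOMAIN}"
ZSK=$(find_key 256) || {
  printf '\nNo ZSK (flags 256) found in %s\n' "${ZONES}" >&2
  exit 1
}
printf '%s\n' "${ZSK}"

printf 'Signing zone %s\n' "${ZONE}"
ldns-signzone -f "${ZONE}.signed" "${ZONE}" "${KSK}" "${ZSK}"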
Auto-sign the zone (cron)
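#!/bin/sh
# Re-sign a zone unattended (intended for cron).
#
# Usage: <script> <domain>
#   Reads  ${ZONES}/<domain>                (unsigned zone file)
#   Reads  ${ZONES}/K<domain>.+008+<tag>.key (DNSKEY files from ldns-keygen)
#   Writes ${ZONES}/<domain>.tosign          (zone with a fresh serial)
#   Writes ${ZONES}/<domain>.signed
#
# `set -eu` matters here: without it a failed ldns-read-zone left an empty
# .tosign file that was then signed and published. Diagnostics go to stderr
# so cron reports them. The KSK and ZSK are selected by the DNSKEY flags
# field (257 = KSK, 256 = ZSK) rather than by sorting key tags, which is
# arbitrary and, with a single key file, picked the same key for both roles.
set -eu

DOMAIN=${1:?"usage: $0 <domain>"}
ZONES=/var/nsd/zones/master
ZONE=${ZONES}/${DOMAIN}
TOSIGN=${ZONE}.tosign

if [ ! -f "${ZONE}" ]; then
  printf 'Unable to locate zone %s\n' "${ZONE}" >&2
  exit 1
fi

# find_key FLAGS
#   Prints the base name (path without the .key suffix, the form
#   ldns-signzone takes) of the first K<domain>.+008+<tag>.key file whose
#   DNSKEY record carries FLAGS. Returns 1 when no key file matches.
find_key() {
  _flags=$1
  for _keyfile in "${ZONES}/K${DOMAIN}.+008+"*.key; do
    [ -f "${_keyfile}" ] || continue    # an unmatched glob stays literal
    if grep -q "DNSKEY[[:space:]]*${_flags}[[:space:]]" "${_keyfile}"; then
      printf '%s\n' "${_keyfile%.key}"
      return 0
    fi
  done
  return 1
}

printf 'Convert zone %s to %s.tosign\n' "${DOMAIN}" "${DOMAIN}"
# -S YYYYMMDDxx gives the copy a date-based serial (per ldns-read-zone -S).
# Write to a temporary name first so a failure never leaves a truncated
# .tosign behind for the next step to sign.
ldns-read-zone -S YYYYMMDDxx "${ZONE}" > "${TOSIGN}.tmp"
mv -f "${TOSIGN}.tmp" "${TOSIGN}"

printf 'Key signing key for %s: ' "${DOMAIN}"
KSK=$(find_key 257) || {
  printf '\nNo KSK (flags 257) found in %s\n' "${ZONES}" >&2
  exit 1
}
printf '%s\n' "${KSK}"

printf 'Zone signing key for %s: ' "${DOMAIN}"
ZSK=$(find_key 256) || {
  printf '\nNo ZSK (flags 256) found in %s\n' "${ZONES}" >&2
  exit 1
}
printf '%s\n' "${ZSK}"

printf 'Signing zone %s\n' "${ZONE}"
ldns-signzone -f "${ZONE}.signed" "${TOSIGN}" "${KSK}" "${ZSK}"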