dns#dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE xxx.edu.tw
dns#dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 2048 -n ZONE xxx.edu.tw
Put the DNSKEY records into the zone file
#cat K*.key >> /etc/namedb/db.xxx.edu.tw
Sign the zone
dns#dnssec-signzone -o xxx.edu.tw -k Kxxx.edu.tw.+005+?????.key /etc/namedb/db.xxx.edu.tw Kxxx.edu.tw.+005+?????.key
When signing completes, the following output appears
-----------------------
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
/etc/namedb/db.xxx.edu.tw.signed
-----------------------
dns#vi named.conf
zone "xxx.edu.tw" {
type master;
file "/etc/namedb/db.xxx.edu.tw.signed";
};
dns# named.reload
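
Added example, not from the original post: a Python check that reads a DNSKEY line from the generated K*.key files, computes its key tag (the ????? part of the file name) and role so the KSK file can be matched to the -k option, and flags the SHA-1 algorithm and 1024-bit modulus chosen in the commands above. The function names are this example's own, and the sample records are constructed placeholder bytes, not real keys.

```python
import base64

SHA1_ALGS = {5: "RSASHA1", 7: "NSEC3RSASHA1"}   # IANA DNSSEC algorithm numbers

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rsa_bits(pub: bytes) -> int:
    """Modulus size of an RSA public key in RFC 3110 wire format."""
    elen, off = pub[0], 1
    if elen == 0:                       # long form: 2-byte exponent length
        elen, off = int.from_bytes(pub[1:3], "big"), 3
    return int.from_bytes(pub[off + elen:], "big").bit_length()

def inspect(line: str) -> dict:
    """Parse one DNSKEY record line as found in a K*.key file."""
    tok = line.split(";")[0].split()
    i = tok.index("DNSKEY")
    flags, proto, alg = (int(x) for x in tok[i + 1:i + 4])
    pub = base64.b64decode("".join(tok[i + 4:]))
    tag = key_tag(flags.to_bytes(2, "big") + bytes([proto, alg]) + pub)
    bits = rsa_bits(pub)                # assumes an RSA algorithm (5, 7, 8, 10)
    warnings = []
    if alg in SHA1_ALGS:
        warnings.append(f"{SHA1_ALGS[alg]}: SHA-1 signing is NOT RECOMMENDED (RFC 8624)")
    if bits < 2048:
        warnings.append(f"{bits}-bit RSA modulus is below 2048 bits")
    owner = tok[0].lower().rstrip(".") + "."
    return {"role": "KSK" if flags & 1 else "ZSK",   # SEP bit marks the KSK
            "tag": tag, "bits": bits, "warnings": warnings,
            "file": f"K{owner}+{alg:03d}+{tag:05d}"}

def sample_record(flags: int, nbytes: int) -> str:
    """Constructed record: placeholder bytes, not a real RSA key."""
    pub = b"\x03\x01\x00\x01" + b"\x80" + bytes(nbytes - 2) + b"\x01"
    return f"xxx.edu.tw. IN DNSKEY {flags} 3 5 " + base64.b64encode(pub).decode()

if __name__ == "__main__":
    for rec in (sample_record(256, 128), sample_record(257, 256)):
        print(inspect(rec))
```

Run inspect() on the record line of each K*.key file before signing; the file whose role is KSK is the one to pass to -k.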