Bind 9 Administrator Reference Manual

Chapter 4. Advanced Concepts
There must also be communication with the administrators of the parent and/or child zone to transmit
keys and signatures. A zone’s security status must be indicated by the parent zone for a DNSSEC
capable resolver to trust its data.
For other servers to trust data in this zone, they must either be statically configured with this zone’s zone
key or the zone key of another zone above this one in the DNS tree.
4.7.1. Generating Keys
The dnssec-keygen program is used to generate keys.
A secure zone must contain one or more zone keys. The zone keys will sign all other records in the zone,
as well as the zone keys of any secure delegated zones. Zone keys must have the same name as the zone,
a name type of ZONE, and must be usable for authentication. It is recommended that zone keys use a
cryptographic algorithm designated as "mandatory to implement" by the IETF; currently these are
RSASHA1 (which is not yet supported in BIND 9.2) and DSA.
The following command will generate a 768-bit DSA key for the child.example zone:
dnssec-keygen -a DSA -b 768 -n ZONE child.example.
Two output files will be produced: Kchild.example.+003+12345.key and
Kchild.example.+003+12345.private (where 12345 is an example of a key tag). The key file
names contain the key name (child.example.), algorithm (3 is DSA, 1 is RSA, etc.), and the key tag
(12345 in this case). The private key (in the .private file) is used to generate signatures, and the public
key (in the .key file) is used for signature verification.
To generate another key with the same properties (but with a different key tag), repeat the above
command.
The public keys should be inserted into the zone file by adding $INCLUDE statements that pull in the
.key files.
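As an added example (not part of the manual), the following Python code parses the dnssec-keygen file names described above, generates the $INCLUDE lines for the .key files, and checks that the key tag in a file name matches the tag computed from the public key record inside the file. It assumes the .key file holds a single "owner [TTL] IN KEY|DNSKEY flags protocol algorithm base64" record; the key tag computation follows RFC 4034 Appendix B (the same scheme RFC 2535 used), and the sample key bytes are constructed, not a real key.

```python
import base64
import re

# Algorithm numbers as they appear in dnssec-keygen file names (IANA registry).
# The manual names 1 (RSA, i.e. RSAMD5) and 3 (DSA); 5 (RSASHA1) is added here.
ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}

# Kchild.example.+003+12345.key -> key name, 3-digit algorithm, 5-digit key tag
KEYFILE_RE = re.compile(
    r"^K(?P<name>.+?)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?P<ext>key|private)$")


def parse_keyfile_name(filename):
    """Split a dnssec-keygen output file name into its parts."""
    m = KEYFILE_RE.match(filename)
    if not m:
        raise ValueError("not a dnssec-keygen file name: %r" % filename)
    alg = int(m.group("alg"))
    return {"name": m.group("name"), "algorithm": alg,
            "algorithm_name": ALGORITHMS.get(alg, "unknown"),
            "tag": int(m.group("tag")), "ext": m.group("ext")}


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the KEY/DNSKEY RDATA (RFC 4034 Appendix B).
    Algorithm 1 (RSAMD5) is special: its tag is the 16 bits before the last byte."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    if algorithm == 1:
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check_keyfile(filename, record_line):
    """True if owner, algorithm and key tag in the file name agree with the record."""
    info = parse_keyfile_name(filename)
    fields = record_line.split()
    t = next(i for i, f in enumerate(fields) if f in ("KEY", "DNSKEY"))
    flags, proto, alg = (int(x) for x in fields[t + 1:t + 4])
    pub = base64.b64decode("".join(fields[t + 4:]))  # base64 may be split by spaces
    computed = key_tag(flags, proto, alg, pub)
    return (fields[0] == info["name"] and alg == info["algorithm"]
            and computed == info["tag"])


def include_statements(filenames):
    """$INCLUDE lines for the public (.key) files only; .private files stay out of the zone."""
    return ["$INCLUDE %s" % f for f in filenames
            if parse_keyfile_name(f)["ext"] == "key"]
```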
4.7.2. Creating a Keyset
The dnssec-makekeyset program is used to create a key set from one or more keys.
Once the zone keys have been generated, a key set must be built for transmission to the administrator of
the parent zone, so that the parent zone can sign the keys with its own zone key and correctly indicate the
security status of this zone. When building a key set, the list of keys to be included and the TTL of the set
must be specified, and the desired signature validity period of the parent’s signature may also be
specified.