Bind 9 Administrator Reference Manual

Chapter 4. Advanced Concepts
The list of keys to be inserted into the key set may also include non-zone keys present at the top of the
zone. dnssec-makekeyset may also be used at other names in the zone.
The following command generates a key set containing the above key and another key similarly
generated, with a TTL of 3600 and a signature validity period of 10 days starting from now.
dnssec-makekeyset -t 3600 -e +864000 Kchild.example.+003+12345 Kchild.example.+003+23456
One output file is produced: keyset-child.example.. This file should be transmitted to the parent to
be signed. It includes the keys, as well as signatures over the key set generated by the zone keys
themselves, which are used to prove ownership of the private keys and encode the desired validity period.
4.7.3. Signing the Child’s Keyset
The dnssec-signkey program is used to sign one child’s keyset.
If the child.example zone has any delegations which are secure, for example,
grand.child.example, the child.example administrator should receive keyset files for each secure
subzone. These keys must be signed by this zone’s zone keys.
The following command signs the child’s key set with the zone keys:
dnssec-signkey keyset-grand.child.example. Kchild.example.+003+12345 Kchild.example.+003+23456
One output file is produced: signedkey-grand.child.example.. This file should be both
transmitted back to the child and retained. It includes all keys (the child’s keys) from the keyset file and
signatures generated by this zone’s zone keys.
4.7.4. Signing the Zone
The dnssec-signzone program is used to sign a zone.
Any signedkey files corresponding to secure subzones should be present, as well as a signedkey file
for this zone generated by the parent (if there is one). The zone signer will generate NXT and SIG records
for the zone, as well as incorporate the zone key signature from the parent and indicate the security status
at all delegation points.
The following command signs the zone, assuming it is in a file called zone.child.example. By
default, all zone keys which have an available private key are used to generate signatures.
dnssec-signzone -o child.example zone.child.example
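As an added pre-flight helper for the procedure above (written for this page, not a BIND tool), the script below derives the zone name from key file names of the form K<zone>.+<alg>+<keyid> to predict the keyset file dnssec-makekeyset writes, and confirms that every signedkey file dnssec-signzone expects (the parent's, plus one per secure subzone) is present before the signer is invoked. The directory layout and the has_parent flag are assumptions of this example; the file-name conventions are the ones shown on this page.

```shell
#!/bin/sh
# Added helper, not part of BIND: pre-flight checks for the key-set and
# zone-signing steps. File names follow the naming used on this page:
#   K<zone>.+<alg>+<keyid>   key pair written by dnssec-keygen
#   keyset-<zone>.           written by dnssec-makekeyset
#   signedkey-<zone>.        written by dnssec-signkey (parent signs child's keys)

# Zone name (with trailing dot) encoded in a key file name,
# e.g. Kchild.example.+003+12345 -> child.example.
zone_of_key() {
    k=${1#K}                    # drop the leading K
    printf '%s\n' "${k%%+*}"    # everything before the first '+'
}

# Name of the keyset file dnssec-makekeyset writes for these keys.
# Fails if the keys do not all belong to the same zone.
keyset_file_for() {
    zone=$(zone_of_key "$1")
    for k in "$@"; do
        [ "$(zone_of_key "$k")" = "$zone" ] || return 1
    done
    printf 'keyset-%s\n' "$zone"
}

# Verify the signedkey files the signer needs are present in <dir>.
# usage: check_signedkey_files <dir> <zone.> <has_parent:yes|no> [subzone. ...]
check_signedkey_files() {
    dir=$1; zone=$2; has_parent=$3; shift 3
    missing=0
    if [ "$has_parent" = yes ] && [ ! -f "$dir/signedkey-$zone" ]; then
        echo "missing $dir/signedkey-$zone (parent's signature over our keys)" >&2
        missing=$((missing + 1))
    fi
    for sub in "$@"; do
        if [ ! -f "$dir/signedkey-$sub" ]; then
            echo "missing $dir/signedkey-$sub (secure delegation to $sub)" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Run the checks, then sign the zone file zone.<zone> as on this page.
sign_zone_checked() {
    dir=$1; zone=$2; has_parent=$3; shift 3
    check_signedkey_files "$dir" "$zone" "$has_parent" "$@" || return 1
    (cd "$dir" && dnssec-signzone -o "${zone%.}" "zone.${zone%.}")
}
```

Call sign_zone_checked "$PWD" child.example. yes grand.child.example. from the directory holding the zone file; it refuses to sign while any expected signedkey file is absent.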