My environment is running BIND in a chroot jail, using the bind-chroot
package installed with YUM. This article at DigitalOcean got me started; this documents the steps specific to a Scientific Linux (or CentOS, RHEL, etc.) install.
```sh
# change into the zone file directory (inside the chroot)
cd /var/named/chroot/var/named/

# generate a zone signing key (ZSK)
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com

# generate a key signing key (KSK)
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com

# append an $INCLUDE to the zone file for both public key files
for key in Kexample*.key; do echo "\$INCLUDE $key" >> db.example.com; done

# sign the zone (this needs to be done after each update, and every couple of weeks as well)
# -3 <salt>      NSEC3 with a random 16-hex-digit salt
# -A             set the NSEC3 opt-out flag
# -N INCREMENT   bump the SOA serial in the signed output
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -f db.example.com.signed db.example.com

# make sure bind is looking at the signed zone file
sed -i 's/db.example.com;/db.example.com.signed;/' /var/named/chroot/etc/named.conf

# reload bind
rndc reload

# these are the DS records that the domain registrar needs
cat dsset-example.com.
```
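The post says the zone has to be re-signed every couple of weeks: dnssec-signzone gives each RRSIG a 30-day validity by default, so once the earliest expiration in the signed file gets close, the zone goes bogus for validating resolvers. The script below is an added example, not part of the original post or of BIND: it pulls the expiration field out of every RRSIG in a signed zone (gluing back together the parenthesised multi-line records dnssec-signzone writes by default), reports the earliest one, and returns success when that falls on or before a cutoff timestamp you pass in. The zone contents, key tag 12345 and timestamps are constructed sample data, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): find the earliest RRSIG expiry in a
# signed zone file and decide whether the zone needs re-signing.

# Constructed sample in the layout dnssec-signzone writes by default:
# long records are wrapped inside ( ... ), and the owner name and class are
# omitted on records that repeat the previous owner. RRSIG fields are
#   type alg labels origttl EXPIRATION inception keytag signer signature
# with timestamps as YYYYMMDDHHMMSS (UTC), which also sort numerically.
SAMPLE_ZONE='; File written by dnssec-signzone, constructed sample
example.com.            86400   IN SOA  ns1.example.com. hostmaster.example.com. (
                                        2024010201 ; serial
                                        3600       ; refresh
                                        900        ; retry
                                        604800     ; expire
                                        86400      ; minimum
                                        )
                        86400   RRSIG   SOA 7 2 86400 (
                                        20240201120000 20240102120000 12345 example.com.
                                        c2lnbmF0dXJlZGF0YQ== )
                        86400   NS      ns1.example.com.
                        86400   RRSIG   NS 7 2 86400 (
                                        20240125000000 20240102120000 12345 example.com.
                                        c2lnbmF0dXJlZGF0YQ== )
www.example.com.        3600    IN A    192.0.2.10
                        3600    RRSIG   A 7 3 3600 (
                                        20240210000000 20240102120000 12345 example.com.
                                        c2lnbmF0dXJlZGF0YQ== )'

# earliest_rrsig_expiry ZONEFILE
#   Prints the smallest RRSIG expiration timestamp in ZONEFILE (empty if none).
earliest_rrsig_expiry() {
    awk '
      # glue records that are wrapped across lines inside ( ... ) back together
      /\(/ && !/\)/ { buf = $0; open = 1; next }
      open          { buf = buf " " $0; if (!/\)/) next; $0 = buf; open = 0 }
      {
        gsub(/[()]/, "")                     # drop the brackets so fields line up
        for (i = 1; i <= NF; i++)
          if ($i == "RRSIG") {               # expiration is 5 fields after RRSIG
            ts = $(i + 5)
            if (min == "" || ts < min) min = ts
            break
          }
      }
      END { print min }' "$1"
}

# needs_resign ZONEFILE CUTOFF
#   Returns 0 (true) if the earliest RRSIG expires on or before CUTOFF
#   (YYYYMMDDHHMMSS), or if the file carries no RRSIGs at all; 1 otherwise.
needs_resign() {
    earliest=$(earliest_rrsig_expiry "$1")
    [ -z "$earliest" ] && return 0           # unsigned zone: sign it
    awk -v e="$earliest" -v c="$2" 'BEGIN { exit !(e <= c) }'
}

# Usage: write the sample to a temp file and check it against a cutoff one
# week ahead of a fixed "now" (2024-01-19). In a cron job you would compute
# the cutoff with e.g. date -u -d '+7 days' +%Y%m%d%H%M%S (GNU date) and run
# dnssec-signzone from the post when this says "re-sign".
ZONEFILE=$(mktemp)
printf '%s\n' "$SAMPLE_ZONE" > "$ZONEFILE"
echo "earliest RRSIG expiry: $(earliest_rrsig_expiry "$ZONEFILE")"
if needs_resign "$ZONEFILE" 20240126000000; then
    echo "re-sign: an RRSIG expires within the window"
else
    echo "signatures still valid past the cutoff"
fi
rm -f "$ZONEFILE"
```

Checking the earliest expiry rather than the SOA's own RRSIG matters because dnssec-signzone only re-signs records whose signatures are near expiry when run incrementally, so different RRsets in the same file can carry different expiration dates.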