On 2/12/19 11:49 PM, Paul R. Ganci wrote:
Okay, so I misunderstood the message I was getting when I checked my DNSSEC setup via http://dnsviz.net/. What you are telling me is that all I had to do was re-sign the zone files, but that it was not necessary to generate new keys. This point is definitely one that I missed.
I too run my own authoritative nameservers. I was following the Digital Ocean procedure to set up DNSSEC:
Key rotation and signature rotation are separate concerns. Most users should be able to significantly simplify signature rotation using bind's built-in signing management, rather than using dnssec-signzone. You can define your zone like so:
    zone "example.net" IN {
        type master;
        file "dynamic/db.example.net";
        update-policy local;
        key-directory "keys/example.net";
        inline-signing yes;
        auto-dnssec maintain;
    };
...and then either replicate your zone to a public-facing host, or export and manually copy the zone (maybe "dig @localhost example.net -t axfr"?)
Manual signing is probably only useful if you want your DNSSEC key files kept on a system that isn't connected to a network, for security reasons, and you have another process for publishing the signed zone files.
(Newer bind releases have a python tool to manage key rotation. I use this one: https://bitbucket.org/gordonmessmer/update-dns-keys/)
So doesn't ldns-signzone create the same kind of digest that requires it be uploaded to the registrar?
Yes, I think so. If I understand you properly.
So maybe I asked the wrong question. Is there a way to re-sign the zone files without having to recreate the information found in that dsset-domain.tld. file and uploading it to the registrar?
If you mean the DS records, those should be stable as long as you have the same KSK, so there's nothing *new* to upload when your zones are re-signed.
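To illustrate that last point (and the separation of key and signature rotation above), here is an added Python sketch, not code from this thread or from BIND: it derives the dsset contents from a zone's DNSKEY records the way dnssec-dsfromkey does, using constructed placeholder keys for example.net, and shows that a re-sign that rolls the ZSK and all RRSIGs leaves the DS records untouched.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit word sum over the RDATA, carry folded in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey):
    """DS record (digest type 2 = SHA-256 over owner name + DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower().rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

def dsset_from_zone(zone_text):
    """Build the dsset lines from "owner TTL IN DNSKEY ..." records in a zone.
    Only keys with the SEP bit (flags 257, the KSK) contribute; ZSKs and RRSIGs
    are ignored, which is why re-signing does not change what the registrar holds."""
    out = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()          # drop trailing comments
        if len(fields) < 8 or fields[2:4] != ["IN", "DNSKEY"]:
            continue
        flags, proto, alg = (int(x) for x in fields[4:7])
        if flags & 0x0001:                            # SEP bit set -> KSK
            pubkey = base64.b64decode("".join(fields[7:]))
            out.append(ds_from_dnskey(fields[0], flags, proto, alg, pubkey))
    return out

# Constructed sample zone fragments (placeholder keys, not real ones): the same
# KSK before and after a re-sign that also rolled the ZSK and refreshed RRSIGs.
ZONE_BEFORE = """\
example.net. 3600 IN DNSKEY 257 3 13 AAEAAg== ; KSK
example.net. 3600 IN DNSKEY 256 3 13 AAM= ; ZSK
example.net. 3600 IN RRSIG DNSKEY 13 2 3600 20190301000000 20190201000000 1041 example.net. c2ln
"""
ZONE_AFTER = """\
example.net. 3600 IN DNSKEY 257 3 13 AAEAAg== ; same KSK
example.net. 3600 IN DNSKEY 256 3 13 AAQ= ; new ZSK
example.net. 3600 IN RRSIG DNSKEY 13 2 3600 20190401000000 20190301000000 1041 example.net. bmV3
"""

if __name__ == "__main__":
    print(dsset_from_zone(ZONE_BEFORE) == dsset_from_zone(ZONE_AFTER))  # True
```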