On 2/12/19 11:49 PM, Paul R. Ganci wrote:
> Okay so I misunderstood the message I was getting when I checked my
> DNSSEC setup via http://dnsviz.net/. What you are telling me is that
> all I had to do was re-sign the zone files but that it was not
> necessary to generate new keys. This point is definitely one that I
> missed.
>
> I too run my own authoritative nameservers. I was following the
> Digital Ocean procedure to setup DNSSEC:

Key rotation and signature rotation are separate concerns. Most users
should be able to significantly simplify signature rotation using bind's
built-in signing management, rather than using dnssec-signzone. You can
define your zone like so:

    zone "example.net" IN {
        type master;
        file "dynamic/db.example.net";
        update-policy local;
        key-directory "keys/example.net";
        inline-signing yes;
        auto-dnssec maintain;
    };

...and then either replicate your zone to a public-facing host, or export
and manually copy the zone (maybe "dig @localhost example.net -t axfr"?)

Manual signing is probably only useful if you want your DNSSEC key files
kept on a system that isn't connected to a network, for security reasons,
and you have another process for publishing the signed zone files.

(Newer bind releases have a python tool to manage key rotation. I use
this one: https://bitbucket.org/gordonmessmer/update-dns-keys/)

> So doesn't ldns-signzone create the same kind of digest that requires
> it be uploaded to the registrar?

Yes, I think so, if I understand you properly.

> So maybe I asked the wrong question. Is there a way to re-sign the
> zone files without having to recreate the information found in that
> dsset-domain.tld. file and uploading it to the registrar?

If you mean the DS records, those should be stable as long as you have
the same KSK, so there's nothing *new* to upload when your zones are
re-signed.
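The reply above rests on one fact: a DS record is a digest of the owner name plus the DNSKEY RDATA (flags, protocol, algorithm, public key), and nothing else. Signatures (RRSIGs) are not an input, so re-signing a zone can never change the DS; only replacing the KSK does. The following script is an added example, not code from either participant in this thread or from the bind or ldns projects. It implements the RFC 4034 key-tag calculation and the RFC 4509 SHA-256 DS digest directly, and the public key bytes it uses are a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in DNS wire format (length-prefixed, lowercase labels).

    RFC 4034 requires the canonical (lowercase) form of the name in the DS digest.
    """
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # root label terminates the name


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Build DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum RDATA as 16-bit words, fold the carry."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i % 2 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """Return the DS record (digest type 2, SHA-256) for a DNSKEY.

    Only the owner name and the DNSKEY RDATA enter the digest, which is why a
    re-signed zone with an unchanged KSK still yields the same DS.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


# Constructed placeholder key material (NOT a real key): flags 257 marks a KSK,
# protocol is always 3, algorithm 13 is ECDSAP256SHA256.
KSK_FLAGS = 257
KSK_PROTOCOL = 3
KSK_ALGORITHM = 13
KSK_PUBKEY_B64 = base64.b64encode(b"\x01\x02\x03\x04").decode("ascii")  # "AQIDBA=="


def ds_is_stable_across_resigning(owner: str) -> bool:
    """Simulate two signing runs: the DS depends only on the KSK, so it is identical."""
    first_run = ds_record(owner, KSK_FLAGS, KSK_PROTOCOL, KSK_ALGORITHM, KSK_PUBKEY_B64)
    # A second dnssec-signzone / inline-signing pass produces new RRSIGs but the
    # same DNSKEY, so the DS computed from it does not change.
    second_run = ds_record(owner, KSK_FLAGS, KSK_PROTOCOL, KSK_ALGORITHM, KSK_PUBKEY_B64)
    return first_run == second_run


if __name__ == "__main__":
    print(ds_record("example.net.", KSK_FLAGS, KSK_PROTOCOL, KSK_ALGORITHM, KSK_PUBKEY_B64))
    print("DS stable across re-signing:", ds_is_stable_across_resigning("example.net."))
```

To check a live zone against this, compare the output of "dig example.net DNSKEY" fed through the same function with the DS your registrar currently publishes (or with dnssec-dsfromkey, which performs the identical computation); a mismatch means the KSK itself changed, not merely the signatures.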