To sign zones we recommend creating a separate directory, for example
«zone-dnssec», as a subdirectory of the BIND working directory. We recommend
setting «root» as its owner, the group under which BIND runs as its group,
and 750 as its mode: named can then read the signed zone files but cannot
write to the directory. Copy the zone files to be signed into this directory.
Keep the private key files (*.private) readable by root only (mode 600); the
group permission is needed for the signed zone, not for the keys.
To generate a KSK for 'example.com' run:
$ /usr/local/bin/ldns-keygen -a ECC-GOST -k example.com
This also writes the DS records for the key (the .ds file next to the .key
and .private files). ldns-keygen prints the key basename
(Kexample.com.+012+YYYYY) to stdout; it is needed later for signing.
ECC-GOST is available only if ldns was built against an OpenSSL with GOST
support.
To generate a ZSK for 'example.com' run:
$ /usr/local/bin/ldns-keygen -a ECC-GOST example.com
No DS record is needed for the ZSK: only the KSK is referenced from the
parent zone, so only the KSK's DS records are passed on.
To tell a ZSK from a KSK, look at the public key file ($ cat Kexample.com.+012+YYYYY.key, for example). They differ in the flags field that follows IN DNSKEY:
256 - ZSK
257 - KSK (the SEP bit is set)
For example, this record is a ZSK:
example.com. IN DNSKEY 256 3 12 4/M4Fhcg0B56sRFrnDnprJhfvnA77uNleBtGSH+jVbl04lbVpOJ9A0qT r+zX6lnEZjqrMAxNNcJ7ZKQ+cp3v9g==
The third numeric field is the algorithm number: 12 is ECC-GOST (GOST R 34.10-2001, RFC 5933).
Signing a zone
ATTENTION: exclude $TTL and similar directives from the zone file and add
them to the signed zone file afterwards; ldns-signzone cannot parse them.
Also increase the serial of the zone before signing, otherwise secondaries
will not pick up the signed version.
To sign the zone 'example.com', run a command like:
Before publishing, verify the signed zone file (for example with
ldns-verify-zone) and reload it in BIND. After this, the KSK's DS records
should be sent to the administrator of the parent domain (only if it supports
DNSSEC and is ready to be a trust anchor or part of the chain of trust).
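The whole procedure above as one shell script, added here as an example; it is not code from the original page or from the ldns project. It assumes that the zone file is named example.com.zone inside the working directory, that the SOA record is written on one line, that the key basenames (Kexample.com.+012+<tag>) are passed as arguments, and that ldns-signzone is called with -o (origin) and -f (output file). The DNSKEY flag and algorithm checks and the serial bump are plain awk and run without ldns installed; only the `sign` mode calls ldns-signzone.

```shell
#!/bin/sh
# Added example for the procedure above; not code from the original page
# or from the ldns project. Assumptions (not on the page): the zone file
# is <zone>.zone in the working directory, the SOA record is on one line,
# and the key basenames are the ones ldns-keygen printed to stdout.
set -u

ZONE=example.com
WORKDIR=${WORKDIR:-/var/named/zone-dnssec}   # assumed BIND work dir

# Role of a key from the flags field of the DNSKEY record in its .key
# file: 256 = ZSK, 257 = KSK (bit 15, the SEP bit, is set for a KSK).
# Prints KSK, ZSK or unknown.
dnskey_role() {
    awk '
        /^;/ { next }                         # skip comment lines
        { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") f = $(i + 1) }
        END { r = "unknown"; if (f == 257) r = "KSK"; else if (f == 256) r = "ZSK"; print r }
    ' "$1"
}

# Algorithm number from the DNSKEY record; 12 is ECC-GOST (RFC 5933).
dnskey_alg() {
    awk '/^;/ { next } { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") a = $(i + 3) } END { print a + 0 }' "$1"
}

# Current SOA serial of a zone file (single-line SOA assumed).
soa_serial() {
    awk '!/^;/ { for (i = 1; i <= NF; i++) if ($i == "SOA") { print $(i + 3); exit } }' "$1"
}

# Increase the SOA serial by one, in place. Only the first SOA line is
# touched; directive lines ($TTL, $ORIGIN) are passed through unchanged.
bump_serial() {
    awk '
        !done && !/^;/ {
            for (i = 1; i <= NF; i++)
                if ($i == "SOA") { $(i + 3) = $(i + 3) + 1; done = 1; break }
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Sign the zone with ldns-signzone. As the page warns, $-directives are
# moved aside first and put back on top of the signed output; the origin
# is passed with -o instead. Remaining arguments are the key basenames
# (Kexample.com.+012+<tag>); ldns-signzone reads their .key/.private files.
sign_zone() {
    zone=$1; zonefile=$2; shift 2
    grep '^\$' "$zonefile" > "$zonefile.directives" || :
    grep -v '^\$' "$zonefile" > "$zonefile.records"
    ldns-signzone -o "$zone" -f "$zonefile.signed.tmp" "$zonefile.records" "$@" || return 1
    cat "$zonefile.directives" "$zonefile.signed.tmp" > "$zonefile.signed"
    rm -f "$zonefile.directives" "$zonefile.records" "$zonefile.signed.tmp"
}

main() {
    cd "$WORKDIR" || return 1
    zonefile=$ZONE.zone
    for k in "$@"; do                           # report what each key is
        printf '%s: %s, algorithm %s\n' "$k" "$(dnskey_role "$k.key")" "$(dnskey_alg "$k.key")"
    done
    chmod 600 ./K*.private                      # private keys: root only
    bump_serial "$zonefile"
    sign_zone "$ZONE" "$zonefile" "$@" || return 1
    echo "signed zone written to $WORKDIR/$zonefile.signed"
    echo "send the KSK's .ds file to the parent zone administrator"
}

# Usage: sh sign-zone.sh sign Kexample.com.+012+11111 Kexample.com.+012+22222
if [ "${1:-}" = sign ]; then shift; main "$@"; fi
```

The serial bump rewrites the SOA line with single spaces between fields, which named accepts; a multi-line SOA (with parentheses) is not handled and must be bumped by hand, as the lead-in states.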