MAGPRO DNS. SIGNING ZONE FILES WITH THE «ldns-signzone» UTILITY


Installation

Installation of ldns-signzone is described on the page:
Installing and using Unbound+LDNS+NSD with DNSSEC and GOST support


Preparations

To sign zones we recommend creating a separate directory, for example «zone-dnssec», as a subdirectory of the BIND working directory. We recommend that this directory be owned by «root», belong to the same group as the user BIND runs as, and have mode 750. Copy the zone files to be signed into this directory.


Keys generation

  1. To generate a KSK key for 'example.com', use this command:
    $ /usr/local/bin/ldns-keygen -a ECC-GOST -k example.com

    DS records for this key are generated at the same time.

  2. To generate a ZSK key for 'example.com', use this command:
    $ /usr/local/bin/ldns-keygen -a ECC-GOST example.com

    DS records for this key are generated at the same time.

    To distinguish a ZSK from a KSK, look at the public key part (for example, $ cat Kexample.com.+012+YYYYY.key). The flags field of the DNSKEY record tells them apart:
    256 - ZSK
    257 - KSK

    example.com. IN DNSKEY 256 3 12 4/M4Fhcg0B56sRFrnDnprJhfvnA77uNleBtGSH+jVbl04lbVpOJ9A0qT r+zX6lnEZjqrMAxNNcJ7ZKQ+cp3v9g==

    You may also check the key algorithm number: 12 is GOST.


Signing a zone

ATTENTION: remove $TTL and similar directives from the zone file before signing and add them back to the signed zone file afterwards; ldns-signzone cannot parse them.
Also increase the serial of the zone before signing.
To sign the zone 'example.com', execute a command like:

$ /usr/local/bin/ldns-signzone example.com Kexample.com.+012+23003 Kexample.com.+012+42920

After this, your DS records should be sent to the administrator of the parent domain (only if it supports DNSSEC and is ready to serve as an entry point or as part of the chain of trust).


Rebuild database

ATTENTION: after changing zone files you must rebuild the nsd database by running:

# nsdc rebuild
# nsdc reload
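As an added example (not part of the MagPro documentation), the following POSIX shell script automates the pre-flight checks described above: it classifies the generated keys as KSK or ZSK from the DNSKEY flags field (257/256), verifies that the algorithm number is 12 (ECC-GOST), moves $TTL-style directives out of the zone file and increments the SOA serial before ldns-signzone is run. It assumes a single-line SOA record, uses constructed sample files, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight checks before running ldns-signzone, written in plain
# awk so it runs without ldns installed. All sample data below is constructed.

# Print KSK, ZSK or UNKNOWN for a K<zone>.+<alg>+<id>.key file, based on the
# DNSKEY flags field: 257 = KSK (SEP bit set), 256 = ZSK.
dnskey_role() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "DNSKEY") {
           f = $(i + 1); print (f == 257 ? "KSK" : (f == 256 ? "ZSK" : "UNKNOWN")); exit } }' "$1"
}

# Succeed (exit 0) only when the DNSKEY algorithm number is 12 (ECC-GOST).
dnskey_is_gost() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "DNSKEY" && $(i + 3) == 12) ok = 1 }
       END { exit ok ? 0 : 1 }' "$1"
}

# Print the SOA serial of a zone file (a single-line SOA record is assumed).
zone_serial() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "SOA") { print $(i + 3); exit } }' "$1"
}

# prepare_zone SRC DST DIRECTIVES: move $TTL/$ORIGIN-style directives, which
# ldns-signzone cannot parse, into DIRECTIVES (re-add them to the signed zone
# later) and write SRC to DST with the SOA serial incremented by one.
prepare_zone() {
  awk -v side="$3" '
    /^\$/ { print > side; next }
    !done { for (i = 1; i <= NF; i++) if ($i == "SOA") { $(i + 3) += 1; done = 1 } }
    { print }' "$1" > "$2"
}

# Constructed sample input; the key material is a placeholder, not a real GOST key.
WORK=$(mktemp -d)
cat > "$WORK/Kexample.com.+012+23003.key" <<'EOF'
example.com. IN DNSKEY 257 3 12 PLACEHOLDERPUBLICKEYDATA==
EOF
cat > "$WORK/Kexample.com.+012+42920.key" <<'EOF'
example.com. IN DNSKEY 256 3 12 PLACEHOLDERPUBLICKEYDATA==
EOF
cat > "$WORK/example.com" <<'EOF'
$TTL 3600
example.com. IN SOA ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 86400
example.com. IN NS ns1.example.com.
EOF
prepare_zone "$WORK/example.com" "$WORK/example.com.tosign" "$WORK/example.com.directives"
for k in "$WORK"/K*.key; do
  dnskey_is_gost "$k" || echo "WARNING: $k does not use algorithm 12 (ECC-GOST)"
  echo "$(dnskey_role "$k"): $k"
done
echo "serial: $(zone_serial "$WORK/example.com") -> $(zone_serial "$WORK/example.com.tosign")"
```

The resulting example.com.tosign is what you pass to ldns-signzone; the saved directives are appended to the signed file afterwards.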

Copyright © ООО "Криптоком". 2001-2024. All Rights Reserved.