We provide managed hosting and co-locating services out of Amsterdam.


DNSSEC w/ NSD

Check the published DNSKEY RRset with (add +dnssec to also see the RRSIGs over it):

dig DNSKEY +multiline +norec @ns <domain>

Signing

Zone Signing Key (ZSK). Note that the 1024-bit RSA key size used below is weaker than current guidance: RFC 8624 recommends ECDSAP256SHA256 (`-a ECDSAP256SHA256`, no `-b` needed) or, if RSA must be used, at least 2048 bits; 1024-bit RSA ZSKs were only ever considered acceptable together with frequent rollover.

$ ldns-keygen -a RSASHA256 -b 1024 <domain>

Key Signing Key (KSK). The KSK's DS record must be published in the parent zone (generate it with `ldns-key2ds <KSK>.key`) before validators will trust the zone, and whenever the KSK is rolled the new DS must be in the parent before the old KSK is retired. The same key-size caveat as for the ZSK applies; since a KSK is rolled rarely, 2048-bit RSA or ECDSAP256SHA256 is the usual choice.

$ ldns-keygen -k -a RSASHA256 -b 1024 <domain>

Sign the zone

$ ldns-signzone <zone> <KSK> <ZSK>

Scripts

Sign the zone

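#!/bin/sh
#
# sign-zone: sign an NSD master zone with ldns-signzone.
#
# Usage:  sign-zone <domain>
#
# Reads   ${ZONES}/<domain>              the unsigned zone file
#         ${ZONES}/K<domain>.+*+*.key    keys written by ldns-keygen
#                                        (their .private files are used too)
# Writes  ${ZONES}/<domain>.signed
#
# Keys are classified by the DNSKEY flags field inside each .key file
# (257 = KSK, 256 = ZSK) rather than by sorting file names: key tags are
# pseudo-random, so "the highest tag is the KSK" is not a valid assumption
# and would silently pick the wrong key. Every key of each kind that is
# present is handed to ldns-signzone, so a pre-published or rolling key is
# published and signed with as well; remove a key's files once it is retired.
#
# Exits non-zero if the zone or a key is missing or signing fails; in that
# case the existing ${ZONES}/<domain>.signed is left untouched.

# POSIX sh only: no [[ ]], no echo -n, no pipefail (not available in dash).
set -eu

DOMAIN=${1:-}
ZONES=/var/nsd/zones/master
ZONE=${ZONES}/${DOMAIN}

# The domain is used to build paths under ${ZONES}; refuse anything that
# is empty, contains a slash or starts with a dot.
case ${DOMAIN} in
    ''|*/*|.*)
        echo "usage: $0 <domain>" >&2
        exit 1
        ;;
esac

if [ ! -f "${ZONE}" ]; then
    echo "Unable to locate zone ${ZONE}" >&2
    exit 1
fi

# Print the base name (path without .key) of every key for ${DOMAIN} whose
# DNSKEY flags field equals $1. ldns-keygen names keys K<domain>.+<alg>+<tag>
# and writes the public RR (… IN DNSKEY <flags> 3 <alg> …) into the .key file.
keys_with_flags() {
    for keyfile in "${ZONES}/K${DOMAIN}.+"*.key; do
        [ -f "${keyfile}" ] || continue
        if grep -Eq "[[:space:]]DNSKEY[[:space:]]+$1[[:space:]]" "${keyfile}"; then
            printf '%s\n' "${keyfile%.key}"
        fi
    done
}

KSK=$(keys_with_flags 257)
ZSK=$(keys_with_flags 256)

if [ -z "${KSK}" ]; then
    echo "No KSK (DNSKEY flags 257) for ${DOMAIN} in ${ZONES}" >&2
    exit 1
fi
if [ -z "${ZSK}" ]; then
    echo "No ZSK (DNSKEY flags 256) for ${DOMAIN} in ${ZONES}" >&2
    exit 1
fi

printf 'Key signing key(s) for %s:\n%s\n' "${DOMAIN}" "${KSK}"
printf 'Zone signing key(s) for %s:\n%s\n' "${DOMAIN}" "${ZSK}"

# Key base names come from ldns-keygen and contain no whitespace, so word
# splitting on newlines/spaces is safe; globbing is disabled while splitting.
set -f
# shellcheck disable=SC2086 -- intentional word splitting into "$@"
set -- ${KSK} ${ZSK}
set +f

# Sign into a temporary file and rename it into place, so a failure part way
# through never leaves NSD with a truncated .signed zone.
TMP=${ZONE}.signed.tmp
trap 'rm -f "${TMP}"' EXIT

echo "Signing zone ${ZONE}"
ldns-signzone -f "${TMP}" "${ZONE}" "$@"
mv -f "${TMP}" "${ZONE}.signed"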

Auto-sign the zone (cron)

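#!/bin/sh
#
# autosign-zone: re-sign an NSD master zone from cron with ldns-signzone.
#
# Usage:  autosign-zone <domain>
#
# Reads   ${ZONES}/<domain>              the unsigned zone file
#         ${ZONES}/K<domain>.+*+*.key    keys written by ldns-keygen
#                                        (their .private files are used too)
# Writes  ${ZONES}/<domain>.tosign       unsigned zone with a fresh SOA serial
#         ${ZONES}/<domain>.signed
#
# Keys are classified by the DNSKEY flags field inside each .key file
# (257 = KSK, 256 = ZSK) rather than by sorting file names: key tags are
# pseudo-random, so "the highest tag is the KSK" is not a valid assumption
# and would silently pick the wrong key. Every key of each kind that is
# present is handed to ldns-signzone, so a pre-published or rolling key is
# published and signed with as well; remove a key's files once it is retired.
#
# Exits non-zero if the zone or a key is missing or signing fails; in that
# case the existing ${ZONES}/<domain>.signed is left untouched.

# POSIX sh only: no [[ ]], no echo -n, no pipefail (not available in dash).
set -eu

DOMAIN=${1:-}
ZONES=/var/nsd/zones/master
ZONE=${ZONES}/${DOMAIN}

# The domain is used to build paths under ${ZONES}; refuse anything that
# is empty, contains a slash or starts with a dot.
case ${DOMAIN} in
    ''|*/*|.*)
        echo "usage: $0 <domain>" >&2
        exit 1
        ;;
esac

if [ ! -f "${ZONE}" ]; then
    echo "Unable to locate zone ${ZONE}" >&2
    exit 1
fi

# Give the zone a date-based SOA serial before signing, so secondaries pick
# up the new RRSIGs. NOTE(review): -S YYYYMMDDxx derives the new serial from
# the serial in the *unsigned* ${ZONE}, which this script never rewrites, so
# two runs on the same day presumably yield the same serial -- confirm
# against your ldns version and cron interval before relying on daily runs.
echo "Convert zone ${DOMAIN} to ${DOMAIN}.tosign"
ldns-read-zone -S YYYYMMDDxx "${ZONE}" > "${ZONE}.tosign"

# Print the base name (path without .key) of every key for ${DOMAIN} whose
# DNSKEY flags field equals $1. ldns-keygen names keys K<domain>.+<alg>+<tag>
# and writes the public RR (… IN DNSKEY <flags> 3 <alg> …) into the .key file.
keys_with_flags() {
    for keyfile in "${ZONES}/K${DOMAIN}.+"*.key; do
        [ -f "${keyfile}" ] || continue
        if grep -Eq "[[:space:]]DNSKEY[[:space:]]+$1[[:space:]]" "${keyfile}"; then
            printf '%s\n' "${keyfile%.key}"
        fi
    done
}

KSK=$(keys_with_flags 257)
ZSK=$(keys_with_flags 256)

if [ -z "${KSK}" ]; then
    echo "No KSK (DNSKEY flags 257) for ${DOMAIN} in ${ZONES}" >&2
    exit 1
fi
if [ -z "${ZSK}" ]; then
    echo "No ZSK (DNSKEY flags 256) for ${DOMAIN} in ${ZONES}" >&2
    exit 1
fi

printf 'Key signing key(s) for %s:\n%s\n' "${DOMAIN}" "${KSK}"
printf 'Zone signing key(s) for %s:\n%s\n' "${DOMAIN}" "${ZSK}"

# Key base names come from ldns-keygen and contain no whitespace, so word
# splitting on newlines/spaces is safe; globbing is disabled while splitting.
set -f
# shellcheck disable=SC2086 -- intentional word splitting into "$@"
set -- ${KSK} ${ZSK}
set +f

# Sign into a temporary file and rename it into place, so a failure part way
# through never leaves NSD with a truncated .signed zone.
TMP=${ZONE}.signed.tmp
trap 'rm -f "${TMP}"' EXIT

echo "Signing zone ${ZONE}"
ldns-signzone -f "${TMP}" "${ZONE}.tosign" "$@"
mv -f "${TMP}" "${ZONE}.signed"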