From 7cadcce0882c4236c277d44d1d635207e7a95a4f Mon Sep 17 00:00:00 2001
From: Chl
Date: Sat, 3 Aug 2019 15:50:20 +0200
Subject: [PATCH] make-dnssec: adding memento
---
 Makefile-dnssec-nsec3 | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/Makefile-dnssec-nsec3 b/Makefile-dnssec-nsec3
index 2f484c9..0c1f30e 100644
--- a/Makefile-dnssec-nsec3
+++ b/Makefile-dnssec-nsec3
@@ -1,3 +1,12 @@
+# Small memento to get things up with BIND 9
+# cd /etc/bind/keys
+# dnssec-keygen -a RSASHA512 -3 -b 2048 -n ZONE -f KSK -L 172800 example.org
+# dnssec-keygen -a RSASHA512 -3 -b 2048 -n ZONE -L 172800 example.org
+# then, add the two INCLUDE in the zone file :
+# $INCLUDE ../keys/Kexample.org.+010+31182.key ; 257 = KSK
+# $INCLUDE ../keys/Kexample.org.+010+61130.key ; 256 = ZSK
+# finally, launch the make to generate the db.xxxxx.signed file.
+
 # For NSEC3 records, we need 8 random bytes, which means a 16 hexa string
 SALT := $(shell dd if=/dev/random bs=13 count=1 2>/dev/null | hexdump -v -e '"%02x"' | cut -c 1-16 )
@@ -8,6 +17,11 @@ reload: db.*.signed
 	service bind9 reload
 # Ou nsdc rebuild && nsdc reload pour NSD
+# Look up for any db.xxx / db.xxx.signed pair and launch
+# the signing if db.xxx.signed is older than db.xxx
+# memento :
+# - $* = "db.xxx.signed"
+# - $^ = "db.xxx"
 db.%.signed: db.%
 	@echo Signing requires a lot of entropy in /dev/random, do not hesitate to load the machine...
 # 5356800 seconds = two months of validity
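Review bot: The two `$INCLUDE` lines in the new memento hard-code key tags (`+010+31182`, `+010+61130`) that belong to one particular keygen run; dnssec-keygen derives the tag from the generated key, so anyone following these steps gets different filenames and the quoted paths will not match their keys. I would write them as placeholders, e.g. `# $INCLUDE ../keys/Kexample.org.+010+<keytag>.key ; 257 = KSK` and `# $INCLUDE ../keys/Kexample.org.+010+<keytag>.key ; 256 = ZSK`, followed by `# (use the K*.key file names printed by dnssec-keygen)`. It is also worth one line noting that dnssec-keygen writes the matching `.private` files into the same directory, so that directory should stay readable only by the user that runs the signing. The `$INCLUDE` text is safe inside a Makefile comment because Make does not expand comment lines.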
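Review bot: The new memento in front of `db.%.signed: db.%` misdescribes the automatic variables: for this pattern rule `$*` is the stem (`xxx`), not `db.xxx.signed`; the target is `$@`. I would change the two bullets to `# - $@ = "db.xxx.signed"`, `# - $* = "xxx" (the stem matched by %)` and `# - $^ = "db.xxx"`, so that nobody later writes a recipe against `$*` expecting the signed file name. The first sentence could also say what a pattern rule actually does, e.g. `# Pattern rule: any requested db.xxx.signed is rebuilt from db.xxx when it is missing or older`, since Make does not scan for pairs on its own — the visible `reload: db.*.signed` prerequisite is what requests the targets.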