make-dnssec: adding memento
This commit is contained in:
parent
d1ad5103ed
commit
7cadcce088
1 changed files with 14 additions and 0 deletions
|
@ -1,3 +1,12 @@
|
||||||
|
# Small memento to get things up with BIND 9
|
||||||
|
# cd /etc/bind/keys
|
||||||
|
# dnssec-keygen -a RSASHA512 -3 -b 2048 -n ZONE -f KSK -L 172800 example.org
|
||||||
|
# dnssec-keygen -a RSASHA512 -3 -b 2048 -n ZONE -L 172800 example.org
|
||||||
|
# then, add the two INCLUDE in the zone file :
|
||||||
|
# $INCLUDE ../keys/Kexample.org.+010+31182.key ; 257 = KSK
|
||||||
|
# $INCLUDE ../keys/Kexample.org.+010+61130.key ; 256 = ZSK
|
||||||
|
# finally, launch the make to generate the db.xxxxx.signed file.
|
||||||
|
|
||||||
# For NSEC3 records, we need 8 random bytes, which means a 16 hexa string
|
# For NSEC3 records, we need 8 random bytes, which means a 16 hexa string
|
||||||
SALT := $(shell dd if=/dev/random bs=13 count=1 2>/dev/null | hexdump -v -e '"%02x"' | cut -c 1-16 )
|
SALT := $(shell dd if=/dev/random bs=13 count=1 2>/dev/null | hexdump -v -e '"%02x"' | cut -c 1-16 )
|
||||||
|
|
||||||
|
@ -8,6 +17,11 @@ reload: db.*.signed
|
||||||
service bind9 reload
|
service bind9 reload
|
||||||
# Ou nsdc rebuild && nsdc reload pour NSD
|
# Ou nsdc rebuild && nsdc reload pour NSD
|
||||||
|
|
||||||
|
# Look up for any db.xxx / db.xxx.signed pair and launch
|
||||||
|
# the signing if db.xxx.signed is older than db.xxx
|
||||||
|
# memento :
|
||||||
|
# - $* = "db.xxx.signed"
|
||||||
|
# - $^ = "db.xxx"
|
||||||
db.%.signed: db.%
|
db.%.signed: db.%
|
||||||
@echo Signing requires a lot of entropy in /dev/random, do not hesitate to load the machine...
|
@echo Signing requires a lot of entropy in /dev/random, do not hesitate to load the machine...
|
||||||
# 5356800 seconds = two months of validity
|
# 5356800 seconds = two months of validity
|
||||||
|
|
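Review bot: The memento line `# - $* = "db.xxx.signed"` above the pattern rule `db.%.signed: db.%` is wrong for Make: `$*` is the stem matched by `%` (here `xxx`), while the full target name is `$@`; the line should read `# - $@ = "db.xxx.signed", $* = "xxx"` (the `$^ = "db.xxx"` line is correct). In the first hunk, the `$INCLUDE ../keys/Kexample.org.+010+31182.key` and `+010+61130` lines carry the key tags of one particular generated pair; a short remark that the tag is printed by dnssec-keygen and differs for every key would keep a reader from copying these values verbatim. The memento also says nothing about the `.private` files dnssec-keygen writes next to each `.key` under /etc/bind/keys; a one-line reminder to keep them readable only by the signing user would fit the "get things up" purpose of this comment block. The recipe of the `db.%.signed` rule continues outside the hunk, so I could not check whether `$*` is actually used there.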