
bind9 ispconfig dnssec inline signing ubuntu 12.04

hi

here is a short howto for signing ISPConfig-managed zones with BIND's inline signing:

install ispconfig as shown on howtoforge:
http://www.howtoforg … -dovecot-ispconfig-3

install BIND 9.9 from a PPA, because the 9.8 that ships with 12.04 does not support inline-signing (it was introduced in 9.9.0).
add these two lines to your sources list (or use add-apt-repository ppa:malcscott/bind9.9, which adds the same entries and imports the PPA signing key for you), refresh the package index and install:

deb http://ppa.launchpad.net/malcscott/bind9.9/ubuntu precise main 
deb-src http://ppa.launchpad.net/malcscott/bind9.9/ubuntu precise main
aptitude update
aptitude install bind9

create a directory for your zone keys and generate a KSK and a ZSK for the zone:

mkdir /var/cache/bind/keys/
cd /var/cache/bind/keys/
# name the algorithm explicitly: BIND 9.9 still defaults to RSASHA1, and both keys must use the same algorithm
dnssec-keygen -r /dev/urandom -a RSASHA256 -b 2048 -f KSK domain.tld
dnssec-keygen -r /dev/urandom -a RSASHA256 -b 1024 domain.tld
# named reads the .private files, so they (and the directory) must belong to the bind user
chown -R bind:bind /var/cache/bind/keys

(key generation should be patched into ISPConfig as well; I haven't had the time for it)

patch the ISPConfig template for named.conf.local as follows:
/usr/local/ispconfig/server/conf/bind_named.conf.local.master

--- a/usr/local/ispconfig/server/conf/bind_named.conf.local.master
+++ b/usr/local/ispconfig/server/conf/bind_named.conf.local.master
@@ -4,6 +4,8 @@
 zone "<tmpl_var name='zone'>" {
         type master;
 <tmpl_var name='options'>        file "<tmpl_var name='zonefile_path'>";
+       auto-dnssec maintain;
+       inline-signing yes;
 };
 </tmpl_if>
 </tmpl_loop>
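Review bot: the two added lines enable auto-dnssec maintain and inline-signing for every master zone this template renders, not only for zones that actually have keys in the key directory; named will log warnings about missing keys for all the others and will create a .signed copy plus a journal next to every zone file. Consider guarding the two lines with a per-zone condition (the template already uses <tmpl_if>, as the closing tag two lines below shows) or making sure every master zone gets keys before it is deployed. Two smaller points: because `file "<tmpl_var name='zonefile_path'>"` points into ISPConfig's zone directory, the bind user needs write access to that directory for the .signed copy, which is worth stating in the howto; and the added lines are indented with seven spaces while the surrounding `type master;` uses eight.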

add the following line inside the options { } block of your named.conf.options, check the result with named-checkconf, and restart bind:

key-directory "/var/cache/bind/keys/";
service bind9 restart

two things to check after the restart: named has to write the signed copy of each zone (the .signed file and its journal) next to the unsigned zone file, so the bind user needs write access to the directory ISPConfig stores zone files in; on Ubuntu the default AppArmor profile for named only allows reads under /etc/bind, so watch /var/log/syslog for "permission denied" on the first load. once a zone is up, rndc signing -list domain.tld shows which keys named is signing with, and dig @127.0.0.1 domain.tld DNSKEY +dnssec should return the DNSKEY records together with their RRSIGs.

you must push the DS record of your KSK to your registrar
in my case nic.at
here is how to derive it from the KSK's public key file (the K*.key file whose first comment line says "key-signing key"):

cd /var/cache/bind/keys/
# without -1 or -2, dnssec-dsfromkey prints both the SHA-1 (digest type 1) and the SHA-256 (digest type 2) DS record
dnssec-dsfromkey Kdomain.tld.+<alg>+<keytag>.key

submit the SHA-256 one if your registrar accepts it; the SHA-1 digest is only there for compatibility.
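The DS record is nothing more than a key tag plus a hash over the owner name and the DNSKEY RDATA (RFC 4034 section 5.1.4 and Appendix B), which is exactly what dnssec-dsfromkey computes. As an added example for this post (my own code, not part of BIND, ISPConfig or the original howto), here is that computation in Python, so you can cross-check the DS your registrar shows against the DNSKEY your server actually publishes. The zone name domain.tld and the DNSKEY line are constructed; its base64 part is truncated, synthetic key material, not a usable RSA key.

```python
"""Derive DNSKEY key tags and DS records (RFC 4034 Appendix B, section 5.1.4)
and check a DS record against a DNSKEY, offline, with only the standard library.
Added example, not BIND's or ISPConfig's code. Sample data below is constructed."""
import base64
import hashlib
import struct

# Constructed sample: the RDATA of a KSK as `dig +short domain.tld DNSKEY` prints it.
# Flags 257 = ZONE (256) + SEP (1), protocol 3, algorithm 8 (RSASHA256).
# The base64 part is truncated, synthetic key material, not a real RSA key.
SAMPLE_ZONE = "domain.tld"
SAMPLE_DNSKEY = "257 3 8 AwEAAQ=="

# DS digest types: 1 = SHA-1, 2 = SHA-256 (the two dnssec-dsfromkey prints by default)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Owner name in canonical wire form: lowercased labels, each prefixed by its
    length, terminated by a zero byte. The DS digest is computed over this form."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label in %r" % name)
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(dnskey_text):
    """Parse 'flags protocol algorithm base64...' into (flags, proto, alg, rdata bytes).
    The base64 key may be split over several whitespace-separated chunks."""
    parts = dnskey_text.split()
    flags, proto, alg = int(parts[0]), int(parts[1]), int(parts[2])
    pubkey = base64.b64decode("".join(parts[3:]))
    return flags, proto, alg, struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit ones-complement-style sum over the RDATA.
    (Algorithm 1, RSAMD5, has a different rule and is not handled here.)"""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags):
    """A KSK carries the ZONE bit (256) and the SEP bit (1), i.e. flags 257."""
    return flags & 0x0101 == 0x0101


def ds_record(zone, dnskey_text, digest_type):
    """Return the DS RDATA 'keytag alg digest_type HEXDIGEST' for one DNSKEY."""
    flags, proto, alg, rdata = dnskey_rdata(dnskey_text)
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    digest = DIGEST_TYPES[digest_type](name_to_wire(zone) + rdata).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(rdata), alg, digest_type, digest)


def ds_matches_dnskey(zone, ds_text, dnskey_text):
    """True if a DS RDATA line (from the registrar or `dig +short domain.tld DS`)
    was derived from this DNSKEY. Handles a digest printed in several chunks."""
    parts = ds_text.split()
    tag, alg, dtype = parts[0], parts[1], parts[2]
    digest = "".join(parts[3:]).upper()
    return ds_record(zone, dnskey_text, int(dtype)).split() == [tag, alg, dtype, digest]


if __name__ == "__main__":
    flags = dnskey_rdata(SAMPLE_DNSKEY)[0]
    print("KSK" if is_ksk(flags) else "ZSK", "key tag", key_tag(dnskey_rdata(SAMPLE_DNSKEY)[3]))
    for dtype in (1, 2):
        print(SAMPLE_ZONE + ". IN DS " + ds_record(SAMPLE_ZONE, SAMPLE_DNSKEY, dtype))
```

In practice you paste the flags/protocol/algorithm/key part of the DNSKEY line with flags 257 from `dig +short domain.tld DNSKEY` into ds_record, and compare the output with what dnssec-dsfromkey printed and with what the registrar shows; ds_matches_dnskey does that comparison for you, and a mismatch after a key rollover means the DS at the parent still points at the old KSK.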

some useful links:
https://kb.isc.org/a … -9.9.0-Examples.html
http://fanf.livejournal.com/112476.html
http://wiki.debian.org/DNSSEC
http://dnscheck.iis.se/

have fun!