bind9 ispconfig dnssec inline signing ubuntu 12.04


here is a nice howto:

install ispconfig as shown on howtoforge:
http://www.howtoforg … -dovecot-ispconfig-3

install bind9.9 from ubuntu ppa because bind9.8 does not support inline-signing.
add to your sources list:

deb precise main 
deb-src precise main
aptitude install bind9

create a directory for your zone keys and generate them:

[code]mkdir /var/cache/bind/keys/
cd /var/cache/bind/keys/
dnssec-keygen -r /dev/urandom -f KSK domain.tld
dnssec-keygen -r /dev/urandom domain.tld
chown bind:bind *
[/code]

(this should be patched in ispconfig too, but I hadn't got the time for it)

patch the ispconfig template as follows:

--- a/usr/local/ispconfig/server/conf/bind_named.conf.local.master
+++ b/usr/local/ispconfig/server/conf/bind_named.conf.local.master
@@ -4,6 +4,8 @@
 zone "<tmpl_var name='zone'>" {
         type master;
 <tmpl_var name='options'>        file "<tmpl_var name='zonefile_path'>";
+       auto-dnssec maintain;
+       inline-signing yes;
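Review bot: the two options added at the end of this hunk are unconditional, so every master zone rendered from this template gets auto-dnssec maintain and inline-signing yes, while the howto only generates keys by hand for domain.tld. Either guard the two lines with a per-zone template condition, or make sure a KSK/ZSK pair exists in the key directory for each zone when it is created. The hunk is also cut short: the header announces 6 old and 8 new lines, but only three context lines are shown and the closing of the zone block is missing, so it will not apply as posted.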

add the following line to your named.conf.options:

key-directory "/var/cache/bind/keys/";
service bind9 restart

you must push your DS-RR to your registrar
in my case
how to extract it from your public key:

cd /var/cache/bind/keys/
dnssec-dsfromkey -1 Kdomain.tld.KSK#
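
To check the DS record before handing it to the registrar, the sketch below recomputes key tag and digest from a K*.key record line the way RFC 4034 defines them, and refuses any key whose flags are not 257 so the ZSK can't be submitted by mistake. It is an added example, not part of the original howto; the sample key line is constructed filler and the function names are made up for illustration.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) DNS wire form of an owner name."""
    labels = [p for p in name.lower().rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def parse_dnskey(line):
    """Parse one DNSKEY record line as found in a K*.key file."""
    fields = line.split(";")[0].split()          # drop trailing comment
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_record(line, digest_type=2):
    """Build the DS line for a KSK; digest_type 1 = SHA-1, 2 = SHA-256."""
    owner, rdata = parse_dnskey(line)
    flags, _, alg = struct.unpack("!HBB", rdata[:4])
    if flags != 257:
        raise ValueError("flags %d: the DS must point at the 257 (KSK) key" % flags)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    # The digest covers owner name in wire form followed by the DNSKEY RDATA.
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), alg, digest_type, digest)

# Constructed sample record: the key bytes are filler, not a real RSA key.
SAMPLE_KSK = ("domain.tld. IN DNSKEY 257 3 5 "
              + base64.b64encode(bytes(range(1, 33))).decode())

if __name__ == "__main__":
    print(ds_record(SAMPLE_KSK, 1))   # same digest type as dnssec-dsfromkey -1
    print(ds_record(SAMPLE_KSK, 2))   # SHA-256 digest for comparison
```

Feed it the record line from your own KSK file and compare the result with what dnssec-dsfromkey prints and with what the registrar shows after the upload.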

here are some nice links: … -9.9.0-Examples.html

have fun!