hi
here is a nice howto:
install ispconfig as shown on howtoforge:
http://www.howtoforg … -dovecot-ispconfig-3
install bind9.9 from ubuntu ppa because bind9.8 does not support inline-signing.
add to your sources list:
deb http://ppa.launchpad.net/malcscott/bind9.9/ubuntu precise main
deb-src http://ppa.launchpad.net/malcscott/bind9.9/ubuntu precise main

aptitude install bind9
create directory for your zone keys and create em:
[code]mkdir /var/cache/bind/keys/
cd /var/cache/bind/keys/
dnssec-keygen -r /dev/urandom -f KSK domain.tld
dnssec-keygen -r /dev/urandom domain.tld
chown bind:bind *[/code]
(this should be patched too in ispconfig) hadn’t got the time for it
patch the ispconfig template as follows:
/usr/local/ispconfig/server/conf/bind_named.conf.local.master
--- a/usr/local/ispconfig/server/conf/bind_named.conf.local.master +++ b/usr/local/ispconfig/server/conf/bind_named.conf.local.master @@ -4,6 +4,8 @@ zone "<tmpl_var name='zone'>" { type master; <tmpl_var name='options'> file "<tmpl_var name='zonefile_path'>"; + auto-dnssec maintain; + inline-signing yes; }; </tmpl_if> </tmpl_loop>
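Review bot: The two added lines, auto-dnssec maintain; and inline-signing yes;, sit unconditionally inside the zone block that the template loop emits, so every master zone ISPConfig writes gets them, including zones for which no keys were generated in the key directory. Consider guarding them with a per-zone tmpl_if (the flag would be new; nothing in the visible template provides one) or making key generation part of zone creation, so that signing options and keys stay in step. The hunk also relies on key-directory being set in named.conf.options; a short comment in the template saying so would help whoever edits it next.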
add the following line to your named.conf.options:
key-directory "/var/cache/bind/keys/";
service bind9 restart
you must push your DS-RR to your registrar
in my case nic.at
how to extract it out of your public key:
cd /var/cache/bind/keys/
dnssec-dsfromkey -1 Kdomain.tld.KSK#
here are some nice links:
https://kb.isc.org/a … -9.9.0-Examples.html
http://fanf.livejournal.com/112476.html
http://wiki.debian.org/DNSSEC
http://dnscheck.iis.se/
have fun!
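The DS extraction step above, worked through as an added example (not part of the original post): a DS record is the key tag plus a digest over the owner name in wire form followed by the DNSKEY RDATA, which lets you check what the registrar publishes against your KSK. The sample key is constructed, not a real key; digest type 1 is SHA-1 (what `-1` selects) and type 2 is SHA-256, and refusing keys without the SEP bit is a choice made in this example.

```python
import base64
import hashlib
import struct

# Constructed sample, not a real key: 32 counting bytes stand in for the public key.
SAMPLE_DNSKEY = "Domain.TLD. IN DNSKEY 257 3 8 " + base64.b64encode(bytes(range(32))).decode()

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)


def name_to_wire(name):
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Split a presentation-format DNSKEY line into owner name and RDATA bytes."""
    fields = line.split()
    i = fields.index("DNSKEY")  # tolerates an optional TTL before the class
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(line, digest_type):
    """Build the DS record text for one DNSKEY line."""
    owner, rdata = parse_dnskey(line)
    flags, alg = struct.unpack("!H", rdata[:2])[0], rdata[3]
    if not flags & 0x0001:  # example policy: only the KSK (SEP bit set) goes to the parent
        raise ValueError("SEP bit not set: this is a ZSK, not the KSK")
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower()} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


if __name__ == "__main__":
    for dt in (1, 2):
        print(ds_record(SAMPLE_DNSKEY, dt))
```

To compare against a real key, pass the DNSKEY line from your own Kdomain.tld.*.key file instead of the sample.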