DNSSEC-sign DNS zone(s) in one command. DNSSEC-ninja!

This script follows a special kind of folder structure, to make it easier to understand where to look up and read DNS zones. The zone file, without any DNSSEC entries, must be called `db` and be placed in the root of the zone's own folder (`<domain.tld>/`) inside the zones-folder:

```
<zones-folder>/
  <domain.tld>/
    db
```

Personally I find this folder structure easier to look up and read when I'm working on a server, and that is the reason why I decided to have it like this.
Clone this repository and make the script executable:

```
git clone email@example.com:joachimmg/dnssec-signer.git && cd "dnssec-signer"
chmod +x dnssec-signer
```
Open `dnssec-signer` in an editor and alter the configuration section:

- `named`-file: the file with the zones you're authoritative for. This file is used to sign only the active zones when no arguments are given when executing the script, typically when running the script as a daemon.
- zones-folder (see: Requirements): where you store your zones.
- `/usr/sbin/named-checkzone`: where the application `named-checkzone` is located in your OS.
- `/usr/sbin/named-checkconf`: where the application `named-checkconf` is located in your OS.
- `/usr/sbin/dnssec-keygen`: where the application `dnssec-keygen` is located in your OS.
- `/usr/sbin/dnssec-signzone`: where the application `dnssec-signzone` is located in your OS.
- `/bin/systemctl`: where the application `systemctl` is located in your OS.
- `bind.service`: which DNS service you're using and that `systemctl` will have to restart.
- `/usr/bin/logger`: which logger application you will use and where it resides in your OS.
- `-t "<username>" -p daemon.info`: flags you want to pass to `logger` when logging successful messages.
- `-t "<username>" -p daemon.err`: flags you want to pass to `logger` when logging error messages.
If you like, you can link the file into a `bin`-directory, to access the script globally from any working directory:

```
ln -s /not/a/relative/path/to/dnssec-signer /usr/bin/
```
A signed zone will be stored in a file called `db.signed`, and that is the file you have to refer to (or change to) in the `named`-file. This is something you only need to do once, after you have signed the zone.

Please don't delete the `db`-file! When you need to change a zone, make the changes in the `db`-file and generate a new signed file (remove the old `db.signed` and sign the zone again afterwards, which will generate a new `db.signed`-file for you). It's more or less impossible to make changes in the signed file.

Please don't delete the KEYS! They are stored in the `<domain.tld>/`-directory, and they should be kept there for resigning.

The first time a zone is signed, a file called `dsset-<domain.tld>` is generated. To establish the chain of trust you must add the keys (the DS records) from this `dsset`-file with your registrar.
Sign one or more zones:

```
./dnssec-signer <zone> <zone> ... <zone>
```

Note: this won't require the zone(s) to be in the `named`-file.

Sign all active zones (no arguments):

```
./dnssec-signer
```

Note: this will check that each zone is in your `named`-file before processing it, as this is typically used in a cron-job to update the hash for the zone.
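The folder structure, the configuration section and the two ways of running the script above all describe one workflow: check the zone file, create keys once, sign `db` into `db.signed`, restart the DNS service and log the result. The following is an added example that re-creates that workflow in POSIX shell; it is not the dnssec-signer project's own code. The `ZONES_DIR`, `NAMED_CONF` and `LOG_TAG` values are placeholders (assumptions), the tool paths mirror the configuration section, and the `dnssec-keygen`/`dnssec-signzone` flags (`-K`, `-a`, `-f KSK`, `-S`, `-o`) are standard BIND 9 options rather than anything the README specifies.

```shell
#!/bin/sh
# Added example, not the dnssec-signer project's own code: a minimal
# re-creation of the workflow the README describes (check zone, generate
# keys once, sign to db.signed, restart BIND, log the result).
# Everything marked "assumption" is a placeholder, not a project value.
ZONES_DIR="${ZONES_DIR:-/etc/bind/zones}"               # assumption
NAMED_CONF="${NAMED_CONF:-/etc/bind/named.conf.local}"  # assumption
NAMED_CHECKZONE="${NAMED_CHECKZONE:-/usr/sbin/named-checkzone}"
DNSSEC_KEYGEN="${DNSSEC_KEYGEN:-/usr/sbin/dnssec-keygen}"
DNSSEC_SIGNZONE="${DNSSEC_SIGNZONE:-/usr/sbin/dnssec-signzone}"
SYSTEMCTL="${SYSTEMCTL:-/bin/systemctl}"
DNS_SERVICE="${DNS_SERVICE:-bind.service}"
LOGGER="${LOGGER:-/usr/bin/logger}"
LOG_TAG="${LOG_TAG:-dnssec-signer}"                     # assumption

# active_zones NAMED_FILE
# Print the zone names declared with `zone "name"` in NAMED_FILE, one per line.
active_zones() {
    sed -n 's/^[[:space:]]*zone[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# zone_is_active NAMED_FILE ZONE -> exit status 0 if ZONE is declared in NAMED_FILE
zone_is_active() {
    active_zones "$1" | grep -qxF "$2"
}

# sign_zone ZONE: validate ZONES_DIR/ZONE/db, sign it, restart the DNS service.
sign_zone() {
    zone="$1"
    dir="$ZONES_DIR/$zone"
    if [ ! -f "$dir/db" ]; then
        "$LOGGER" -t "$LOG_TAG" -p daemon.err "$zone: missing $dir/db"
        return 1
    fi
    # 1. Refuse to sign a zone file that named itself would reject.
    if ! "$NAMED_CHECKZONE" "$zone" "$dir/db" >/dev/null; then
        "$LOGGER" -t "$LOG_TAG" -p daemon.err "$zone: named-checkzone failed"
        return 1
    fi
    # 2. Create a KSK and a ZSK only on the first run; later runs re-use the
    #    K<zone>.+<alg>+<id>.key/.private files kept in the zone folder.
    if ! ls "$dir"/K"$zone".+*.key >/dev/null 2>&1; then
        "$DNSSEC_KEYGEN" -K "$dir" -a ECDSAP256SHA256 -f KSK "$zone" >/dev/null &&
        "$DNSSEC_KEYGEN" -K "$dir" -a ECDSAP256SHA256 "$zone" >/dev/null || return 1
    fi
    # 3. Sign: -S picks the keys up from the -K directory; the output lands in
    #    db.signed and the DS records in dsset-<zone>. next to it.
    if ! (cd "$dir" && "$DNSSEC_SIGNZONE" -S -K . -o "$zone" db >/dev/null); then
        "$LOGGER" -t "$LOG_TAG" -p daemon.err "$zone: dnssec-signzone failed"
        return 1
    fi
    # 4. named must pick up the new db.signed (the file the named-file points at).
    "$SYSTEMCTL" restart "$DNS_SERVICE" || return 1
    "$LOGGER" -t "$LOG_TAG" -p daemon.info "$zone: signed $(date '+%Y-%m-%d %H:%M:%S')"
}

# main: zones given as arguments are signed as-is; with no arguments every
# zone declared in NAMED_CONF is signed (the cron-job mode from the README).
main() {
    if [ $# -gt 0 ]; then
        for z in "$@"; do sign_zone "$z" || return 1; done
    else
        for z in $(active_zones "$NAMED_CONF"); do sign_zone "$z" || return 1; done
    fi
}
# Run as: DNSSEC_SIGNER_MAIN=1 ./sign.sh [zone ...]
case "${DNSSEC_SIGNER_MAIN:-}" in 1) main "$@" ;; esac
```

The `active_zones`/`zone_is_active` pair is the part worth copying: it is what makes the no-argument (cron) mode sign only zones that `named` actually serves, so a stray `<domain.tld>/` folder left in the zones-folder is never signed and reloaded by accident.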
Edit the crontab for the root user:

```
sudo crontab -e
```

and add the following:

```
0 0 */3 * * /path/to/dnssec-signer
```

This updates the active zones every 3rd day. Append `> /var/log/dnssec-signer` to store the last output log; then you can open this file and read the last result. There's also a timestamp produced at the start if you're wondering what time it updated the zone.
This is only tested under Bind9 on Ubuntu 16.04.03