DNSSEC Update


Some time ago I blogged that my zones are signed, and now it is possible to add the DS record to the .nl zone.

This is still a manual process, but I opted in with my pa1ton.nl domain. The .com TLD isn't signed yet, so tonkersten.com still has to wait.

I also updated some scripts and things to make it work better ;-)

First I need the ZSK and KSK and I generate them like this:

# ZSK (no -f KSK): -3 picks an NSEC3-capable algorithm, -e asks for a large RSA exponent
dnssec-keygen -e -a NSEC3RSASHA1 -3 -b 2048 -n ZONE pa1ton.nl
# KSK: -f KSK sets the SEP bit (flags 257), so this is the key the DS record will point at
dnssec-keygen    -a NSEC3RSASHA1 -3 -b 2048 -n ZONE -f KSK tonkersten.com

The -3 flag selects an NSEC3-capable algorithm, which is what allows the zone to use NSEC3 instead of NSEC.

And signing the zones is done like:

# -3 <salt>: NSEC3 salt in hex; -A: set the NSEC3 opt-out flag; -d: where the dsset- file goes;
# -K: key directory; -N unixtime: SOA serial from the current time; -f: output file;
# -o: zone origin; -S: smart signing (pick the keys for this zone from -K); last arg: zone file
dnssec-signzone			\
	-v 3				\
	-3 34A3				\
	-A					\
	-d keys				\
	-K keys				\
	-N unixtime			\
	-f pa1ton.nl.signed	\
	-o pa1ton.nl		\
	-S pa1ton.nl

It will take a couple of days for the DS record to appear in the .nl TLD.
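The two artefacts the commands above leave behind are the DS record (written by dnssec-signzone to dsset-pa1ton.nl., and the thing that gets handed to the .nl registry) and the NSEC3-hashed owner names produced by the -3 salt. This added example, which is not part of the original post and not the author's code, rebuilds both from first principles with the Python standard library: the key tag of RFC 4034 Appendix B, the DS digest of RFC 4034/4509, and the NSEC3 hash of RFC 5155. The DNSKEY it feeds in is a constructed placeholder (six bytes of "public key", algorithm 8), not the author's real key, and the NSEC3 iteration count of 10 is an assumption (BIND's default when -H is not given).

```python
# Added example (not from the original post). Derives, with the standard library only,
# the DS record that dnssec-signzone writes to dsset-<zone>. and the NSEC3 hashed owner
# names that "-3 <salt>" produces. The DNSKEY below is a constructed placeholder.
import base64
import hashlib
import struct

B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 section 7 alphabet used by NSEC3


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:            # the root name "" yields no labels
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): sum of 16-bit big-endian words, carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """DS RR text for a DNSKEY: digest = H(owner name in wire form || DNSKEY RDATA).
    digest_type 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509); 2 is what registries expect."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s. IN DS %d %d %d %s" % (owner.rstrip(".").lower(), key_tag(rdata),
                                     algorithm, digest_type, digest)


def base32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet, unpadded (20 SHA-1 bytes -> 32 characters)."""
    bits = "".join("{:08b}".format(b) for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(owner: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hashed owner name (RFC 5155 section 5): SHA-1(name || salt), then
    `iterations` further rounds of SHA-1(previous || salt). "-" means an empty salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    h = hashlib.sha1(name_to_wire(owner) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base32hex(h)


if __name__ == "__main__":
    # Constructed KSK: flags 257 (SEP bit set, as -f KSK does), protocol 3, algorithm 8
    # (RSASHA256) and a 6-byte placeholder "public key" so the output stays readable.
    print(ds_record("pa1ton.nl", 257, 3, 8, "AwEAAavN"))
    # Salt 34A3 is the one the post passes to dnssec-signzone -3; the iteration count of
    # 10 is an assumption (BIND's default when -H is not given).
    for name in ("pa1ton.nl", "www.pa1ton.nl"):
        print("%s -> %s.pa1ton.nl" % (name, nsec3_hash(name, "34A3", 10)))
```

The DS line this prints has the same layout as the dsset- file BIND writes, so the check before submitting to the registry is simply that the key tag, algorithm and digest you derive from the published DNSKEY match what you send; a DS that points at a key not in the zone makes the whole zone bogus for validating resolvers. Two caveats worth knowing today: NSEC3 hashing is SHA-1 only by definition (there is no other NSEC3 hash algorithm), while RSASHA1-NSEC3-SHA1 (algorithm 7) as a signing algorithm is no longer recommended (RFC 8624), and RFC 9276 now advises zero extra iterations and an empty salt, since the salt and iterations add cost to resolvers without materially hindering offline dictionary attacks on the hashed names.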

I will keep you posted.
