Some time ago I blogged that my zones are signed and now it’s possible to add the DS key to the .nl zone.

This still is a manual process, but I opted in with my pa1ton.nl domain. The .com TLD isn’t signed yet, so the tonkersten.com is still to be done.

I also updated some scripts and things to make it work better ;-)

First I need the ZSK and KSK and I generate them like this:

dnssec-keygen -e -a NSEC3RSASHA1 -3 -b 2048 -n ZONE pa1ton.nl
dnssec-keygen    -a NSEC3RSASHA1 -3 -b 2048 -n ZONE -f KSK tonkersten.com

This enables the NSEC3 options for the zone.

And signing the zones is done like:

dnssec-signzone			\
	-v 3				\
	-3 34A3				\
	-A					\
	-d keys				\
	-K keys				\
	-N unixtime			\
	-f pa1ton.nl.signed	\
	-o pa1ton.nl		\
	-S pa1ton.nl

It will take a couple of days for the DS keys to appear in the .nl TLD.

I will keep you posted.


See also