Some time ago I blogged that my zones are signed and now it’s possible to add
the DS key to the
This is still a manual process, but I opted in with my pa1ton.nl domain. The .com TLD isn’t signed yet, so tonkersten.com is still to be done.
I also updated some scripts and things to make it work better ;-)
First I need the ZSK and KSK and I generate them like this:
    dnssec-keygen -e -a NSEC3RSASHA1 -3 -b 2048 -n ZONE pa1ton.nl
    dnssec-keygen -a NSEC3RSASHA1 -3 -b 2048 -n ZONE -f KSK tonkersten.com
This enables the NSEC3 options for the zone.
And signing the zones is done like:
    dnssec-signzone \
        -v 3 \
        -3 34A3 \
        -A \
        -d keys \
        -K keys \
        -N unixtime \
        -f pa1ton.nl.signed \
        -o pa1ton.nl \
        -S pa1ton.nl
It will take a couple of days for the DS keys to appear in the
I will keep you posted.
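The DS record that goes to the parent zone is derived from the KSK's DNSKEY record: a key tag (RFC 4034 appendix B) plus a digest over the owner name and the key data. The following is an added example, not code from the original post: it computes the SHA-256 DS from a one-line DNSKEY record and rejects a ZSK. The sample key bytes are constructed filler, not a real key, and the function names are chosen for this example.

```python
import base64
import hashlib

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(rr):
    """Split a one-line DNSKEY RR into (owner, flags, RDATA bytes)."""
    fields = rr.split()
    i = fields.index("DNSKEY")          # tolerates an optional TTL before "IN"
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    return fields[0], flags, rdata

def key_tag(rdata):
    """Key tag as defined in RFC 4034 appendix B (not valid for algorithm 1)."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(rr):
    """Return the SHA-256 (digest type 2) DS record text for a KSK."""
    owner, flags, rdata = parse_dnskey(rr)
    if not flags & 0x0001:
        # SEP bit clear means flags 256: submitting a ZSK's DS would break
        # validation at the next ZSK rollover.
        raise ValueError("not a KSK: SEP flag is clear, this looks like a ZSK")
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} 2 {digest}"

# Constructed sample key material (not a real RSA key): exponent 65537 and a
# 2048-bit filler modulus, laid out as exponent-length, exponent, modulus.
SAMPLE_PUB = b"\x03\x01\x00\x01" + bytes((j + 0x80) % 256 for j in range(256))
SAMPLE_B64 = base64.b64encode(SAMPLE_PUB).decode()
SAMPLE_KSK = f"pa1ton.nl. IN DNSKEY 257 3 7 {SAMPLE_B64}"   # algorithm 7 = NSEC3RSASHA1
SAMPLE_ZSK = f"pa1ton.nl. IN DNSKEY 256 3 7 {SAMPLE_B64}"

if __name__ == "__main__":
    print(ds_record(SAMPLE_KSK))
```

Comparing the key tag and digest computed locally with what the parent zone later publishes confirms that the right key was submitted.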