Some time ago I blogged that my zones are signed, and now it’s possible to add the DS key to the .nl zone.
This is still a manual process, but I opted in with my pa1ton.nl domain. The .com TLD isn’t signed yet, so tonkersten.com is still to be done.
I also updated some scripts and things to make it work better ;-)
First I need the ZSK and KSK, and I generate them like this:

~~~ {.bash}
# ZSK (-e: large exponent, -3: NSEC3-capable key)
dnssec-keygen -e -a NSEC3RSASHA1 -3 -b 2048 -n ZONE pa1ton.nl
# KSK (-f KSK sets the key-signing-key flag)
dnssec-keygen -a NSEC3RSASHA1 -3 -b 2048 -n ZONE -f KSK tonkersten.com
~~~

This enables the NSEC3 options for the zone.
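And signing the zones is done like:

~~~ {.bash}
# -3: NSEC3 salt (hex), -A: NSEC3 opt-out, -N unixtime: SOA serial from epoch time
# -K: key directory, -d: dsset-/keyset- file directory, -S: smart signing
dnssec-signzone \
    -v 3 \
    -3 34A3 \
    -A \
    -d keys \
    -K keys \
    -N unixtime \
    -f pa1ton.nl.signed \
    -o pa1ton.nl \
    -S pa1ton.nl
~~~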
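What the `-3 34A3` salt does during signing, as an added example that is not part of the original post: the RFC 5155 NSEC3 owner-name hash, written in Python. The iteration count and the `www` name are assumptions (the post gives neither), and the function names are illustrative.

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 section 7), not plain base32.
_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def wire_name(name: str) -> bytes:
    """Canonical DNS wire form: lowercased, length-prefixed labels, root byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H(name || salt), then `iterations` extra rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte SHA-1 output encodes to exactly 32 characters, no padding.
    return base64.b32encode(digest).translate(_TO_B32HEX).decode().lower()


if __name__ == "__main__":
    SALT = "34A3"      # salt from the dnssec-signzone command in the post
    ITERATIONS = 10    # assumed; the post does not state an iteration count
    # Constructed sample names; only the apex is known to exist from the post.
    for owner in ("pa1ton.nl", "www.pa1ton.nl"):
        print(owner, "->", nsec3_hash(owner, SALT, ITERATIONS) + ".pa1ton.nl.")
```

The printed labels are the owner names of the NSEC3 records in `pa1ton.nl.signed`, provided the iteration count matches the one in the zone's NSEC3PARAM record.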
It will take a couple of days for the DS keys to appear in the .nl TLD.
I will keep you posted.