This tutorial demonstrates public/private key creation and zone signing in BIND 9.
In brief, DNSSEC allows a resolver to authenticate the data it receives. Without DNSSEC, there is no way for the resolver to verify that the answer it gets back is truly from the official source, allowing for cache poisoning and security vulnerabilities like the Kaminsky bug. With DNSSEC, which utilizes public-key cryptography, these types of flaws will no longer pose a threat.
For a more detailed overview of DNSSEC, please see our Understanding DNSSEC entry on our Dynamic Discourse blog.
While it will take time for DNSSEC to be fully deployed across all domains, some TLDs such as .se and .br have already signed their root nameservers, and .org will begin signing in early- to mid-2009. In an effort to help our customers better understand how DNSSEC is implemented, this tutorial will walk through the process for signing a zone and any child zones.
DNSSEC is not currently available for Custom DNS. If you would like to see these dig results for yourself, you may perform dig queries using @recursive.dyn-dnssec.com +dnssec or by adding the following lines to named.conf.options in your own resolver:
trusted-keys {
"dyn-dnssec.com." 257 3 3 "BLR4mtJFmVw4HXiqMYRm8oYw3wPd06AC7sYDkNOboDuc9QavcclPOLK8
aVOAyWRa+pp/zudHc94pblpcCZD7uMS7cozZTjd/ZoC2Lz8STfLVjKGi
DrrjbVunyam2UCNCNAlTGEDJk9G1NhXWdOnb4c5afffDJCS7rB/cb0Dl
5egwEn8niRaj9+8yqwOTIdN3SKsdg7A2A1RWH1TgTfZOYjfynpupvDrh
DWbVjLX/aLnXrsA2yk88IL2m05RxB3/Fzm9GU1YlZFHS6uVtOjqMaPaj
hkLMba/9q63agMFZu54T1V4NWWQ4SQ2ovpcv5EGl3G9KBjRs+GWWiZ2W
vgoQB5G9smX67/E/ezTEogi7fV4OY2ttnG41zvenNlzJe17PndxogD+T
pAf/ITgeMnpEyFqQywEP";
};
Please note: If you use the same server for both authoritative and recursive DNS, you will need to use a second resolver to test your DNSSEC. If you query the authoritative server directly, you will receive the aa (Authoritative Answer) flag instead of the ad (Authenticated Data) flag.
The first step is to create the zone-signing key (ZSK) and key-signing key (KSK) for your zone. Briefly, the ZSK is a private/public key pair used to sign the records within the zone, while the KSK is used to sign other keys and act as the trust anchor from which child zones may be signed and authenticated. (You can use a single key pair for both roles, but it is much more secure to use separate pairs.)
Public/private key pair generation is accomplished with the dnssec-keygen utility, which comes packaged with the latest versions of BIND 9. Its general usage is:
dnssec-keygen -a alg -b keysize -n type [-f flag] hostname
For this tutorial, we'll use our real-world DNSSEC test domain, dyn-dnssec.com, to demonstrate. First, we'll generate the ZSK:
dnssec-keygen -a DSA -b 768 -n ZONE dyn-dnssec.com
Kdyn-dnssec.com.+003+38267
Note: If you receive a "command not found" error, you may need to log in as root or use sudo to run the command. Also, if key generation seems to be taking a while or appears to "hang", your system may be running low on entropy (randomized data used for cryptography); simply type a stream of random letters into the prompt to provide more entropy for the system to work with.
The output is the name of the public/private key pair, Kdyn-dnssec.com.+003+38267.private and Kdyn-dnssec.com.+003+38267.key (public). This ZSK will be used to sign other records in the dyn-dnssec.com zone file in the form of RRSIG (Resource Record Signature) records.
Next, we'll generate the KSK:
dnssec-keygen -a DSA -b 768 -n ZONE -f KSK dyn-dnssec.com
Kdyn-dnssec.com.+003+23459
Again, we have two files, one containing the private side of the key pair and the other containing the public key. Be sure to write down which filename is which, as it will be important to use the correct keys during zone signing. If you forget which key is which, you can easily tell by looking at the contents of the key files:
cat Kdyn-dnssec.com.+003+23459.key
dyn-dnssec.com. IN DNSKEY 257 3 3 BLR4mtJFmVw4HXi...
The value 257 is the flags field, which in this case is primarily used to differentiate between keys. A value of 256 is the ZSK, and a value of 257 is the KSK.
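To guard against mixing up the two files before signing, the script below (an added example, not part of the original tutorial) reads a .key file, reports the role from the flags field, and recomputes the key tag to confirm it matches the number at the end of the filename. The key-tag checksum comes from RFC 4034 Appendix B, which goes beyond what this page describes; the function names and the tiny sample keys are constructed for illustration, and `base64 -d` is assumed to be available.

```shell
#!/bin/sh
# Added example: tell a KSK from a ZSK by the DNSKEY flags field and confirm
# that the key tag in a BIND key filename matches the record inside the file.

# key_role FLAGS: 257 is the KSK and 256 the ZSK, as described above.
key_role() {
    case "$1" in
        257) echo KSK ;;
        256) echo ZSK ;;
        *)   echo unknown ;;
    esac
}

# key_tag FLAGS PROTOCOL ALGORITHM BASE64KEY
# Checksum from RFC 4034 Appendix B over the DNSKEY RDATA: two flag bytes,
# protocol, algorithm, then the decoded public key. Bytes at even offsets
# count as the high byte of a 16-bit word. (Algorithm 1 uses a different rule.)
key_tag() {
    printf '%s' "$4" | base64 -d | od -An -v -tu1 |
    awk -v hdr="$(( $1 + $2 * 256 + $3 ))" '
        { for (i = 1; i <= NF; i++) { sum += (n % 2 == 0) ? $i * 256 : $i; n++ } }
        END { ac = hdr + sum; ac += int(ac / 65536) % 65536; print ac % 65536 }'
}

# describe_key FILE: print "<role> alg=<n> tag=<nnnnn>" and fail if the tag in
# the filename (K<zone>+<alg>+<tag>.key) differs from the computed one.
# Assumes the single-line record format written by dnssec-keygen.
describe_key() {
    file=$1
    set -- $(awk '!/^;/ {
        for (i = 1; i <= NF; i++) if ($i == "DNSKEY") {
            key = ""
            for (j = i + 4; j <= NF; j++) key = key $j
            print $(i + 1), $(i + 2), $(i + 3), key
            exit
        }
    }' "$file")
    [ $# -eq 4 ] || { echo "$file: no DNSKEY record found" >&2; return 2; }
    tag=$(printf '%05d' "$(key_tag "$1" "$2" "$3" "$4")")
    name_tag=${file##*+}
    name_tag=${name_tag%.key}
    echo "$(key_role "$1") alg=$3 tag=$tag"
    [ "$tag" = "$name_tag" ]
}

# Demo on constructed key files (tiny fake keys, not usable for signing).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'example.test. IN DNSKEY 257 3 3 AQID\n' > "$dir/Kexample.test.+003+02054.key"
    printf 'example.test. IN DNSKEY 256 3 3 BAUG\n' > "$dir/Kexample.test.+003+03592.key"
    for f in "$dir"/K*.key; do
        describe_key "$f" || echo "MISMATCH: $f"
    done
    rm -rf "$dir"
}
demo
```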
Now that we have generated the ZSK and KSK public/private key pairs, we need to add the public keys to the zone file. While the contents of the .key files can simply be copied and pasted into the zone file, it is easier and more efficient to use the $include directive like so:
$include /etc/bind/Kdyn-dnssec.com.+003+38267.key ; ZSK
$include /etc/bind/Kdyn-dnssec.com.+003+23459.key ; KSK
Remember to include the .key extension on the filenames, and leave a linefeed at the end of your zone.
Creating a DNSSEC-signed zone file is fairly straightforward, thanks to the wonderfully helpful dnssec-signzone tool. Its usage is:
dnssec-signzone [-p] [-t] -k KSK [-o domainname] zonefile ZSK
It's finally time to sign our dyn-dnssec.com zone:
dnssec-signzone -p -t -k Kdyn-dnssec.com.+003+23459 -o dyn-dnssec.com db.dyn-dnssec.com Kdyn-dnssec.com.+003+38267
db.dyn-dnssec.com.signed
Signatures generated: 18
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Runtime in seconds: 0.012
Signatures per second: 1388.460
The zone has now been successfully signed, and a copy placed in db.dyn-dnssec.com.signed. You can see a copy of the signed zone file here.
Now that you have signed the zone, update named.conf to use the new zone file (generally ending in .signed):
zone "dyn-dnssec.com" {
type master;
file "/etc/bind/db.dyn-dnssec.com.signed";
};
Under the options directive (usually in named.conf.options), add the line dnssec-enable yes;:
options {
...
dnssec-enable yes;
...
};
This step is easy to overlook, but it is crucial to getting the expected results. Assuming all went well, your zone is now authenticated with DNSSEC.
To test your domain's DNSSEC implementation, you need to manually add the KSK to the trusted-keys section of your recursive resolver's named.conf.options. (If you use the same server to provide both authoritative and recursive DNS, note that you cannot use it to test its own DNSSEC validity; you will need to use a different server to perform testing.)
For our dyn-dnssec.com domain, we added the following line:
trusted-keys {
"dnssec.comcast.net." 257 3 5 "AwEAAb0fuiKVx3g8u5B00g76jwpdVRkMXhZ+C9ht5j//wadY+ZRbhnXm
PlXP4FpHzQsq+RSpGkEXlh9qz1FgXiDGskn+Ar5xJ0cuTrAV+KpoCzGk
kCOuPYRK2kxiHYj/yCC6O6FKzv8RUt3lNDee79V69LVAobtK8T0x97pR
snUqYe8St+TrayqSbCtZNayKr8UwKt8DPR3qprHLQt19SCmkBd2wlRiZ
8Mea1gudtH9Xgr1QgpnlJmvuRGCPKZNMNPbvvzK+MPlx3aPfsb+Uby3E
8xuL1pw4VUdZy+KtbYItWT9+PJ1Ao31Q0WlgudYLelO0RyOZcj6DdabL
fWk0flcsim4BOAJQtmD3uQ+q5n7rIIqe24hNd0nR884eq/Q10nzUV1m1
q/605h1C3BcmlccBpi8k0VaTLrry2oMAwvLKq1+7KW01HHEnNYiDyYwC
O3XfNTP6P4ycqgIztdH7eU+Dxs//ZUOK0+9FLTut/34RUpUgW13e3sy2
ISsHTUrdi2riBqmDyqSJu5YHCCcB6sVEyZTD+CwMWhKKnGQjkNvDdm5S
d6kLMi7fsE0f3XukrEw6HZw5EoWJe5EIJnZDkWhXhgyCehjuFjmdsa4o
iT/LZR8CgBh3hMyv10x/RW/V/t3B196doSkAeth3bm+t5m+nn+/Aa3GY
vaxPj7pDRnsyrHXl";
};
Restart your recursive resolver to ensure the changes take effect.
It's time to test your domain's DNSSEC to ensure the data authenticates properly. Use dig to perform the following query:
dig dyn-dnssec.com +dnssec @localhost
; <<>> DiG 9.5.0-P2 <<>> dyn-dnssec.com +dnssec @localhost
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64609
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dyn-dnssec.com. IN A
;; ANSWER SECTION:
dyn-dnssec.com. 1485 IN A 216.146.46.9
dyn-dnssec.com. 1485 IN RRSIG A 3 2 3600 20090203015811 20090104015811 38267 dyn-dnssec.com. BMZkhET13VyZJpMgnmjDarNNmemybXP6t3t01k9xq43fr3OQDk3T9Bc=
;; AUTHORITY SECTION:
dyn-dnssec.com. 170685 IN NS ns1.dyn-dnssec.com.
dyn-dnssec.com. 170685 IN NS ns2.dyn-dnssec.com.
dyn-dnssec.com. 84285 IN RRSIG NS 3 2 86400 20090203015811 20090104015811 38267 dyn-dnssec.com. BL7Qz+C+rU2MmPCd450ZQ1P01xF+V3B+c+5b9+obs1AMwziPJqIRbkU=
;; ADDITIONAL SECTION:
ns1.dyn-dnssec.com. 170685 IN A 216.146.46.9
ns2.dyn-dnssec.com. 170685 IN A 216.146.46.9
ns1.dyn-dnssec.com. 84285 IN RRSIG A 3 3 86400 20090203015811 20090104015811 38267 dyn-dnssec.com. BKuCSJBryfdh+D5xHo7/oVUTcfoovaev10uOzvJ8UDAKLGLWmruhkRI=
ns2.dyn-dnssec.com. 84285 IN RRSIG A 3 3 86400 20090203015811 20090104015811 38267 dyn-dnssec.com. BKgj+WK6AbWRXpEdf18WJNMTb49sG358RQgLULgAeK9M+mGY63Ba05I=
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jan 4 03:44:42 2009
;; MSG SIZE rcvd: 475
As mentioned earlier, the new RRSIG records are used for digitally signing the records for both authentication and integrity-checking purposes. (Note that these records will appear if you use the +dnssec option, regardless of whether or not the response validates correctly.)
From all this new information, what you're really looking for are the following two letters:
flags: qr rd ra ad;
The "ad" flag, or Authenticated Data, indicates that the signatures validated correctly. You are now assured that the response you have received is honestly and truly from the official source. Congratulations! Your zone is now using DNSSEC! When DNSSEC is fully deployed for your domain's TLD, you will already be familiar with the implementation process and how it works.
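The same check can be scripted. The following is an added example, not part of the original tutorial: it reads dig +dnssec output, succeeds only when the ad flag is present in the header, and classifies each RRSIG against its expiration and inception timestamps (the ninth and tenth fields of the RRSIG lines above). The sample input is an abbreviated copy of the response shown above; the function names and the comparison timestamps are assumptions made for the example.

```shell
#!/bin/sh
# Added example: automate the checks made by eye on a `dig +dnssec` response.

# Abbreviated copy of the dyn-dnssec.com response shown above.
sample_response() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64609
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
dyn-dnssec.com. 1485 IN A 216.146.46.9
dyn-dnssec.com. 1485 IN RRSIG A 3 2 3600 20090203015811 20090104015811 38267 dyn-dnssec.com. BMZkhET13VyZJpMgnmjDarNNmemybXP6t3t01k9xq43fr3OQDk3T9Bc=
EOF
}

# header_flags: print the flag list from the dig header, e.g. "qr rd ra ad".
# Only the ";; flags:" header line matches; the EDNS "flags: do" line does not.
header_flags() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1
}

# is_authenticated: succeed only if the resolver set the ad flag.
# The presence of RRSIG records alone proves nothing, as noted above.
is_authenticated() {
    case " $(header_flags) " in
        *" ad "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# rrsig_status NOW: for each RRSIG line print
#   <owner> <type covered> <key tag> <valid|expired|not-yet-valid>
# NOW is a UTC timestamp in the RRSIG format YYYYMMDDHHMMSS.
rrsig_status() {
    awk -v now="$1" '$4 == "RRSIG" {
        expires = $9 + 0
        incept = $10 + 0
        if (now + 0 > expires)     state = "expired"
        else if (now + 0 < incept) state = "not-yet-valid"
        else                       state = "valid"
        print $1, $5, $11, state
    }'
}

# Demo on the sample; real `dig +dnssec` output can be piped into the same
# functions. The timestamp is a constructed value inside the signature window.
if sample_response | is_authenticated; then
    echo "ad flag set"
else
    echo "ad flag missing"
fi
sample_response | rrsig_status 20090120000000
```

In routine use the timestamp would come from `date -u +%Y%m%d%H%M%S`, and an expired result means the zone has to be signed again.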
Now that you have signed the root of your domain, you may wish to sign its child zones. This step is only necessary if you have separate zones for subdomains; a third-level CNAME for www.your-domain.com is already signed with RRSIG records because it exists in the newly-signed your-domain.com zone itself.
Signing child zones is a simple process, and helps further demonstrate the purpose of the KSK.
If you have followed the instructions above and checked the validity of your domain's DNSSEC, this step has been completed. You will need both the .key and .private files for the ZSK and KSK you used to sign the root zone in order to sign the child zone.
Just like signing the parent, you will need to generate a ZSK and KSK for the child zone, using the exact same commands:
dnssec-keygen -a DSA -b 768 -n ZONE child.dyn-dnssec.com
Kchild.dyn-dnssec.com.+003+59330
dnssec-keygen -a DSA -b 768 -n ZONE -f KSK child.dyn-dnssec.com
Kchild.dyn-dnssec.com.+003+26077
Again, following the same process for the parent, add the public keys for the child zone to its zone file:
$include Kchild.dyn-dnssec.com.+003+59330.key ; ZSK
$include Kchild.dyn-dnssec.com.+003+26077.key ; KSK
It's time to sign the zone again; instead of using the child's keys with dnssec-signzone, however, we will be using the parent keys again. We will also be using the -g switch, which generates DS RRs (Delegation Signer resource records) that will link the child to the chain of trust originating at the parent.
dnssec-signzone -p -t -g -k Kdyn-dnssec.com.+003+23459.key -o child.dyn-dnssec.com db.child Kdyn-dnssec.com.+003+38267.key
db.child.signed
Signatures generated: 9
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Runtime in seconds: 0.008
Signatures per second: 1093.028
The -g flag generates a DS RR file, usually named dsset-domainname, which needs to be included in the parent zone file just like the ZSK and KSK files:
$include dsset-child.dyn-dnssec.com. ; DS RR for goodzone.dyn-dnssec.com
Don't forget to increment the zone serial! The parent zone also needs to be signed again, as we have added a new record:
dnssec-signzone -p -t -k Kdyn-dnssec.com.+003+23459.key -o dyn-dnssec.com db.dyn-dnssec.com Kdyn-dnssec.com.+003+38267.key
db.dyn-dnssec.com.signed
Signatures generated: 23
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Runtime in seconds: 0.016
Signatures per second: 1403.637
Once more, restart BIND to ensure the changes take effect.
It's time to check our handiwork. Since we have already added the parent domain's public key to our trusted-key file, we don't need to make any changes for the child. Here is the result of the dig query:
dig child.dyn-dnssec.com +dnssec @localhost
; <<>> DiG 9.5.0-P2 <<>> child.dyn-dnssec.com +dnssec @localhost
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35524
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;child.dyn-dnssec.com. IN A
;; ANSWER SECTION:
child.dyn-dnssec.com. 3298 IN A 216.146.46.9
child.dyn-dnssec.com. 3298 IN RRSIG A 3 3 3600 20090206021220 20090107021220 38267 dyn-dnssec.com. BJ40/SRxUPEW/JMo2vTj8FO0QuoUcbQwfCJWbt6HB2hI+/q+kvWrEWQ=
;; AUTHORITY SECTION:
child.dyn-dnssec.com. 86098 IN NS ns2.dyn-dnssec.com.
child.dyn-dnssec.com. 86098 IN NS ns1.dyn-dnssec.com.
child.dyn-dnssec.com. 86098 IN RRSIG NS 3 3 86400 20090206021220 20090107021220 38267 dyn-dnssec.com. BJQ/4loLFACzu9EHSxjgK4kimUKsQN7+2C76jLa98ZbOTFedSFQdbg8=
;; ADDITIONAL SECTION:
ns1.dyn-dnssec.com. 172421 IN A 216.146.46.9
ns2.dyn-dnssec.com. 172421 IN A 216.146.46.9
ns1.dyn-dnssec.com. 86098 IN RRSIG A 3 3 86400 20090206022046 20090107022046 38267 dyn-dnssec.com. BCnRQX7nSwRWlVJmDs4L7/iV8NJGwDpQJiWyaoUPDBh++FbhaBWFfMo=
ns2.dyn-dnssec.com. 86098 IN RRSIG A 3 3 86400 20090206022046 20090107022046 38267 dyn-dnssec.com. BAu4EKrtErfzVOuhVdvCLPeTcKAhs+4Oii9Zmf5/Dokqmv8x4gWo1p8=
;; Query time: 0 msec
;; SERVER: 2607:f590:0:ffff::71#53(2607:f590:0:ffff::71)
;; WHEN: Wed Jan 7 03:29:07 2009
;; MSG SIZE rcvd: 481
Once again, we see the "ad" flag present in the result, indicating that this zone has been properly authenticated.
$TTL 24h ; default TTL
$ORIGIN dyn-dnssec.com. ; domain
; SOA
@ 86400 IN SOA ns1.dyn-dnssec.com. hostmaster.dyn-dnssec.com. (
        2009010303 ; serial
        3h ; refresh
        15m ; update retry
        3w ; expiry
        2h ; minimum
        )
        IN NS ns1.dyn-dnssec.com.
        IN NS ns2.dyn-dnssec.com.
        3600 IN A 216.146.46.9
        3600 IN AAAA 2607:f590:0:ffff::14
        43200 IN MX 10 mx1.mailhop.org.
        43200 IN MX 20 mx2.mailhop.org.
        IN TXT "v=spf1 include:outbound.mailhop.org -all"
        IN TXT "This is a test domain demonstrating DNSSEC."
www IN CNAME dyn-dnssec.com.
ns1 IN A 216.146.46.9
ns2 IN A 216.146.46.9
recursive IN A 216.146.47.55
recursive IN AAAA 2607:f590:0:ffff::71
$include dsset-child.dyn-dnssec.com. ; DS RR
$include Kdyn-dnssec.com.+003+38267.key ; ZSK
$include Kdyn-dnssec.com.+003+23459.key ; KSK
$ORIGIN child.dyn-dnssec.com.
@ IN NS ns1.dyn-dnssec.com.
        IN NS ns2.dyn-dnssec.com.
$TTL 24h
$ORIGIN child.dyn-dnssec.com.
@ 86400 IN SOA ns1.dyn-dnssec.com. hostmaster.dyn-dnssec.com. (
        2009010601 ; serial
        3h ; refresh
        15m ; update retry
        3w ; expiry
        2h ; minimum
        )
        IN NS ns1.dyn-dnssec.com.
        IN NS ns2.dyn-dnssec.com.
        3600 IN A 1.2.3.4
        3600 IN AAAA 2607:f590:0:ffff::71
        43200 IN MX 10 mx1.mailhop.org.
        43200 IN MX 20 mx2.mailhop.org.
        43200 IN TXT "This is a child zone of dyn-dnssec.com."
$include Kchild.dyn-dnssec.com.+003+59330.key ; ZSK
$include Kchild.dyn-dnssec.com.+003+26077.key ; KSK
© 1998-2010 Dynamic Network Services Inc.