One page howto for signing your DNS zone with DNSSEC
----------------------------------------------------

*** ON YOUR MASTER SERVER ***

1. Change to the directory where the zone resides, normally

	First, verify that DNSSEC is enabled in /etc/namedb/named.conf

	dnssec-enable yes;

	Find the definition for your zone ("MYTLD"), and modify it so it looks like
	this:

zone "MYTLD" {
        file "/etc/namedb/master/MYTLD";
        type master;
        allow-transfer { key mydomain-key; };   

        key-directory "/etc/namedb/keys";		// <--- Add this
        auto-dnssec maintain;					// <--- Add this
        update-policy local;					// <--- Add this
        // dnssec-secure-to-insecure yes;		// <--- Add this
};

	Save and exit, and now reconfig the nameserver

	# rndc reconfig

	Create a directory for the keys:

	# mkdir /etc/namedb/keys
	# chown bind /etc/namedb/keys

	Give ownership of the /etc/namedb/master directory so BIND can sign
	your zone and write the file:

	# chown -R bind /etc/namedb/master

	Then go to the keys directory

    # cd /etc/namedb/keys


2. Generate first key pair (Zone Signing Key)

    # dnssec-keygen mytld

	(It will output something like:
	Generating key pair......................+++++ + ....
	Kmytld.+005+43116)

3. Generate second key pair (Key Signing Key)

    # dnssec-keygen -f KSK mytld
    Kmytld.+005+52159

	(once again, some output will show)

4. Let's look at the keys:

    # ls -l Kmytld*
	-rw-r--r--  1 root  wheel   591 Feb 18 15:52 Kmytld.+005+32044.key
	-rw-------  1 root  wheel  1774 Feb 18 15:52 Kmytld.+005+32044.private
	-rw-r--r--  1 root  wheel   417 Feb 18 15:52 Kmytld.+005+64860.key
	-rw-------  1 root  wheel  1010 Feb 18 15:52 Kmytld.+005+64860.private

	Make the keys readable by BIND:

	# chgrp bind *key
	# chmod g+r *key

5. We're ready to sign!

    # rndc sign mytld

	Take a look at the /etc/namedb/log/general log:

	# tail -10 /etc/namedb/log/general

18-Feb-2011 15:57:41.168 set up managed keys zone for view _default, file 'managed-keys.bind'
18-Feb-2011 15:57:41.184 reloading configuration succeeded
18-Feb-2011 15:57:41.193 any newly configured zones are now loaded
18-Feb-2011 15:57:43.666 received control channel command 'sign mytlf'
18-Feb-2011 15:57:43.668 zone mytlf/IN: reconfiguring zone keys
18-Feb-2011 15:57:43.693 zone mytlf/IN: next key event: 19-Feb-2011 03:57:43.693

6. Take a look at the signed zone:

	# cd /etc/namedb/master
	# ls -l mytld*

	Notice the ".jnl" file:

	-rw-r--r--  1 bind  wheel   535 Feb 18 14:22 mytld
	-rw-r--r--  1 bind  wheel  3473 Feb 18 15:57 mytld.jnl

	The zone is now DYNAMICALLY managed by bind.

	If you want to make changes, you either need to:

	a) freeze the zone, edit, thaw:
	
		# rndc freeze mytld
		# vi ...   // remember the serial!
		# rndc thaw mytld

	b) use nsupdate

		# nsupdate -l
		> update add mail.mytld. 300 A 1.2.3.4
		> send
		> quit

	# tail -10 /etc/namedb/log/general

18-Feb-2011 16:07:00.374 client 127.0.0.1#57195: updating zone 'mytld/IN': adding an RR at 'mail.phil' A


Now we need to include the DS in the parent zone!

	(DS = digest fingerprint of the Key Signing Key).

7. Generate a "DS" from your key:

	Find which key is the key signing key:

	# cd /etc/namedb/keys
	# more Kmytld*
	
	Look at which one has "IN DNSKEY 257".

	# dnssec-dsfromkey Kmytld.+005+32044 >dsset-mytld.

	REMEMBER the dot!
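As an added example (not part of the lab text), this is what dnssec-dsfromkey computes from the key that has "IN DNSKEY 257": the RFC 4034 key tag and the SHA-256 DS digest over the owner name and DNSKEY RDATA. The DNSKEY lines and key material below are constructed placeholders, not real RSA keys.

```python
# Added example (not from the lab text): what dnssec-dsfromkey does for the
# "IN DNSKEY 257" key. Standard library only; sample keys are constructed, not real.
import base64
import hashlib

# Constructed DNSKEY lines in the shape "more Kmytld*" prints: 256 = ZSK, 257 = KSK.
SAMPLE_DNSKEYS = [
    "mytld. IN DNSKEY 256 3 5 AQAB",
    "mytld. IN DNSKEY 257 3 5 AQID",
]

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, e.g. b'\\x05mytld\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B) over the DNSKEY RDATA; valid for alg != 1."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line: str):
    """Split 'owner [TTL] [IN] DNSKEY flags proto alg key...' into (owner, flags, alg, rdata)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    pubkey = base64.b64decode("".join(f[i + 4:]))
    return f[0], flags, alg, flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey

def find_ksk(lines) -> str:
    """Pick the KSK: the one DNSKEY with the SEP bit set (flags 257)."""
    ksks = [l for l in lines if parse_dnskey(l)[1] == 257]
    if len(ksks) != 1:
        raise ValueError(f"expected exactly one KSK, found {len(ksks)}")
    return ksks[0]

def ds_record(line: str) -> str:
    """DS (digest type 2) = SHA-256(owner name wire form || DNSKEY RDATA) of the KSK."""
    owner, flags, alg, rdata = parse_dnskey(line)
    if flags != 257:
        raise ValueError("DS must be derived from the KSK, not the ZSK")
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"

if __name__ == "__main__":
    print(ds_record(find_ksk(SAMPLE_DNSKEYS)))  # the line that goes into dsset-mytld.
```

Compare the key tag it prints with the number in the KSK's file name (the +32044 part) to confirm you derived the DS from the right key.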

8. Upload the dsset for your zone (containing the digest of your Key Signing Key) to the AUTH:

	# scp dsset-mytld. adm@rootserv.ws.nsrc.org:

	The password is 'nsrcws'

9. Tell the instructor you have done so!

	The instructor will include the DS-set in the root and re-sign the zone.

*** ON THE RESOLVER (performed by the instructor) ***


10. Grab the root key

	NOTE: This is only for the purpose of this lab - on the Internet,
	you would simply use "unbound-anchor" to download the real root.key,
	set "auto-trust-anchor-file:" in unbound.conf, and let unbound update
	the key when necessary.

	In this lab:

	# scp adm@10.10.0.203:root.key  /usr/local/etc/unbound/root.key

	Edit the /usr/local/etc/unbound/unbound.conf file:

	Find the "trust-anchor-file:" line, and change it from:

	# trust-anchor-file: ""

	to

	trust-anchor-file: "/usr/local/etc/unbound/root.key"

11. Reload the nameserver

	# /usr/local/etc/rc.d/unbound restart

12. Query the signed zone through the validating resolver:

	# dig @localhost +dnssec mytld. SOA

	What do you notice?
