- Install tinydns-sign and patched tinydns/axfrdns.
- Generate key(s). See the tinydns-sign
manpage for details.
It is common practice to have a "Key signing key" (KSK, with flags=257) and a "Zone signing key" (ZSK, with flags=256). The KSK is used only for signing the DNSKEY RRs, the ZSK is used for signing the rest. The KSK is more difficult to change because it is used in the delegating domain's referral, therefore it usually has more bits. The ZSK is used for signing all the other records, and is therefore usually shorter and changed more frequently.
You should keep the keys in a safe place (outside the tinydns ROOT), e. g. in a directory "keys" located above the ROOT.
- Add the K pseudo records from the key files to your tinydns-data file. Also, add a P pseudo record for each signed zone.
- Adapt the Makefile to pipe your data file through tinydns-sign
before running tinydns-data, e. g.
data.cdb: data update tinydns-sign ../keys/* <data >data.tmp mv data.tmp data tinydns-data rm -f update update: touch update
- Run make.
- Set up a cronjob to periodically re-sign your data file before the signatures expire.
- Test! For example:
- Read RFC-6781 to get a
feeling for what is explicitly not called
"Best Current Practices". :-)
In particular, think about key lifetime and how to do a key rollover.
- Sacrifice a few small ani^H^H^Htofus to a deity of your choice. Get yourself a drink for really tough guys, like prune juice.
- If you feel brave, contact your upstream delegator to publish DS records
for your zone.
Note that this is a really good way to cut yourself off from the rest of the internet. You've been warned, so don't blame me.