I wrote a Makefile to take care of all the annoying work for me.
You should look at OpenDNSSEC, an industrial-strength system that manages Key and Signing Policies (KASP) and key lifetimes. It uses PKCS#11 modules for key storage, which means you can read my doc on using a TPM as an HSM, or just use SoftHSM.
Generate a KSK (Key Signing Key). This is a key you keep secure, locked in a box somewhere, preferably offline.
# -K is the directory the key files are written to (dnssec-keygen's lower-case -k
# is a different, deprecated flag); -f KSK sets the KSK flag bit on the DNSKEY
/usr/sbin/dnssec-keygen \
-a RSASHA256 \
-b 2048 \
-f KSK \
-n ZONE \
-K ${key_directory} \
${ZONE_ORIGIN}
Also create a ZSK (Zone Signing Key). This is the key you actually sign the zone with; it is itself signed by the KSK. This key should be rotated more often, and so can be shorter (which also keeps the DNS packets smaller).
# same as above, without -f KSK, so this key gets only the ZSK flag
/usr/sbin/dnssec-keygen \
-a RSASHA256 \
-b 1024 \
-n ZONE \
-K ${key_directory} \
${ZONE_ORIGIN}
Now that you have your keys, sign the zone:
# -a verifies the generated signatures, -N unixtime sets the SOA serial to the
# current time, -S (smart signing) picks the keys to use from ${key_directory},
# and -d is where the dsset file for the parent zone is written
/usr/sbin/dnssec-signzone \
-a \
-N unixtime \
-K ${key_directory} \
-d ${dskeys_directory} \
-o ${ZONE_ORIGIN} \
-S \
${ZONE_FILE}
You should end up with a file called ${ZONE_FILE}.signed. Configure bind to use this file instead of the original, then run sudo /usr/sbin/rndc reload.
Wait until your signed zone has propagated to all your nameservers, then verify with dig +dnssec @ns1.${ZONE_ORIGIN} ${ZONE_ORIGIN} soa or equivalent.
Take the data from ${dskeys_directory}/dskey-${ZONE_ORIGIN}. and give it to your parent zone for them to include.
IMPORTANT: Remember to re-sign your zones frequently (e.g. from cron, daily). The RRSIG records contain an expiry time for the signature (in the format YYYYMMDDhhmmss, so it's easy to see). Don't let it expire. I have
make -B -C /etc/bind
in an executable file in /etc/cron.daily.
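To catch the expiry problem before it bites, here is an added check script (not from the original post) that reads a signed zone file, finds the earliest RRSIG expiry, and fails when fewer than a given number of days remain. It assumes GNU date (for -d) and a POSIX awk; the zone text in it is constructed for illustration and is not a real signed zone.

```shell
#!/bin/sh
# Report the earliest RRSIG expiry in a signed zone so a cron job can warn before
# signatures lapse. Assumes GNU date (-d) and POSIX awk. Constructed sample zone:
SAMPLE_ZONE='example.test.  3600 IN SOA ns1.example.test. hostmaster.example.test. 2024011001 7200 3600 1209600 3600
example.test.  3600 IN RRSIG SOA 8 2 3600 (
                        20240120120000 20231221120000 12345 example.test.
                        Tm90QVJlYWxTaWduYXR1cmU= )
example.test.  3600 IN NS ns1.example.test.
example.test.  3600 IN RRSIG NS 8 2 3600 20240115120000 20231216120000 12345 example.test. QWxzb05vdFJlYWw=
example.test.  3600 IN NSEC ns1.example.test. NS SOA RRSIG NSEC DNSKEY'

# rrsig_min_expiry FILE: print the earliest RRSIG expiry as YYYYMMDDhhmmss.
rrsig_min_expiry() {
    awk '
    { sub(/;.*/, ""); buf = buf " " $0 }   # drop comments, accumulate tokens
    /\(/ { open = 1 }                      # dnssec-signzone wraps RRSIGs in ( ... )
    /\)/ { open = 0 }
    open { next }                          # keep reading until the record closes
    {
        n = split(buf, f, /[ \t()]+/); buf = ""
        for (i = 1; i <= n; i++) {
            # a genuine RRSIG has its 14-digit expiry 5 tokens after the type;
            # the word RRSIG inside an NSEC type bitmap does not
            if (f[i] == "RRSIG" && length(f[i+5]) == 14 && f[i+5] ~ /^[0-9]+$/) {
                if (min == "" || f[i+5] < min) min = f[i+5]
                break
            }
        }
    }
    END { if (min != "") print min }' "$1"
}
# seconds_until_expiry FILE [NOW_EPOCH]: seconds of validity left (negative = expired).
seconds_until_expiry() {
    ts=$(rrsig_min_expiry "$1")
    [ -n "$ts" ] || { echo "no RRSIG records in $1" >&2; return 1; }
    iso=$(printf '%s\n' "$ts" | sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)$/\1-\2-\3 \4:\5:\6/')
    now=${2:-$(date -u +%s)}
    echo $(( $(date -u -d "$iso UTC" +%s) - now ))
}
# rrsig_check FILE DAYS [NOW_EPOCH]: exit 0 only if more than DAYS of validity remain.
rrsig_check() {
    left=$(seconds_until_expiry "$1" "$3") || return 1
    if [ "$left" -gt $(( $2 * 86400 )) ]; then
        echo "ok: earliest RRSIG expires in $((left / 86400)) days"; return 0
    fi
    echo "WARNING: earliest RRSIG expires in $((left / 86400)) days, re-sign now" >&2; return 1
}
# usage with a fixed "now" of 2024-01-10 12:00 UTC so the sample result is stable
ZONE_TMP=$(mktemp); printf '%s\n' "$SAMPLE_ZONE" > "$ZONE_TMP"
rrsig_check "$ZONE_TMP" 3 1704888000
```

In the daily cron job, run rrsig_check against ${ZONE_FILE}.signed (with the real current time, i.e. no third argument) and alert on a non-zero exit, in addition to re-signing.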
You're now done.
You can put SSHFP records in your zone to extend the chain of trust all the way to your SSH server.
DANE would also be cool, but AFAIK no browsers currently support it. Boo.