Notes on switching a zone to its DNSSEC-signed version
------------------------------------------------------

($Id: DLV-NOTES,v 1.2 2010/10/15 13:41:35 wytze Exp $)

1. Edit /etc/nsd/nsd.conf and change the zonefile for the zone
   from "unsigned/cacert.xxx" to "signed/cacert.xxx". The signed file
   is the one written by OpenDNSSEC; the unsigned file remains the one
   we edit by hand.

2. Load the signed zone file into the name server:

     sudo service nsd rebuild
     sudo service nsd reload

3. Add the DNSKEY for the zone to dlv.isc.org via their web interface
   (you need to set up a free account for this). The required DNSKEY
   record, i.e. the KSK that is waiting for its DS to be published
   (key state "ready"), can be obtained with:

     sudo ods-ksmutil key export --zone cacert.xxx --keystate=ready

   Adding --ds to the same command prints the matching DS record
   instead; its first RDATA field is the key tag needed in step 8.

4. dlv.isc.org will instruct you to add a DLV validation TXT record to
   the zone. Do this in /etc/nsd/unsigned/cacert.xxx (not in the signed
   file, which OpenDNSSEC regenerates and would overwrite) and don't
   forget to bump the serial in the SOA record, otherwise the change
   is not picked up.

5. Force a re-sign of the cacert.xxx zone with:

     sudo ods-signer sign cacert.xxx

   OpenDNSSEC will take care of propagating the updated zone file to nsd.

6. Go back to the dlv.isc.org web interface and force a re-verification,
   which should succeed now.

7. The DLV records for cacert.xxx can now be inspected with:

     dig cacert.xxx.dlv.isc.org any

   Check that the key tag and algorithm in the DLV record match the
   KSK exported in step 3.

8. Tell OpenDNSSEC that the DS record is published by dlv.isc.org, so
   that the KSK can move from "ready" to "active":

     sudo ods-ksmutil key ds-seen --zone cacert.xxx --keytag XXXXX

   XXXXX is the key tag of that KSK.

9. For completeness, verify that all our secondary name servers are
   carrying the current information, by checking the output of:

     host -C cacert.xxx

   This queries every listed name server for the SOA; all serials
   should be identical and equal to the one just published.

NB: "xxx" can be "com", "org" or "net" in the above.

NB: DLV was only a stop-gap until the parent TLDs accepted DS records;
ISC retired the dlv.isc.org registry in 2017. Once the registrar for a
zone accepts DS records, publish the DS there instead and run the same
"key ds-seen" step afterwards.
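Added example (not part of the original notes, nor of OpenDNSSEC or nsd): a small Python check that recomputes the key tag from the DNSKEY record exported in step 3 (RFC 4034 Appendix B) and the SHA-256 DS record a registry should publish for it (RFC 4034 section 5.1.4), so the --keytag given in step 8 and the record seen in step 7 can be cross-checked offline. The DNSKEY it uses is a constructed, deliberately tiny key so the arithmetic can be verified by hand; paste the real export in its place.

```python
"""Key tag and DS record for an exported DNSKEY (RFC 4034 App. B / 5.1.4).

Added example, not part of the CAcert notes.  SAMPLE_DNSKEY is a
constructed record with a four-byte "key" so the key tag (2063) can be
checked by hand; a real KSK has a key field of hundreds of base64 chars.
"""
import base64
import hashlib
import struct


def parse_dnskey(rr):
    """Split a presentation-format DNSKEY RR into its parts.

    Accepts what ods-ksmutil / dig print, e.g.
    'cacert.org. 3600 IN DNSKEY 257 3 8 AQIDBA=='; TTL and class are
    optional, and the base64 key may be split over several fields.
    """
    fields = rr.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    if proto != 3:
        raise ValueError(f"DNSKEY protocol must be 3, got {proto}")
    if not flags & 0x100:
        raise ValueError("flags lack the Zone Key bit; not a zone key")
    return owner, flags, proto, alg, key


def dnskey_rdata(flags, proto, alg, key):
    """Wire-format RDATA: flags (2 bytes), protocol, algorithm, key bytes."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.

    Even-offset bytes weigh 256, odd-offset bytes weigh 1; the carry
    above 16 bits is folded back in once.  (Algorithm 1 has a different
    rule and is not handled here; it is obsolete anyway.)
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name):
    """Canonical wire form: lower-case, length-prefixed labels, root byte."""
    name = name.lower().rstrip(".")
    out = b""
    for label in (name.split(".") if name else []):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(rr):
    """Return (DS RR text with digest type 2 = SHA-256, key tag)."""
    owner, flags, proto, alg, key = parse_dnskey(rr)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    tag = key_tag(rdata)
    return f"{owner} IN DS {tag} {alg} 2 {digest}", tag


# Constructed input, not a real key: KSK flags=257 (Zone Key + SEP),
# protocol 3, algorithm 8 (RSASHA256), key bytes 01 02 03 04.
SAMPLE_DNSKEY = "cacert.org. 3600 IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    ds, tag = ds_record(SAMPLE_DNSKEY)
    print("key tag for 'ods-ksmutil key ds-seen --keytag':", tag)
    print(ds)
```

Run it with the real output of "ods-ksmutil key export --keystate=ready" in place of SAMPLE_DNSKEY; the tag it prints must equal the one in the DLV record from step 7 and the one passed to ds-seen in step 8, and the DS line must match what the registry shows (with --ds, ods-ksmutil prints the same DS for comparison).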