[nsd-users] Updating my signed zonefiles

Anand Buddhdev anandb at ripe.net
Mon Jul 8 22:33:26 UTC 2013


On 09/07/2013 00:23, opendaddy at hushmail.com wrote:

>> If you invoke `ldns-keygen` every time you change a zone file, you 
>> are generating NEW keys at each run. I very much doubt you really want 
>> that, as you'd have to submit your DS RRset to the parent zone each time!
> 
> Cool, so say I need to edit /etc/nsd/mydomain.com at
> https://gist.github.com/kakekake89/5945810 -- all I need to do is "nsdc
> rebuild" afterwards and I'm all set?

Not quite. You haven't quite understood zone signing. Here's a summary:

1. You run ldns-keygen ONCE, to generate your ZSK and KSK.

2. You edit your zone, and then run ldns-signzone on it to sign it, and
load it into NSD.

3. Whenever you change your zone, you re-sign it with ldns-signzone, and
*then* run "nsdc rebuild".

-- 
Anand
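The three steps above, turned into a small re-sign wrapper as an added example (this is not code from the thread or from the NSD or ldns projects). It generates the ZSK and KSK only when no key files for the zone exist yet, and every later run only re-signs the edited zone and rebuilds NSD. The paths, the key algorithm and size, and the `DRY_RUN` switch are assumptions; `ldns-keygen -a/-b/-k`, `ldns-signzone -o` and `nsdc rebuild`/`nsdc reload` are the real tool options.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): wrapper around
#   1. ldns-keygen once, 2./3. ldns-signzone + nsdc rebuild on every edit.
# Assumed layout: unsigned zone in $ZONEFILE, key files in $KEYDIR.
set -u

ZONE="${ZONE:-mydomain.com}"
ZONEFILE="${ZONEFILE:-/etc/nsd/$ZONE}"   # hand-edited, unsigned zone (assumed path)
KEYDIR="${KEYDIR:-/etc/nsd/keys}"        # holds K<zone>.+<alg>+<id>.{key,private,ds}
ALGO="${ALGO:-RSASHA256}"                # assumed algorithm choice
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print commands instead of running them

# Run a command, or in dry-run mode print it on one line.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# True if at least one private key for the zone already exists.
have_keys() {
    set -- "$KEYDIR"/K"$ZONE".+*.private
    [ -e "$1" ]
}

# Step 1: generate the ZSK and KSK exactly once. Re-running this after every
# zone edit would mint new keys and force a new DS submission to the parent.
# ldns-keygen writes the key files into the current directory; -k marks the KSK.
ensure_keys() {
    if have_keys; then
        echo "keys for $ZONE already exist in $KEYDIR; not generating new ones" >&2
        return 0
    fi
    run mkdir -p "$KEYDIR"
    ( cd "$KEYDIR" && run ldns-keygen -a "$ALGO" -b 2048 "$ZONE" )     # ZSK
    ( cd "$KEYDIR" && run ldns-keygen -a "$ALGO" -b 2048 -k "$ZONE" )  # KSK
    echo "new KSK generated: submit its .ds record from $KEYDIR to the parent zone" >&2
}

# Steps 2 and 3: re-sign with every key in KEYDIR, then rebuild and reload NSD.
# ldns-signzone takes key basenames (without .private) and writes
# $ZONEFILE.signed, which is the file nsd.conf should point at.
resign_zone() {
    keys=""
    for priv in "$KEYDIR"/K"$ZONE".+*.private; do
        [ -e "$priv" ] || { echo "no keys for $ZONE in $KEYDIR; run ensure_keys first" >&2; return 1; }
        keys="$keys ${priv%.private}"
    done
    # word splitting of $keys is intended: one argument per key basename
    run ldns-signzone -o "$ZONE" "$ZONEFILE" $keys
    run nsdc rebuild
    run nsdc reload
}

# Typical use after editing $ZONEFILE:
#   ensure_keys && resign_zone
```

Running the script with `DRY_RUN=1` shows the exact command sequence without touching keys or the NSD database, which is a convenient way to confirm that a second run no longer calls `ldns-keygen`.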


