[nsd-users] Updating my signed zonefiles
Anand Buddhdev anandb at ripe.net
Mon Jul  8 22:33:26 UTC 2013

On 09/07/2013 00:23, opendaddy at hushmail.com wrote:
>> If you invoke `ldns-keygen` every time you change a zone file, you 
>> are generating NEW keys at each run. I very much doubt you really want 
>> that, as you'd have to submit your DS RRset to the parent zone each time!
> 
> Cool, so say I need to edit /etc/nsd/mydomain.com at
> https://gist.github.com/kakekake89/5945810 -- all I need to do is "nsdc
> rebuild" afterwards and I'm all set?

Not quite. You haven't quite understood zone signing. Here's a summary:

1. You run ldns-keygen ONCE, to generate your ZSK and KSK.

2. You edit your zone, and then run ldns-signzone on it to sign it, and
load it into NSD.

3. Whenever you change your zone, you re-sign it with ldns-signzone, and
*then* run "nsdc rebuild".

-- 
Anand
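
The three steps above as a shell sketch; this is an added example, not part of the original message or of NSD/ldns. The key directory, the RSASHA256/2048-bit key parameters and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: keep ONE ZSK/KSK pair per zone, re-sign on every edit.
# KEYDIR, algorithm and key size are assumptions, not from the thread.
KEYDIR="${KEYDIR:-/etc/nsd/keys}"

# Print the base names (K<zone>.+<alg>+<id>) of keys already on disk.
existing_keys() {
    zone="$1"
    for f in "$KEYDIR"/K"$zone".+*.private; do
        [ -e "$f" ] || continue      # glob matched nothing
        basename "$f" .private
    done
}

# Step 1: generate the ZSK and KSK only if the zone has no keys yet.
# Reusing them keeps the DS RRset at the parent valid.
ensure_keys() {
    zone="$1"
    if [ -n "$(existing_keys "$zone")" ]; then
        return 0
    fi
    mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR" || return 1
    ( cd "$KEYDIR" &&
      ldns-keygen -a RSASHA256 -b 2048 "$zone" >/dev/null &&      # ZSK
      ldns-keygen -k -a RSASHA256 -b 2048 "$zone" >/dev/null )    # KSK
}

# Steps 2 and 3: sign the edited zone with the existing keys, and only
# then rebuild. ldns-signzone writes its output to <zonefile>.signed.
resign_zone() {
    zone="$1"; zonefile="$2"
    ensure_keys "$zone" || return 1
    keys=$(existing_keys "$zone" | sed "s|^|$KEYDIR/|")
    [ -n "$keys" ] || return 1
    # $keys is left unquoted on purpose: one argument per key base name
    # (assumes KEYDIR contains no whitespace).
    ldns-signzone "$zonefile" $keys || return 1
    nsdc rebuild
}

# Usage after each edit: resign_zone mydomain.com /etc/nsd/mydomain.com
```

Because the rebuild only runs after a successful signing, a failed ldns-signzone run never replaces the zone NSD is serving.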
    
    