[nsd-users] NSD and DNSSEC signature refreshing and ZSK rotation

Michael A. Peters mpeters at domblogger.net
Thu Feb 15 12:53:34 UTC 2018

On 02/14/2018 05:02 PM, Jasper Wallace wrote:
> Hi,
> When NSD serves a signed zone will it also re-sign it and rotate ZSK's as
> needed? Or do you have to use e.g. OpenDNSSEC to handle it?

NSD only serves the zone file. The entries in the zone file have to be 
signed and uploaded to your authoritative name server.

Also, even though it is commonly done, you should NOT have your ksk / 
zsk private keys on your authoritative nameserver.

You should have a signing machine that only has an ssh port open that 
signs your zone files before sending them to NSD to be served.

If your signing keys are stolen then DNSSEC does not offer much 
protection, so they should be heavily guarded.

More information about the nsd-users mailing list