[nsd-users] NSD and DNSSEC signature refreshing and ZSK rotation
Michael A. Peters
mpeters at domblogger.net
Thu Feb 15 12:53:34 UTC 2018
On 02/14/2018 05:02 PM, Jasper Wallace wrote:
> When NSD serves a signed zone will it also re-sign it and rotate ZSK's as
> needed? Or do you have to use e.g. OpenDNSSEC to handle it?
NSD only serves the zone file. The entries in the zone file have to be
signed and uploaded to your authoritative name server.
Also, even though it is commonly done, you should NOT have your ksk /
zsk private keys on your authoritative nameserver.
You should have a signing machine that only has an ssh port open that
signs your zone files before sending them to NSD to be served.
If your signing keys are stolen then DNSSEC does not offer much
protection, so they should be heavily guarded.
More information about the nsd-users