How to sign your zones
======================

I wrote a [Makefile](DNSSEC.Makefile) to take care of all the annoying work for
me.


How to do it the Industrial Strength way
----------------------------------------

You should look at [opendnssec](http://www.opendnssec.org), an industrial-strength
system that manages Key and Signing Policies (KASP) and key lifetimes, including
rollovers.  It stores keys through PKCS#11 modules, so you can follow my doc on
using a TPM as an HSM, or just use SoftHSM.


How to do it the hard way
-------------------------

Generate a KSK (Key Signing Key).  This is the key you keep secure, locked in
a box somewhere, preferably offline.  Its DS record is what the parent zone
publishes, so replacing it means another trip to the parent.  `-f KSK` sets
the SEP flag, which is what marks a DNSKEY as a KSK (flags 257 instead of 256),
and `-K` (capital) is the directory the key files are written to.

    /usr/sbin/dnssec-keygen \
        -a RSASHA256        \
        -b 2048             \
        -f KSK              \
        -n ZONE             \
        -K ${key_directory} \
        ${ZONE_ORIGIN}

Also create a ZSK (Zone Signing Key).  This is the key that actually signs the
zone's records; the ZSK itself is signed, as part of the DNSKEY RRset, by the
KSK.  This key should be rotated more often, and since a ZSK rollover never
involves the parent it can be shorter, which keeps signatures, and thus DNS
packets, smaller.  Be aware that 1024-bit RSA is no longer considered adequate:
use 2048 bits, or an elliptic-curve algorithm such as ECDSAP256SHA256
(algorithm 13), which gives small keys and signatures without the weakness.

    /usr/sbin/dnssec-keygen \
        -a RSASHA256        \
        -b 1024             \
        -n ZONE             \
        -K ${key_directory} \
        ${ZONE_ORIGIN}

Now you have your keys, sign the zone.  `-S` (smart signing) picks up every key
in the key directory and decides from the flags which key signs what, `-a`
verifies the signatures it has just produced, `-N unixtime` sets the SOA serial
to the current time so that every re-sign bumps it, and `-d` is where the
`dsset-` file is written:

    /usr/sbin/dnssec-signzone  \
        -a                     \
        -N unixtime            \
        -K ${key_directory}    \
        -d ${dskeys_directory} \
        -o ${ZONE_ORIGIN}      \
        -S                     \
        ${ZONE_FILE}

You should end up with a file called `${ZONE_FILE}.signed`.  Point the zone's
`file` directive in your BIND configuration at this file instead of the
original, then `sudo /usr/sbin/rndc reload`.

Wait until your signed zone has propagated to all your nameservers, and verify
with `dig +dnssec @ns1.${ZONE_ORIGIN} ${ZONE_ORIGIN} soa` or equivalent: the
answer section should now carry an RRSIG record alongside the SOA.

Take the data from `${dskeys_directory}/dsset-${ZONE_ORIGIN}.` (note the
trailing dot in the file name) and give it to your parent zone for them to
include.  Until the parent publishes the DS, validating resolvers treat your
zone as unsigned; once it is published, a broken or expired signature makes
the zone fail validation (SERVFAIL) for them, so do the next step properly.
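Before handing the `dsset-` file to the parent it is worth checking that it really describes the KSK you just generated and not a leftover from an earlier key. The following is an added example, not code from the original page or from BIND: it derives the key tag (RFC 4034 Appendix B) and the DS record (RFC 4034 section 5.1.4, digest type 2 = SHA-256) from a DNSKEY line in `${ZONE_FILE}.signed` and compares them with the `dsset-` file. The DNSKEY lines in it are constructed samples with a 3-byte "public key", not real RSA keys; the arithmetic is identical for real ones.

```python
"""
Added example (not from the original page): derive key tag and DS record from
a KSK's DNSKEY and check the dsset- file dnssec-signzone wrote before handing
it to the parent.  Key tag: RFC 4034 Appendix B.  DS digest: RFC 4034 s5.1.4,
digest = H(canonical owner name | DNSKEY RDATA).
"""
import base64
import hashlib
import struct

SEP_FLAG = 0x0001  # Secure Entry Point bit: set on KSKs (flags 257), clear on ZSKs (256)

# Constructed samples of DNSKEY lines as they appear in ${ZONE_FILE}.signed
# (toy 3-byte "public keys"; a real RSA-2048 key is a few hundred bytes).
SAMPLE_KSK_LINE = "example.com. 3600 IN DNSKEY 257 3 8 AQID ; key id = 2059"
SAMPLE_ZSK_LINE = "example.com. 3600 IN DNSKEY 256 3 8 AQIE"


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str):
    """(owner, flags, protocol, algorithm, pubkey_b64) from a DNSKEY presentation line."""
    tok = line.split(";", 1)[0].split()          # drop the '; key id = ...' comment
    i = tok.index("DNSKEY")                      # TTL and class are optional, so locate by type
    flags, proto, alg = (int(x) for x in tok[i + 1:i + 4])
    return tok[0], flags, proto, alg, "".join(tok[i + 4:])


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum-style tag; this is the 'key id' in the file comment."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(dnskey_line: str, digest_type: int = 2) -> str:
    """DS presentation line for a KSK DNSKEY.  Refuses ZSKs: only KSKs go to the parent."""
    owner, flags, proto, alg, pub = parse_dnskey(dnskey_line)
    if not flags & SEP_FLAG:
        raise ValueError("SEP flag clear: this is a ZSK, not a KSK")
    rdata = dnskey_rdata(flags, proto, alg, pub)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner.lower()} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def dsset_matches(dsset_text: str, dnskey_line: str) -> bool:
    """True if every DS line in the dsset- file is the one derived from this KSK.
    Catches a stale dsset- from a previous key or a dsset- for the wrong zone."""
    rows = [l.split(";", 1)[0].split() for l in dsset_text.splitlines()]
    rows = [t for t in rows if "DS" in t]
    if not rows:
        return False
    for tok in rows:
        i = tok.index("DS")
        expected = ds_record(dnskey_line, int(tok[i + 3])).split()
        # BIND may split the digest into several hex groups: re-join them
        got = [tok[0].lower()] + tok[i + 1:i + 4] + ["".join(tok[i + 4:]).upper()]
        if got != expected[0:1] + expected[3:]:
            return False
    return True


if __name__ == "__main__":
    print(ds_record(SAMPLE_KSK_LINE))   # compare this line with dsset-example.com.
```

Run it against the real KSK line from `${ZONE_FILE}.signed` and the real `dsset-` file; a mismatch means the file was produced for a different key or a different zone, and the parent must not be given it.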

*IMPORTANT*: Remember to re-sign your zones frequently (e.g. from cron daily).
Every RRSIG record contains an expiry time for the signature (in the format
YYYYMMDDhhmmss, UTC, so it's easy to see); by default `dnssec-signzone` makes
signatures valid for 30 days from an inception one hour in the past.  Don't
let them expire, or validating resolvers will stop resolving your zone.  I have
`make -B -C /etc/bind` in an executable file in /etc/cron.daily.
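A cron job can silently stop working, so it pays to monitor the signatures themselves. The following is an added example, not code from the original page: it parses RRSIG records and reports which ones are expired, not yet valid, or inside a warning window, so the check can be run against `${ZONE_FILE}.signed` or against `dig +dnssec` output (both use the RFC 4034 presentation format). The zone snippet and the `now` timestamp used in it are constructed sample data; the signatures are fake.

```python
"""
Added example (not from the original page): flag RRSIGs that have expired or
are about to.  RRSIG presentation format (RFC 4034 s3.2):
  type-covered alg labels orig-ttl expiration inception key-tag signer signature
"""
from datetime import datetime, timezone, timedelta

# Constructed sample of a signed zone; the base64 signatures are placeholders.
SAMPLE_SIGNED_ZONE = """\
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 1712318400 3600 900 1209600 300
example.com.      3600 IN RRSIG SOA 8 2 3600 20240501120000 20240401110000 2059 example.com. AQIDBA==
example.com.      3600 IN RRSIG DNSKEY 8 2 3600 20240410120000 20240311110000 12345 example.com. AQIDBA==
www.example.com.  3600 IN A     192.0.2.10
www.example.com.  3600 IN RRSIG A 8 3 3600 20240301120000 20240201110000 2059 example.com. AQIDBA==
mail.example.com. 3600 IN RRSIG A 8 3 3600 20240601120000 20240501000000 2059 example.com. AQIDBA==
"""


def parse_sigtime(s) -> datetime:
    """RRSIG times are YYYYMMDDHHMMSS in UTC; the RFC also allows seconds since the epoch."""
    if isinstance(s, datetime):
        return s
    if len(s) == 14 and s.isdigit():
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(s), tz=timezone.utc)


def parse_rrsigs(text: str):
    """Yield (owner, type_covered, inception, expiration, key_tag) for each RRSIG line."""
    for raw in text.splitlines():
        tok = raw.split(";", 1)[0].split()
        if "RRSIG" not in tok:
            continue
        i = tok.index("RRSIG")                   # TTL/class are optional, locate by type
        type_covered, _alg, _labels, _ottl, exp, inc, tag = tok[i + 1:i + 8]
        yield tok[0], type_covered, parse_sigtime(inc), parse_sigtime(exp), int(tag)


def check_rrsigs(text: str, now, warn_days: int = 7):
    """Classify each RRSIG as 'expired', 'not-yet-valid', 'expiring' (inside the
    warning window) or 'ok'.  Returns [(owner, type_covered, status, days_left)].
    `now` may be a datetime or a YYYYMMDDHHMMSS string (handy for testing)."""
    now = parse_sigtime(now)
    results = []
    for owner, rtype, inc, exp, _tag in parse_rrsigs(text):
        days_left = (exp - now) / timedelta(days=1)
        if now >= exp:
            status = "expired"
        elif now < inc:                          # clock skew or a signer with a wrong clock
            status = "not-yet-valid"
        elif exp - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        results.append((owner, rtype, status, round(days_left, 1)))
    return results


def needs_resign(text: str, now, warn_days: int = 7) -> bool:
    """True if any signature is outside (or about to leave) its validity window."""
    return any(status != "ok" for _, _, status, _ in check_rrsigs(text, now, warn_days))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for owner, rtype, status, days in check_rrsigs(SAMPLE_SIGNED_ZONE, now):
        print(f"{status:14} {days:7.1f}d  {owner} RRSIG({rtype})")
    raise SystemExit(1 if needs_resign(SAMPLE_SIGNED_ZONE, now) else 0)
```

Pick the warning window from the re-sign schedule: with a daily re-sign and 30-day signatures, anything under about a week left means several runs have already failed, and the exit status makes it easy to alert from cron.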

You're now done.

Extras
------

You can put [SSHFP records in your zone](sshfp) to complete the trust
delegation all the way to your ssh server.

DANE would also be cool, but as far as I know no browsers currently support it.  Boo.
