home | list info | list archive | date index | thread index

[OCLUG-Tech] DNSSEC tools - zone key rollover ?

I am trying to bring up DNSSEC on my domains, served by bind 9.10.3 on Ubuntu 16.04. I already have two secure zones validated by http://dnssec-debugger.verisignlabs.com and dnsviz.net

Now I need to get rollover working before expiry :-)

I secured the zones using zonesigner, and I understand rollerd is used to rotate the keys. But the documentation that I've found is a little unclear. I understand there may be patent encumbrances behind key rotation, which is maybe part of the problem?

Does anyone have this working that could describe your working key rotation in detail? I think it could be as simple as a cron entry? But I'm not sure, and not sure about the 'best' key rotation of the two protocols.

Or maybe there is great documentation out there I missed in my search?

Or maybe you want to convince me to use another DNSSEC tool, and can point me at great docs for it?

FYI, my knowledge base is this. I've run authoritative and slave BIND servers for years, with tsigs. I've also been generating my own 509 certs for http and SMTP, and recently trying out the free letsencrypt.com certificates and EFF certbot updater (which seems to work quite well).

Thank you!