I am trying to bring up DNSSEC on my domains, served by bind 9.10.3 on
Ubuntu 16.04. I already have two secure zones validated by
http://dnssec-debugger.verisignlabs.com and dnsviz.net.
Now I need to get rollover working before expiry :-)
I secured the zones using zonesigner, and I understand rollerd is used to
rotate the keys. But the documentation that I've found is a little
unclear. I understand there may be patent encumbrances behind key
rotation, which is maybe part of the problem?
Does anyone have this working that could describe your working key
rotation in detail? I think it could be as simple as a cron entry? But I'm
not sure, and not sure about the 'best' key rotation of the two protocols.
Or maybe there is great documentation out there I missed in my search?
Or maybe you want to convince me to use another DNSSEC tool, and can point
me at great docs for it?
FYI, my knowledge base is this. I've run authoritative and slave BIND
servers for years, with TSIGs. I've also been generating my own X.509 certs
for http and SMTP, and recently trying out the free letsencrypt.com
certificates and EFF certbot updater (which seems to work quite well).
Thank you!
Brett