Title: Deploying DNSSEC with BIND 9.8.0
Date: 2013-03-01 15:09

Good news: BIND is now able to automagically manage your keys! No more
hackish cron stuff, no more need to use dnssec-tools.

Quick walkthrough
=================

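Key generation
--------------

    :::bash
    cd /etc/bind/dustri.org/
    # key-signing key (KSK)
    dnssec-keygen -f KSK -a RSASHA256 -b 2048 dustri.org
    # zone-signing key (ZSK), same algorithm as the KSK
    # (without -a, dnssec-keygen 9.8 falls back to RSASHA1)
    dnssec-keygen -a RSASHA256 -b 1024 dustri.org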

Edit your configuration
-----------------------

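    :::bash
    vim /etc/bind/named.conf
    options {
    [...]
        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;
    };
    zone "dustri.org" {
        type master;
        file "/etc/bind/dustri.org/db.dustri.org";
        # where named looks for the keys generated above
        key-directory "/etc/bind/dustri.org/";
        notify yes;
        # auto-dnssec needs a zone that accepts dynamic updates
        update-policy local;
        # named signs the zone and re-signs it as signatures expire
        auto-dnssec maintain;
        [...]
    };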
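
Since `auto-dnssec maintain` signs with whatever it finds in `key-directory`, it is worth confirming that the directory holds a KSK and a ZSK for the same algorithm before reloading BIND. The check below is an added example, not part of the original post; `check_keyset` and the sample functions are hypothetical names, and the sample records are constructed with placeholder key material.

```shell
#!/bin/sh
# Added example: sanity-check the DNSKEY records of a BIND key-directory.
# Reads the contents of K*.key files on stdin, prints one line per key and
# fails if any algorithm lacks a KSK (flags 257) or a ZSK (flags 256).
check_keyset() {
    awk '
        /^[ \t]*;/ || NF == 0 { next }      # skip comments and blank lines
        {
            for (i = 1; i <= NF; i++) if ($i == "DNSKEY") break
            if (i > NF) next                # not a DNSKEY record
            flags = $(i + 1); alg = $(i + 3)
            role = (flags == 257) ? "KSK" : ((flags == 256) ? "ZSK" : "other")
            printf "%s alg=%s %s\n", $1, alg, role
            seen[alg] = 1
            if (role == "KSK") ksk[alg] = 1
            if (role == "ZSK") zsk[alg] = 1
        }
        END {
            bad = 0; n = 0
            for (a in seen) {
                n++
                if (!(a in ksk)) { print "alg " a ": no KSK"; bad = 1 }
                if (!(a in zsk)) { print "alg " a ": no ZSK"; bad = 1 }
            }
            if (n == 0) { print "no DNSKEY records found"; bad = 1 }
            exit bad
        }'
}

# Constructed sample input: KSK and ZSK on the same algorithm (8, RSASHA256).
sample_matched() {
    printf '%s\n' \
        '; This is a key-signing key, keyid 11111, for dustri.org.' \
        'dustri.org. IN DNSKEY 257 3 8 AwEAAcPLACEHOLDER' \
        'dustri.org. IN DNSKEY 256 3 8 AwEAAcPLACEHOLDER'
}

# Constructed sample input: KSK on algorithm 8, ZSK on algorithm 5 (RSASHA1).
sample_mixed() {
    printf '%s\n' \
        'dustri.org. IN DNSKEY 257 3 8 AwEAAcPLACEHOLDER' \
        'dustri.org. IN DNSKEY 256 3 5 AwEAAcPLACEHOLDER'
}

# Real use: cat /etc/bind/dustri.org/K*.key | check_keyset
```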

Conclusion
==========

That's it, you've deployed DNSSEC, and BIND will manage your keys for
you.
You can now push your key to your registrar to get it signed ([here][]
if, like me, you're at OVH), and check that everything is fine
[here][1].

  [here]: http://guides.ovh.com/dnssec
  [1]: http://dnssec-debugger.verisignlabs.com/dustri.org
