Applying the chain of trust - BIND version 9.4

Now that you have a secured root, you can secure the rest of your child zones. In this case, we are working to secure the zone abc.aus.century.com.

Follow these steps to secure your remaining child zones:

  1. Generate the key pairs using the dnssec-keygen command:
    dnssec-keygen -a RSA -b 512 -r /usr/sbin/named -n ZONE abc.aus.century.com.
    The -r flag specifies a random input file.
  2. Make a keyset by running the dnssec-makekeyset command:
    dnssec-makekeyset -t 172800 Kabc.aus.century.com.+001+11515.key
    where Kabc.aus.century.com.+001+11515.key is the public key file generated in step 1.

    This creates a keyset file called keyset-abc.aus.century.com.

  3. Send this keyset file to the parent zone to get it signed. In this case, our parent zone is the secure root zone aus.century.com.
  4. The parent must sign the key using its private key.
    dnssec-signkey keyset-abc.aus.century.com. Kaus.century.com.+001+03254.private
    This generates a file called signedkey-abc.aus.century.com, which the parent must send back to the child zone.
  5. On the child name server for zone abc.aus.century.com, add the line $INCLUDE Kabc.aus.century.com.+001+11515.key to the plain zone file named.abc.data. Place the signedkey-abc.aus.century.com file received from the parent in the same directory as named.abc.data; when the zone is signed in the next step, dnssec-signzone finds that file and includes the parent's signature in the signed zone.
    $TTL 3h    ;3 hour
    
    @ IN    SOA     venus.abc.aus.century.com. gail.zeus.abc.aus.century.com.  (
                    1       ;serial
                    3600    ;refresh
                    600     ;retry
                    3600000 ;expire
                    86400   ;negative caching TTL
    )
    @ IN    NS      venus.abc.aus.century.com.   ;NS record required at the zone apex (the SOA primary)
    ;include the child zone's own public key from step 1, not the parent's key
    $INCLUDE Kabc.aus.century.com.+001+11515.key
  6. Sign the zone using the dnssec-signzone command:
    dnssec-signzone -o abc.aus.century.com. named.abc.data
  7. Modify the named.conf file on the child zone abc.aus.century.com to use the new signed zone file (named.abc.data.signed). For example:
    options {
            directory "/usr/local/domain";
    };
    
    zone "abc.aus.century.com" in {
            type master;
            file "named.abc.data.signed";
            allow-update { 192.9.201.1; };
    };
  8. Reload the name server so that it serves the signed zone file.
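The following is an added example, not part of the original page: a pre-flight check for the child name server to run between steps 5 and 6, before dnssec-signzone. It confirms that the plain zone file $INCLUDEs a public key file belonging to the child zone itself (a common slip is to include the parent's key instead) and that the signedkey file returned by the parent sits in the same directory as the zone file. File names follow the layout above (Kabc.aus.century.com.+001+11515.key, Kaus.century.com.+001+03254.key, signedkey-abc.aus.century.com, named.abc.data); the working directory and the key file contents are constructed stand-ins, since real files come from dnssec-keygen and dnssec-signkey.

```shell
#!/bin/sh
# Added example: sanity check before running dnssec-signzone on a child zone.
# Not from the original page; directory layout and file contents are constructed.

# check_child_zone DIR ZONE ZONEFILE  -> returns 0 if ready to sign, 1 otherwise
check_child_zone() {
    dir=$1 zone=$2 zonefile=$3
    rc=0
    if [ ! -f "$dir/$zonefile" ]; then
        echo "FAIL: zone file $dir/$zonefile not found"
        return 1
    fi
    # Every $INCLUDE in the zone file must name a K<zone>.+<alg>+<id>.key file
    # for this zone, as step 5 requires.
    includes=$(sed -n 's/^\$INCLUDE[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$dir/$zonefile")
    if [ -z "$includes" ]; then
        echo "FAIL: $zonefile has no \$INCLUDE of a key file"
        rc=1
    fi
    for inc in $includes; do
        case $inc in
            "K$zone."+[0-9][0-9][0-9]+[0-9]*.key)
                ;;                       # a key pair generated for this zone
            K*.key)
                echo "FAIL: $inc belongs to another zone (parent key included by mistake?)"
                rc=1 ;;
            *)
                echo "FAIL: unexpected \$INCLUDE target $inc"
                rc=1 ;;
        esac
        if [ ! -f "$dir/$inc" ]; then
            echo "FAIL: $inc is not in $dir beside $zonefile"
            rc=1
        fi
    done
    # The parent's signed keyset must be beside the zone file so that
    # dnssec-signzone can include it (step 5). Accept the name with or without
    # a trailing dot, since BIND tools name keyset files with one.
    if [ -f "$dir/signedkey-$zone" ] || [ -f "$dir/signedkey-$zone." ]; then
        :
    else
        echo "FAIL: signedkey-$zone from the parent is missing in $dir"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $zone is ready for dnssec-signzone"
    return "$rc"
}

# make_demo DIR good|bad: constructed layout mirroring the page's steps.
# "bad" includes the parent's key file instead of the child's own key.
make_demo() {
    dir=$1 variant=$2
    mkdir -p "$dir"
    # Constructed placeholder contents; real files come from dnssec-keygen/dnssec-signkey.
    printf 'abc.aus.century.com. IN KEY 256 3 1 CONSTRUCTEDKEYDATA\n' \
        > "$dir/Kabc.aus.century.com.+001+11515.key"
    printf 'aus.century.com. IN KEY 256 3 1 CONSTRUCTEDKEYDATA\n' \
        > "$dir/Kaus.century.com.+001+03254.key"
    printf 'abc.aus.century.com. IN SIG KEY CONSTRUCTEDSIGDATA\n' \
        > "$dir/signedkey-abc.aus.century.com"
    if [ "$variant" = good ]; then
        keyfile=Kabc.aus.century.com.+001+11515.key
    else
        keyfile=Kaus.century.com.+001+03254.key
    fi
    cat > "$dir/named.abc.data" <<EOF
\$TTL 3h
@ IN SOA venus.abc.aus.century.com. gail.zeus.abc.aus.century.com. ( 1 3600 600 3600000 86400 )
@ IN NS venus.abc.aus.century.com.
\$INCLUDE $keyfile
EOF
}

# Stand-alone demo: the correct layout passes, the parent-key slip is caught.
demo_dir=${TMPDIR:-/tmp}/chain-of-trust-demo.$$
make_demo "$demo_dir/good" good
make_demo "$demo_dir/bad" bad
check_child_zone "$demo_dir/good" abc.aus.century.com named.abc.data
check_child_zone "$demo_dir/bad" abc.aus.century.com named.abc.data \
    || echo "(expected: the bad layout must not be signed as-is)"
rm -rf "$demo_dir"
```

Run it on the child name server from the directory that holds named.abc.data, passing that directory, the zone name and the zone file name; only when it prints OK should step 6 be run.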

For information on troubleshooting, see Name resolution problems.