I'm configuring a Master DNS server on RHEL 6.8 with BIND 9.8.2. BIND is being configured to operate chrooted in the /var/named/chroot directory, so all the files and directories below are prepended with (actually reside within) /var/named/chroot. I have one Master (authoritative) and one Slave server (recursive). I need to configure automatic key signing so the zone data files (/var/named/slaves/db.*) are resigned automatically. Ten (10) zone files are located in the /var/named/slaves/ directory.
Where in the (chrooted) directory tree should I execute the dnssec-keygen steps for the ten zone data files, and where *should* the DNSSEC keys reside on the system? The system I'm deploying currently has the /etc/keys/ directory, where my colleague believes I should put the DNSSEC keys, but I don't yet know if DNSSEC will support keys located in /etc/keys/. If I place the DNSSEC keys inside a file in the /etc/keys/ directory, separate from the zone data in the /var/named/slaves directory, can I configure DNSSEC automatic zone resigning to function?
I scanned through the BIND 9.8.2 Administrator Reference Manual (ftp://ftp.isc.org/isc/bind9/9.8.2/doc/arm/Bv9ARM.pdf), and it gives the example below for a zone statement, but it doesn't say whether zone resigning will function with the key-directory set to "/etc/keys/dnssec-keys/db.<zone>" or similar:
Code:
zone example.net {
    type master;
    update-policy local;
    file "dynamic/example.net/example.net";
    key-directory "dynamic/example.net";
};
Any help/feedback is greatly appreciated!
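Added example (not part of the original post or of the BIND documentation): a POSIX shell script that lays out the keys and renders the matching zone stanzas for a chrooted BIND 9.8 master. It assumes the chroot is /var/named/chroot, that the zone files are /var/named/slaves/db.<zone>, and that the keys are kept in /etc/keys as named sees it, which on the host is /var/named/chroot/etc/keys (the host's own /etc/keys is invisible to a chrooted named, since every path in named.conf, key-directory included, is resolved after chroot()). It also assumes a `named` user and group, as on RHEL. The script uses only documented BIND 9.8 tools and options (dnssec-keygen -K, auto-dnssec maintain, update-policy local, rndc loadkeys/sign); the function names and the `apply` argument are my own.

```shell
#!/bin/sh
# Added example: key layout and zone stanzas for a chrooted BIND 9.8 master.
# Assumptions (not from the original post): chroot at /var/named/chroot,
# zone files /var/named/slaves/db.<zone>, keys in /etc/keys *inside* the
# chroot, named runs as user/group "named".

CHROOT=/var/named/chroot
KEYDIR=/etc/keys             # as named sees it after chroot()
ZONEDIR=/var/named/slaves    # as named sees it; must be writable by named

# Map a chroot-relative path to its location on the host filesystem.
host_path() {
    printf '%s%s\n' "$CHROOT" "$1"
}

# Render a zone stanza. In 9.8 there is no inline-signing (9.9+), so
# auto-dnssec maintain requires a dynamic zone: update-policy local lets
# nsupdate -l (and named itself) update it; named will also write a
# .jnl journal next to the zone file and rewrite the file on dump.
zone_stanza() {
    zone=$1
    cat <<EOF
zone "$zone" {
    type master;
    file "$ZONEDIR/db.$zone";
    key-directory "$KEYDIR";
    update-policy local;
    auto-dnssec maintain;
};
EOF
}

# Generate a KSK and a ZSK for one zone straight into the key directory
# on the host (-K). Not run by the tests; needs the bind utilities.
keygen_zone() {
    zone=$1
    dir=$(host_path "$KEYDIR")
    mkdir -p "$dir"
    dnssec-keygen -K "$dir" -r /dev/urandom -a RSASHA256 -b 2048 -f KSK "$zone"
    dnssec-keygen -K "$dir" -r /dev/urandom -a RSASHA256 -b 1024 "$zone"
}

# Private keys must be readable by named and by nobody else; a key that
# named cannot read is skipped, leaving the zone unsigned.
lock_down_keys() {
    dir=$(host_path "$KEYDIR")
    chown -R named:named "$dir"
    chmod 750 "$dir"
    chmod 640 "$dir"/K*.private
    chmod 644 "$dir"/K*.key
}

# Derive the zone names from the db.<zone> files present on the host.
zones_from_files() {
    for f in "$(host_path "$ZONEDIR")"/db.*; do
        [ -e "$f" ] || continue
        f=${f##*/}
        printf '%s\n' "${f#db.}"
    done
}

# Driver: runs only as `sh keys.sh apply`, so sourcing the file for its
# functions has no side effects. After loading the new named.conf:
# rndc reconfig; rndc loadkeys <zone>; rndc sign <zone>  (for each zone)
if [ "${1:-}" = "apply" ]; then
    for z in $(zones_from_files); do
        keygen_zone "$z"
        zone_stanza "$z"
    done
    lock_down_keys
fi
```

Run `sh keys.sh apply` once on the master, paste the printed stanzas into the chrooted named.conf, then `rndc reconfig`, `rndc loadkeys <zone>` and `rndc sign <zone>` for each zone; from then on named re-signs RRSIGs before they expire using the keys in key-directory. The slave needs none of this: it receives the signed zone via AXFR/IXFR.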