The source RPM of dnssec-tools is a bit old, so I installed the latest dnssec-tools from source code.
[ procedure ]
download source code
install perl modules that are needed for dnssec-tools
compile and install dnssec-tools
[ logs ]
download dnssec-tools-1.9.tar.gz
install perl modules via CPAN that are needed for dnssec-tools ( mandatory )
    # perl -MCPAN -e shell
    cpan> install Net::DNS Net::DNS::SEC
install perl modules ( optional )
    cpan> install Text::Wrap Date::Parse ExtUtils::MakeMaker MailTools Test::Builder String::Diff GraphViz Gtk2 QWizard Getopt::GUI::Long Tk Text::Diff
download and install graphviz ( optional )
    # wget http://pkgs.repoforge.org/graphviz/graphviz-2.22.0-4.el5.rf.x86_64.rpm
    # rpm -ivh graphviz-2.22.0-4.el5.rf.x86_64.rpm
compile dnssec-tools
    # tar xzvf dnssec-tools-1.9.tar.gz
    # cd dnssec-tools-1.9
    # ./configure --with-ipv6 --with-nsec3
    ---------------------------------------------------------
    DNSSEC-Tool Validator configuration summary:
    ---------------------------------------------------------
    system configuration directory : /usr/local/etc
    Validator configuration file: /usr/local/etc/dnssec-tools/dnsval.conf
    NSEC3 support : Yes
    DLV support : Yes
    IPv6 support : Yes
    Thread support : Yes
    Developer flags :
    libval resolver configuration : /usr/local/etc/dnssec-tools/resolv.conf
    libval root hints : /usr/local/etc/dnssec-tools/root.hints
    ---------------------------------------------------------
    # make
    # make install
The configuration file is stored in the /usr/local/etc/dnssec-tools directory.
    # head -20 /usr/local/etc/dnssec-tools/dnssec-tools.conf
    #
    # DNSSEC-Tools Configuration
    #
    #
    # Settings for DNSSEC-Tools administration.
    #
    admin-email dnssec-tools@example.com
    #
    # Paths to needed programs. These may need adjusting for individual hosts.
    #
    keyarch /usr/bin/keyarch
    keygen /usr/local/sbin/dnssec-keygen
    rndc /usr/local/sbin/rndc
    zonecheck /usr/local/sbin/named-checkzone
    zonesign /usr/local/sbin/dnssec-signzone
    rollchk /usr/bin/rollchk
    zonesigner /usr/bin/zonesigner
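The config comment says the program paths may need adjusting per host, and the listing mixes /usr/bin and /usr/local/sbin. The script below is an added example (not from the original post and not part of dnssec-tools) that flags entries which are not executable files or are world-writable; the function name check_tool_paths and the demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of dnssec-tools): sanity-check the program paths
# in dnssec-tools.conf after a source install.

# Keys from the "Paths to needed programs" block of the config shown above.
TOOL_KEYS="keyarch keygen rndc zonecheck zonesign rollchk zonesigner"

# check_tool_paths CONF
# Prints one line per program entry:
#   ok <key> <path>        regular file, executable
#   MISSING <key> <path>   not an executable regular file
#   WRITABLE <key> <path>  executable, but world-writable
# Returns 0 only if every entry is "ok", 1 otherwise, 2 if CONF is unreadable.
check_tool_paths() {
    conf=$1
    status=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    while read -r key value rest || [ -n "$key" ]; do
        case "$key" in ''|'#'*) continue ;; esac      # blank line or comment
        case " $TOOL_KEYS " in
            *" $key "*) ;;                            # a program path entry
            *) continue ;;                            # e.g. admin-email
        esac
        if [ ! -f "$value" ] || [ ! -x "$value" ]; then
            echo "MISSING $key $value"; status=1
        elif [ -n "$(find -L "$value" -prune -perm -002)" ]; then
            echo "WRITABLE $key $value"; status=1
        else
            echo "ok $key $value"
        fi
    done < "$conf"
    return "$status"
}

# Demo on constructed input (files and paths are made up for the demo).
demo_dir=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo_dir/keygen"; chmod 755 "$demo_dir/keygen"
printf '#!/bin/sh\n' > "$demo_dir/rndc";   chmod 777 "$demo_dir/rndc"
cat > "$demo_dir/dnssec-tools.conf" <<EOF
# constructed sample, same layout as the file above
admin-email dnssec-tools@example.com
keygen $demo_dir/keygen
rndc $demo_dir/rndc
zonesigner $demo_dir/zonesigner
EOF
check_tool_paths "$demo_dir/dnssec-tools.conf" || echo "review the flagged entries"
rm -rf "$demo_dir"
```

On the installed host, run it as: check_tool_paths /usr/local/etc/dnssec-tools/dnssec-tools.conf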
    # zonesigner --algorithm RSASHA256 -genkeys -zone example.jp example.jp.db

    if zonesigner appears hung, strike keys until the program completes
    (see the "Entropy" section in the man page for details)

    Generating key pair............++++++ .........++++++
    Generating key pair..++++++ ..++++++
    Generating key pair......+++ ..............................................+++
    Verifying the zone using the following algorithms: RSASHA256.
    Zone signing complete:
    Algorithm: RSASHA256:
    KSKs: 1 active, 0 stand-by, 1 revoked
    ZSKs: 1 active, 1 stand-by, 0 revoked

    zone signed successfully

    example.jp:
    KSK (cur) 26845 -b 2048 06/21/11 (signing-set-3000000000000000000000000)
    KSK (rev) 57805 -b 2048 06/21/11 (signing-set-3000000000000000000000)
    ZSK (cur) 28494 -b 1024 06/21/11 (signing-set-3000000000000000)
    ZSK (pub) 48498 -b 1024 06/21/11 (signing-set-3000000000000000000)

    zone will expire in 4 weeks, 2 days, 0 seconds