... | ... | @@ -224,13 +224,13 @@ Kexample.net.+008+42231.private |
|
|
### Sign the zone as usual
|
|
|
|
|
|
The zone signing commences as usual, with only one small difference. Again, we
|
|
|
need to provide name of the OpenSSL engine using the `-E` command line option.
|
|
|
need to provide the name of the OpenSSL engine using the `-E` command line option.
|
|
|
|
|
|
```
|
|
|
dnssec-signzone -E pkcs11 -S -o example.net example.net
|
|
|
```
|
|
|
|
|
|
and the output should like the usual thing:
|
|
|
and the output should look like the usual thing:
|
|
|
|
|
|
```
|
|
|
Fetching example.net/RSASHA256/31729 (KSK) from key repository.
|
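Review bot: The command kept as context in this hunk, `dnssec-signzone -E pkcs11 -S -o example.net example.net`, passes `example.net` as the zone file, yet the sample output further down ends with `example.db.signed`. Since `dnssec-signzone` names its output after the input file by default, the last argument should probably be `example.db`, or the output sample should be adjusted to match. While the sentence is being reworded anyway, "the usual thing" could say what the reader should check for, such as the `Fetching ... from key repository` lines.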
... | ... | @@ -242,4 +242,23 @@ Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked |
|
|
example.db.signed
|
|
|
```
|
|
|
|
|
|
### Sign the zone with `named`
|
|
|
|
|
|
The zone can also be signed automatically by `named`. Again, we need to provide the name of the OpenSSL engine using the `-E` command line option.
|
|
|
|
|
|
```
|
|
|
named -E pkcs11 -c named.conf
|
|
|
```
|
|
|
|
|
|
and the logs should have lines like:
|
|
|
|
|
|
```
|
|
|
Fetching example.net/RSASHA256/31729 (KSK) from key repository.
|
|
|
DNSKEY example.net/RSASHA256/31729 (KSK) is now published
|
|
|
DNSKEY example.net/RSA256SHA256/31729 (KSK) is now active
|
|
|
Fetching example.net/RSASHA256/42231 (ZSK) from key repository.
|
|
|
DNSKEY example.net/RSASHA256/42231 (ZSK) is now published
|
|
|
DNSKEY example.net/RSA256SHA256/42231 (ZSK) is now active
|
|
|
```
|
|
|
|
|
|
🎉 |
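Review bot: In the added log sample, the two "is now active" lines read `RSA256SHA256`, while every other line, including the matching "is now published" lines for keys 31729 and 42231, reads `RSASHA256`. This looks like a typo and should be `RSASHA256` if the sample is meant to mirror real `named` output. The new section also points at `named.conf` without showing which zone options turn on automatic signing, so a short configuration snippet or a reference to where it is documented would help. The sentence beginning "Again, we need to provide" repeats the one in the `dnssec-signzone` section almost verbatim and could be shortened.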