# dnssec-signzone -S -o <zone name> <zone file>
Microsoft
# dnssec-signzone -E pkcs11 -S -o <zone name> <zone file>
You don't need to specify the key files here because "smart signing" is activated with the -S parameter, which enables automatic search for key files. The signed domain zone file is now located in the current folder.
5.1 Re-Signing Domain Zones
Previously you have seen how to manually sign a domain zone, which also includes generating the necessary keys. These keys have to be changed periodically, which normally requires manual intervention. BIND is also able to re-sign domain zones automatically: you can configure named to dynamically re-sign zones, or new records inserted via nsupdate. For this, named requires access to the private key without user interaction. For PKCS#11 you have to provide the user PIN of the PKCS#11 slot to access the private key. To grant automatic access to the private key, configure the OpenSSL configuration file openssl.cnf [6][7] as shown below:
openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
PIN = utimaco123
The default location of the configuration file can be overridden by setting the environment variable OPENSSL_CONF. The PIN is the one that was entered during the initialization of the PKCS#11 slot. This will also enable the dnssec-* tools to work without user interaction; formerly the user PIN had to be entered manually.
[6] Linux - /opt/openssl-p11/ssl/openssl.cnf
[7] Microsoft Windows - c:\usr\local\ssl\openssl.cnf
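OpenSSL reaches the PIN by walking three sections (openssl_conf -> engines -> pkcs11 -> PIN), and because the PIN is stored in clear text, the file's permissions decide who can read the slot credential. As an added example, not taken from this guide or from BIND, here is a small Python checker that follows that chain and flags a config that holds the PIN but is readable by group or others; the sample text is a constructed copy of the fragment above.

```python
import stat

# Constructed sample: a copy of the openssl.cnf fragment shown in this guide.
SAMPLE_CNF = """\
openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
PIN = utimaco123
"""


def parse_openssl_cnf(text):
    """Minimal parser for OpenSSL's INI-style config; pre-section keys go to ""."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()  # "[ openssl_def ]" -> "openssl_def"
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def resolve_pkcs11_pin(sections, engine="pkcs11"):
    """Follow openssl_conf -> engines -> <engine> -> PIN, as the engine loader does."""
    app = sections.get(sections[""].get("openssl_conf", ""), {})
    engines = sections.get(app.get("engines", ""), {})
    engine_section = sections.get(engines.get(engine, ""), {})
    return engine_section.get("PIN")


def audit_openssl_cnf(text, mode):
    """Findings for a config's text plus its permission bits (e.g. 0o644 from os.stat)."""
    findings = []
    if resolve_pkcs11_pin(parse_openssl_cnf(text)) is None:
        findings.append("no PIN reachable via openssl_conf -> engines -> pkcs11 chain")
    elif mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"mode {mode:04o} lets group/others read the slot PIN")
    return findings
```

Call audit_openssl_cnf with the file's contents and stat.S_IMODE(os.stat(path).st_mode) for the file named in OPENSSL_CONF or the footnoted default path; on Microsoft Windows the POSIX mode bits are not meaningful, so only the chain check applies there.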