1. You can put all the keys in a single folder, but for better understanding I put the necessary information in 4 folders:
ZONES: all zone files,
SIGNED: all signed zone files,
ZSK: all ZSK keys,
KSK: all KSK keys.
sudo mkdir /etc/nsd/SIGNED /etc/nsd/KSK /etc/nsd/ZSK
2. Time to install ldns, an NLnet Labs project:
sudo apt-get install ldnsutils
3. Create the ZSK and the KSK (the -k flag marks the KSK)
sudo ldns-keygen -a RSASHA1_NSEC3 -b 1024 ssh.com.bd
sudo ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k ssh.com.bd
# RSASHA1_NSEC3 is DNSSEC algorithm 7; RFC 8624 marks SHA-1 based algorithms as not recommended for new signing, so RSASHA256 is the usual choice today.
ldns-keygen will create 3 files: a .key file with the public DNSKEY record, a .private file with the private key data, and a .ds file with the DS record of that DNSKEY.
4. Edit /etc/nsd/nsd.conf to change the path for the signed zones:
5. Now use the ldns-signzone command to sign ssh.com.bd and create a new file ready for DNSSEC queries.
sudo ldns-signzone /etc/nsd/ZONES/ssh.com.bd.zone \
This will create a signed zone file under nsd; now you have DNSSEC for the zone.
7. To have a complete implementation you need to upload your DS record to the parent zone. The following screenshot shows how you can add a DS record in GoDaddy hosting.
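Before pasting the DS record into the parent's portal it is worth rebuilding it from the KSK's DNSKEY record and comparing it with the .ds file ldns-keygen wrote. The following is an added example, not code from the post or from ldns: it computes the RFC 4034 key tag and the DS digest for digest types 1, 2 and 4 (SHA-1, SHA-256, SHA-384), which is more general than the single .ds file the post mentions. The owner name and the two-byte "public key" are constructed so the key-tag arithmetic can be followed by hand.

```python
# Added example (not from the original post or from ldns): rebuild a DS record
# from a DNSKEY so the value uploaded to the parent can be checked.
import base64
import hashlib

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name):
    """Canonical wire form of the owner name: length-prefixed lowercase labels, root = 0x00."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (algorithm 1 used a different rule and is obsolete)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key tag, hex digest, presentation-format DS record) for the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag = key_tag(rdata)
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return tag, digest, f"{owner.rstrip('.')}. IN DS {tag} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    # Constructed KSK: flags 257 (SEP bit set), protocol 3, algorithm 7 as used in the
    # post, and the placeholder key bytes 0x01 0x02 ("AQI=" in base64).
    print(ds_record("example.net.", 257, 3, 7, "AQI=")[2])
```

Replace the constructed values with the flags, algorithm and base64 key from your KSK's .key file; the tag and digest must match the .ds file and what the parent shows after upload.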
8. Now test DNSSEC with the dig command. Pay attention to the ad (authenticated data) flag in the flags line of the answer. The following example is for the domain apnictraining.net:
dig @18.104.22.168 apnictraining.net +dnssec +multi
For a reverse zone most of the process is the same; the only difference is in adding the DS record: for a reverse zone we need to add it in the RIR portal. In my case I added it in myAPNIC.
DNSVIZ is a good site to validate DNSSEC. The following URL gives you the DNSSEC details for both the forward and the reverse zone: