Hello!
I see you have added some of the DNSSEC records to the forward zones. Is there a reason they were left out of the reverse zones? I tested this with version 2.22 that was downloaded from the store.
I don't recall if there was a particular reason. Perhaps just an oversight.
I pushed NicTool down the road towards DNSSEC, but there's still more path left to travel.
Are you actually using DNSSEC records? If so, how?
Currently, I am using DS records in a /32 IPv6 reverse zone that I host too. This allows me to delegate / maintain the full DNSSEC hierarchy without combining all of the reverse /40s into the /32.
In order to actually sign the zones, I feed the zones to OpenDNSSEC to allow it to maintain the individual zone ZSK and KSK.
Steve
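The DS fields that go into a parent /32 reverse zone for a delegated /40, as an added example that is not part of the original thread or NicTool's own code: it derives the ip6.arpa zone name from the prefix and computes the key tag and SHA-256 digest per RFC 4034 from the child zone's KSK. The prefix, the function names and the key bytes are constructed for illustration; algorithm 8 is RSA/SHA-256.

```python
import base64
import hashlib
import ipaddress
import struct

def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone name for an IPv6 prefix on a nibble boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire format of a domain name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034, Appendix B."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_fields(owner: str, flags: int, algorithm: int, pubkey_b64: str):
    """(key tag, algorithm, digest type 2, SHA-256 digest) for the parent zone."""
    rdata = dnskey_rdata(flags, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

# Constructed placeholder key material (exponent 65537 header plus filler
# bytes), NOT a real RSA key; substitute the child zone's KSK public key.
SAMPLE_KSK = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(256))).decode()
SAMPLE_PREFIX = "2001:db8:ab00::/40"  # documentation prefix, constructed

if __name__ == "__main__":
    zone = reverse_zone(SAMPLE_PREFIX)
    tag, alg, dtype, digest = ds_fields(zone, 257, 8, SAMPLE_KSK)  # 257 = KSK
    print(f"{zone} IN DS {tag} {alg} {dtype} {digest}")
```

The owner name is lower-cased before hashing, so the digest does not depend on how the zone name is typed; a prefix that is not on a nibble boundary is rejected because it does not map to a single ip6.arpa zone.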
Log into mysql on your NicTool Server and run these queries:
USE nictool;
UPDATE resource_record_type SET reverse=1 WHERE name='DS';
That will enable DS records in rDNS zones.
I have also made that change in the source, so that new installs will have that enabled by default.
I have done that already. There are a couple of other updates that need to be done as well. One needs to update NicToolClient/htdocs/zone.cgi around line 1520 to allow the options for DS to be entered.
The other thing that I had to change was to edit nt-script.js, in the function getDnssecAlorithms(), so that I could add Algorithm 8, which is RSA/SHA-256, which is what they recommend for signing zones now.
Steve
Any chance I'll see a Pull Request for the changes on github?
Yes, you should see one now. I didn't have to update the javascript since you already had that updated in the head as compared to release 2.22.
Steve
merged.
Thanks,
Matt