There is an interesting DNSSEC deployment statistic from ISC: Deploy 360. If you want to know how many domains are signed under new gTLDs, you can consult nTLDStats.
It’s recommended to use the MySQL backend for production use. I used SQLite for my tests, because it was easier. When I wanted to go into production, I used the migration guide but found that the MySQL user / password could not be read from the command line. I had to enter the MySQL root password in order to complete the migration.
For reference, the commands I created the DB and user with:
When you update the policy in the kasp.xml file, you want to issue the following command to update the changes in the OpenDNSSEC database:
ods-ksmutil update kasp
If you want to force the changes to be applied, you can issue these commands:
ods-signer clear <zone>; ods-signer sign <zone>
Be careful with this and read the hints in the OpenDNSSEC documentation first.
OpenDNSSEC contains a Nagios plugin written in Ruby that can be used to monitor a signed zone. The README file shows the usage.
According to my tests on Debian Wheezy, the script can only be run with Ruby 1.8, so install some packages first:
apt-get install ruby1.8 libdns-ruby1.8 libruby1.8 ruby-dnsruby rubygems
Make a quick check to see that everything is okay:
/home/user/dnssec_monitor.rb -z dnssec.cc --kskwarn 12 -n a.dnssecns.de
6 : Making resolver for : a.
According to the OpenDNSSEC Zone Management wiki page, you have to run ods-signer sign example.com to get the zone re-signed after changes. It’s vital that you increase the SOA serial in the unsigned zone file. Otherwise your nameserver might not be notified about the changed zone.
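A pre-signing check for the serial rule above, as an added example that is not part of the original post or of OpenDNSSEC: it compares the SOA serial of the edited unsigned zone file with the copy from before the edit, using RFC 1982 serial arithmetic so that wrap-around is handled. The function names and the sample zone text are constructed for illustration, and the check assumes you keep the previous unsigned file to compare against.

```python
import re

SERIAL_SPACE = 2 ** 32  # SOA serials are unsigned 32-bit values (RFC 1982)

# Constructed sample data: the unsigned zone file before and after an edit.
PREVIOUS_ZONE = """\
$TTL 3600
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2014030101 ; serial
        3600       ; refresh
        900        ; retry
        1209600    ; expire
        3600 )     ; negative TTL
@ IN NS ns1.example.com.
"""
EDITED_ZONE = PREVIOUS_ZONE.replace("2014030101", "2014030102") + "www IN A 192.0.2.10\n"
FORGOTTEN_BUMP = PREVIOUS_ZONE + "www IN A 192.0.2.10\n"  # record added, serial untouched


def soa_serial(zone_text):
    """Extract the SOA serial from zone-file text (one-line or parenthesised SOA)."""
    # Drop ';' comments, then flatten so a multi-line SOA reads as one record.
    flat = " ".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    match = re.search(r"\bSOA\s+\S+\s+\S+\s+\(?\s*(\d+)", flat, re.IGNORECASE)
    if match is None:
        raise ValueError("no SOA record found")
    return int(match.group(1))


def serial_increased(old, new):
    """RFC 1982 comparison: True when new is ahead of old, including wrap-around."""
    return 0 < (new - old) % SERIAL_SPACE < 2 ** 31


def ready_to_sign(previous_text, edited_text):
    """True if the edited unsigned zone carries a newer serial than the previous copy."""
    return serial_increased(soa_serial(previous_text), soa_serial(edited_text))


if __name__ == "__main__":
    for label, text in (("edited", EDITED_ZONE), ("forgotten bump", FORGOTTEN_BUMP)):
        ok = ready_to_sign(PREVIOUS_ZONE, text)
        verdict = "ok to run ods-signer sign" if ok else "serial not increased"
        print(f"{label}: serial {soa_serial(text)} -> {verdict}")
```

Run it before ods-signer sign; a false result means secondaries comparing serials would treat the re-signed zone as unchanged.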