Managing DNSSEC signed zone files

The following zone files are currently being managed with the dns.git repository hosted on puppetmaster01-back at /git/dns.git.


Updating DNS Zone files

Updates to the following zone files must be processed as follows:

  1. Login to Make sure to read these instructions first.
  2. git clone /srv/dns
  3. Make your modifications under dns/master/ (no need to bump the serial number of the zone; do-domains does that automatically).
  4. Fix your path: export PATH="$PATH:/usr/sbin"
  5. Run the do-domains script at the top level of the dns git module.
  6. Commit to git by following the on-screen instructions.
  7. ansible-playbook -i inventory/ral3_rhel8 --limit nsd playbooks/ral3_rhel8.yml

Adding new ZONE files

  1. Login to
  2. cd /srv/dnssec-keys
  3. Copy the zone file you want to create a key for into the current working directory.
  4. Run /usr/sbin/dnssec-keygen -a RSASHA1 -b 1024 -n ZONE $zone_file_name ; /usr/sbin/dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK $zone_file_name
  5. Edit the zone you just created and add the contents of the .key files to the bottom of the zone (e.g. cat K$zone_file_name*.key >> $zone_file_name).
  6. Add the new zone file to the signed_zones list in the do-domains script.
  7. Commit everything to the DNS tree and push your changes.
  8. Append the domain to and
  9. Push your changes to Ansible.
  10. ansible-playbook -i inventory/ral3_rhel8 --limit nsd playbooks/ral3_rhel8.yml
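Step 5 appends the DNSKEY records from the K*.key files to the zone, and the key tag of the KSK (together with its DS record) is what the parent zone needs to publish before validators treat the zone as signed. The following is an added example, not part of this SOP or of the do-domains script: it parses a DNSKEY line in the format dnssec-keygen writes, tells the KSK (flags 257) from the ZSK (flags 256), computes the key tag per RFC 4034 Appendix B and derives the SHA-256 DS record. The owner name example.org, the placeholder key bytes and the function names are assumptions; the sample uses algorithm 8 (RSASHA256) because RFC 8624 lists RSASHA1 (algorithm 5, as in step 4) as NOT RECOMMENDED for signing.

```python
# Added example, not part of the original SOP: inspect the K<zone>*.key files
# that step 5 appends to the zone. Parses a DNSKEY line, tells KSK from ZSK,
# computes the key tag (RFC 4034 Appendix B) and derives the DS record
# (RFC 4034 section 5.1.4) that the parent zone publishes for the KSK.
import base64
import hashlib
import struct

# Constructed sample in the format dnssec-keygen writes to K*.key files.
# example.org and the short placeholder key material are made up; a real
# RSA key blob is several hundred bytes of base64.
SAMPLE_KEY_LINE = "example.org. IN DNSKEY 257 3 8 AQIDBAUGBwg="


def parse_dnskey(line):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) for one DNSKEY RR."""
    fields = line.split()
    # BIND tools may print a TTL between owner and class; drop it if present.
    if fields[1].isdigit():
        del fields[1]
    owner, cls, rtype, flags, proto, alg = fields[:6]
    if cls != "IN" or rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % line)
    # Long keys are often wrapped; the base64 may span several tokens.
    pubkey = base64.b64decode("".join(fields[6:]))
    return owner, int(flags), int(proto), int(alg), pubkey


def key_role(flags):
    """Flag bit 7 (value 256) marks a zone key; bit 15 (value 1) marks the SEP / KSK."""
    if not flags & 256:
        return "not a zone key"
    return "KSK" if flags & 1 else "ZSK"


def dnskey_rdata(flags, proto, alg, pubkey):
    return struct.pack(">HBB", flags, proto, alg) + pubkey


def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, proto, alg, pubkey)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(owner):
    """Canonical (lower-case) wire form of an owner name, used as DS digest input."""
    out = b""
    for label in owner.rstrip(".").split("."):
        out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def ds_record(owner, flags, proto, alg, pubkey, digest_type=2):
    """DS RR for this key; digest type 2 is SHA-256, type 1 is SHA-1."""
    digest_fn = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = digest_fn(wire_name(owner) + dnskey_rdata(flags, proto, alg, pubkey)).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(flags, proto, alg, pubkey), alg, digest_type, digest)


def describe_key_line(line):
    """Summarise one DNSKEY line; the DS is only meaningful for the KSK."""
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    role = key_role(flags)
    return {"owner": owner, "role": role, "algorithm": alg,
            "key_tag": key_tag(flags, proto, alg, pubkey),
            "ds": ds_record(owner, flags, proto, alg, pubkey) if role == "KSK" else None}


if __name__ == "__main__":
    # With a real file (placeholder name), skip the ';' comment lines first:
    #   lines = [l for l in open("Kexample.org.+008+12345.key") if not l.startswith(";")]
    print(describe_key_line(SAMPLE_KEY_LINE))
```

Run it over each K*.key file before appending them in step 5: the role field confirms which file is the KSK, and the key tag it prints is the one that should show up in the DNSKEY/RRSIG output of the verification steps below.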

Verify if the domain has DNSSEC enabled

  1. dig . DNSKEY | grep -Ev '^($|;)' > root.keys
  2. dig +sigchase +trusted-key=./root.keys A | cat -n

Adding and verifying SSHFP entries

  1. Run the following command on the target machine: ssh-keygen -r $(hostname --fqdn) -f /etc/ssh/
  2. Copy the output under the SSHFP area of the target DNS zone file.
  3. Follow the steps outlined in the Updating DNS Zone files section above to process the update.
  4. Verify the SSHFP entry with either dig SSHFP $ or with ssh -oVerifyHostKeyDNS=yes -v $
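An SSHFP record (RFC 4255, with the ECDSA, SHA-256 and Ed25519 additions of RFC 6594 and RFC 7479) is a hash of the host's public-key blob, so the same key must produce the same fingerprint on the host (step 1) and in DNS (step 4). The following added example, not code from this SOP or from OpenSSH, rebuilds the SSHFP rdata from an OpenSSH public-key line the way ssh-keygen -r does, and checks a key against a published record the way ssh -oVerifyHostKeyDNS=yes does, including a record that carries a TTL as dig prints it. The hostname ns1.example.org, the made-up Ed25519 key bytes and the function names are assumptions.

```python
# Added example, not part of the original SOP: build SSHFP rdata from an OpenSSH
# public key (what `ssh-keygen -r` prints) and check a key against a published
# SSHFP record (what `ssh -oVerifyHostKeyDNS=yes` does). RFC 4255 defines the
# record; RFC 6594 and RFC 7479 add ECDSA/SHA-256 and Ed25519.
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers by OpenSSH key type (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(b):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed sample host key: an Ed25519 public-key blob in OpenSSH wire
# format with made-up key bytes, as it would appear in ssh_host_ed25519_key.pub.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 %s root@ns1.example.org" % base64.b64encode(_SAMPLE_BLOB).decode()


def sshfp_records(hostname, pubkey_line, fp_types=(1, 2)):
    """Return SSHFP RR lines for a public key, like `ssh-keygen -r hostname`."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)   # the fingerprint covers the raw key blob
    alg = SSHFP_ALGORITHMS[keytype]
    return ["%s IN SSHFP %d %d %s" % (hostname, alg, t, FP_TYPES[t](blob).hexdigest().upper())
            for t in fp_types]


def parse_sshfp(record):
    """Parse an SSHFP line as printed by dig or ssh-keygen -r (TTL optional)."""
    fields = record.split()
    i = fields.index("SSHFP")
    alg, fp_type = int(fields[i + 1]), int(fields[i + 2])
    # dig may split a long fingerprint into several tokens; join them.
    fingerprint = "".join(fields[i + 3:]).upper()
    return fields[0], alg, fp_type, fingerprint


def key_matches_sshfp(pubkey_line, record):
    """True when the key's fingerprint equals the one in the SSHFP record."""
    keytype, b64 = pubkey_line.split()[:2]
    _, alg, fp_type, published = parse_sshfp(record)
    if SSHFP_ALGORITHMS.get(keytype) != alg or fp_type not in FP_TYPES:
        return False   # wrong algorithm number or unknown digest type: no match
    computed = FP_TYPES[fp_type](base64.b64decode(b64)).hexdigest().upper()
    return hmac.compare_digest(computed, published)


if __name__ == "__main__":
    for rr in sshfp_records("ns1.example.org.", SAMPLE_PUBKEY_LINE):
        print(rr, "matches" if key_matches_sshfp(SAMPLE_PUBKEY_LINE, rr) else "MISMATCH")
```

Feed it the host's /etc/ssh/ssh_host_*.pub line and the line returned by dig SSHFP to confirm the zone carries the fingerprint of the key actually installed; a mismatch after a host reinstall is the usual reason ssh with VerifyHostKeyDNS still prompts.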

Infrastructure/SOP/DNSSECZoneUpdates (last edited 2022-02-22 13:40:00 by AndreaVeri)