Revision [2536]
This is an old revision of dnssecroot made by JulianDemarchi on 2011-07-28 12:33:52.
Purpose
Sign the OpenNIC root zoneTasks
- Modify the makeroot.sh script to output DNSSEC into the root zone
- Modify the makeroot.sh script to suck in DS records for OpenNIC TLDs
- Modify the makeroot.sh script to sign the root zone
- Create the ZSK and KSK OpenNIC keys
- Create a maintenance policy for key refreshing(key-rolling policy)
- Create a method to sync DS keys in a secure way
Root Zone Script Changes
The makeroot.sh script will need to be modified a little bit to support signing a root zone. Currently the script will output a DNSSEC zone but not output this into the actual zone created. This will first need to be enabled. Next the script will need to know how to inject DS records for signing. Then finally the script will need to sign the end zone. The first and last changes are straight forward as the script was built with forethought.
Injecting the DS records into the zone is also easy, but it is complicated by the fact we need to plan where they will live on ns0. Basically a TLD will send their dsset-* file to ns0 for verification and pending injection into the root zone.
