--------------------------------------------------------------
KSK RENEWAL
--------------------------------------------------------------

1- Connect to your hidden master.

2- Delete all the keys:

   # cd /var/named/keys
   # rm -f *
   # cd /var/named/zones
   # delete every file EXCEPT MonTLD

3- Generate two new keys, a ZSK and a KSK:

   # cd /var/named/keys
   # dnssec-keygen -r /dev/urandom -a RSASHA256 -b 2048 -n ZONE MonTLD
   # dnssec-keygen -r /dev/urandom -f KSK -a RSASHA256 -b 2048 -n ZONE MonTLD

4- Edit the file /etc/named.zones.conf:

   zone "MonTLD" {
       file "/var/named/zones/MonTLD";     // <--- !!! REMOVE ".signed", if present
       type master;
       allow-transfer { key SLAV; };       // <-- leave it if present
       key-directory "/var/named/keys";    // <--- Add this if not done
       auto-dnssec maintain;               // <--- Add this if not yet done
       inline-signing yes;                 // <--- Add this
       // update-policy local;             // <--- Remove if it's there
   };

5- Edit the zone file /var/named/zones/MonTLD and delete these lines:

   ....
   $include "/var/named/keys/KMonTLD.+008+51333.key" ; ZSK
   $include "/var/named/keys/KMonTLD.+008+52159.key" ; KSK
   $include "/var/named/keys/KMonTLD.+008+88888.key" ; New KSK

6- Reload your configuration and check that the signed zone and its journals are regenerated:

   # rndc reconfig
   # rndc reload
   # dig MonTLD dnskey +multi @0
   # cd /var/named/zones/
   # ls -l
   ...
   -rw-r--r--  1 root  wheel   497 Sep 13 14:56 MYTLD
   -rw-r--r--  1 root  wheel   497 Sep 12 09:49 MYTLD.backup
   -rw-r--r--  1 bind  wheel   512 Sep 13 15:04 MYTLD.jbk
   -rw-r--r--  1 bind  wheel  1331 Sep 13 15:04 MYTLD.signed
   -rw-r--r--  1 bind  wheel  3581 Sep 13 15:04 MYTLD.signed.jnl
   ...
7- Check the logs:

   # tail /var/log/named/general.log
   13-Sep-2012 15:04:27.444 reloading configuration succeeded
   13-Sep-2012 15:04:27.450 zone mytld/IN (unsigned): loaded serial 2012022301
   13-Sep-2012 15:04:27.451 any newly configured zones are now loaded
   13-Sep-2012 15:04:27.471 zone mytld/IN (signed): loaded serial 2012022301
   13-Sep-2012 15:04:27.493 zone mytld/IN (signed): receive_secure_serial: unchanged
   13-Sep-2012 15:04:27.501 zone mytld/IN (signed): reconfiguring zone keys
   13-Sep-2012 15:04:27.544 zone mytld/IN (signed): next key event: 13-Sep-2012 16:04:27.501
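The steps above replace the KSK but do not show how to confirm that the parent zone publishes a DS matching the new key, which is what keeps the chain of trust intact once the old KSK is gone. The script below is an added example, not part of these notes and not BIND's own tooling: it parses the `dig MonTLD dnskey +multi` output from step 6, recomputes the RFC 4034 key tag (the NNNNN in the KMonTLD.+008+NNNNN.key file names) and the DS digest, and compares them with DS records fetched from the parent. The dig output, the DS strings and the key material are constructed placeholders, not real 2048-bit RSA keys; only the Python standard library is used.

```python
"""Derive the DS record for the new KSK from `dig MonTLD dnskey +multi` output and
check it against what the parent publishes (RFC 4034 key tag and DS digest)."""
import base64
import hashlib
import struct
from dataclasses import dataclass

# Constructed sample of `dig MonTLD dnskey +multi @0` output: one ZSK (flags 256) and
# one KSK (flags 257). The base64 fields are placeholders, not real RSA key material.
SAMPLE_DIG_MULTI = """\
MonTLD.    3600  IN  DNSKEY  256 3 8 (
                BQYHCA==
                ) ; ZSK; alg = RSASHA256 ; key id = 4118
MonTLD.    3600  IN  DNSKEY  257 3 8 (
                AQIDBA==
                ) ; KSK; alg = RSASHA256 ; key id = 2063
"""


@dataclass
class DNSKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)  # SEP bit set, i.e. flags 257

    def key_tag(self) -> int:
        """RFC 4034 Appendix B: 16-bit big-endian word sum over the RDATA, carry folded in."""
        ac = 0
        for i, b in enumerate(self.rdata):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex

    def text(self) -> str:
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest.upper()}"


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Canonical owner name: lowercased, length-prefixed labels, root label terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dig_multi(text: str) -> list:
    """Parse DNSKEY RRs from dig output, tolerating +multi parentheses and ';' comments."""
    joined = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = joined.replace("(", " ").replace(")", " ").split()
    keys, i = [], 0
    while i < len(tokens):
        if tokens[i] == "DNSKEY" and tokens[i - 1] == "IN":
            owner = tokens[i - 3]  # layout: owner TTL IN DNSKEY flags proto alg key...
            flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
            j, b64 = i + 4, []
            while j < len(tokens) and "." not in tokens[j]:  # the next owner name has a dot
                b64.append(tokens[j])
                j += 1
            keys.append(DNSKey(owner, flags, proto, alg, base64.b64decode("".join(b64))))
            i = j
        else:
            i += 1
    return keys


def ds_from_dnskey(key: DNSKey, digest_type: int = 2) -> DS:
    """DS digest is taken over owner-name-in-wire-form || DNSKEY RDATA (RFC 4034 5.1.4)."""
    digest = DIGESTS[digest_type](wire_name(key.owner) + key.rdata).hexdigest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def parse_ds(text: str) -> DS:
    """Parse 'tag alg dtype hexdigest' as printed by `dig DS` (digest may be space-split)."""
    tag, alg, dtype, *digest = text.split()
    return DS(int(tag), int(alg), int(dtype), "".join(digest).lower())


def parent_has_ds(key: DNSKey, parent_ds_texts) -> bool:
    """True when at least one DS published by the parent matches this KSK."""
    ours = [ds_from_dnskey(key, t) for t in DIGESTS]
    return any(parse_ds(t) in ours for t in parent_ds_texts)


if __name__ == "__main__":
    for key in parse_dig_multi(SAMPLE_DIG_MULTI):
        if key.is_ksk():
            # This is the line to hand to the parent before the old KSK is removed.
            print("DS to publish at the parent:", ds_from_dnskey(key).text())
```

In use, feed `parent_has_ds` the RDATA of the DS records returned by `dig MonTLD DS` against the parent's servers; until it returns True for the new KSK, validating resolvers still depend on the old key, so keep the old KSK (and its signatures over the DNSKEY RRset) in place until the parent's DS change has propagated past its TTL.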