
I run the following command for DNSSEC on Debian 8, but I get an error:

# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o myzone.local -t myzone.local.zone
dnssec-signzone: warning: Kmyzone.local.+007+16956.key:5: no TTL specified; zone rejected
dnssec-signzone: fatal: failed loading zone from 'myzone.local.zone': no ttl
MLSC
  • Had this command worked successfully for you previously? Are the key includes at the tail end of the zone? – pete Mar 16 '16 at 12:52

1 Answer


I assume you also got stuck on the Digital Ocean tutorial.

So if you created your KSK and ZSK with dnssec-keygen, you should have used the -L flag to set the TTL in the files, like this:

# dnssec-keygen -L 3600 -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
# dnssec-keygen -L 3600 -f KSK -a NSEC3RSASHA1 -b 2048 -n ZONE example.com

This argument might not have been required (defaulted to 3600?) when the tutorial was written.

If you've already generated the files, I think you can just edit them (both named Kexample.com.*.key). Just add "3600" before "IN" on the line with the record. So from:

Khexample.com.+008+27593.key:example.com. IN DNSKEY 256 3 8 <key>

to:

Khexample.com.+008+27593.key:example.com. 3600 IN DNSKEY 256 3 8 <key>

I'm not sure if 3600 is a good value or not, but that's what the tutorial author recommended. My other source was man dnssec-keygen.

ki9
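The manual edit the answer describes (inserting a TTL before "IN" in each K*.key file) is easy to get wrong across several key files, so here is an added helper that does it with awk and also lets you check a key file before running dnssec-signzone. This is example code written for this page, not part of BIND or the Digital Ocean tutorial; the function names, the sample key file contents and the key id are constructed for illustration. It assumes the key files have the layout dnssec-keygen writes: ";"-prefixed comment lines followed by one "owner [TTL] IN DNSKEY ..." record.

```shell
#!/bin/sh
# Hypothetical helpers (not BIND tools) for the "no TTL specified; zone rejected" error.
# add_dnskey_ttl: print a key file with a TTL inserted into any DNSKEY record that lacks one.
#   Usage: add_dnskey_ttl Kexample.com.+008+27593.key 3600 > Kexample.com.+008+27593.key.new
# dnskey_ttl_missing: exit 0 if some DNSKEY record in the file has no TTL, 1 otherwise.
#   Usage: for k in K*.key; do dnskey_ttl_missing "$k" && echo "$k needs a TTL"; done
#
# New keys should simply be generated with a TTL, e.g. dnssec-keygen -L 3600 ... as in the answer.

add_dnskey_ttl() {
    keyfile="$1"
    ttl="${2:-3600}"   # 3600 is the value the answer uses; pick your own zone policy
    awk -v ttl="$ttl" '
        /^[[:space:]]*;/ { print; next }          # comment lines written by dnssec-keygen: keep as-is
        $2 == "IN" && $3 == "DNSKEY" {            # "owner IN DNSKEY ..." means the TTL field is missing
            $2 = ttl " IN"; print; next           # rebuild as "owner TTL IN DNSKEY ..."
        }
        { print }                                 # "owner TTL IN DNSKEY ..." or anything else: unchanged
    ' "$keyfile"
}

dnskey_ttl_missing() {
    awk '$2 == "IN" && $3 == "DNSKEY" { missing = 1 } END { exit missing ? 0 : 1 }' "$1"
}

# Stand-alone demo on a constructed key file (key material is a placeholder, not a real key).
demo_dnskey_ttl() {
    tmp=$(mktemp)
    printf '%s\n' \
        '; This is a zone-signing key, keyid 27593, for example.com.' \
        'example.com. IN DNSKEY 256 3 8 AwEAAPLACEHOLDER' > "$tmp"
    if dnskey_ttl_missing "$tmp"; then
        echo "before: TTL missing"
    fi
    add_dnskey_ttl "$tmp" 3600
    rm -f "$tmp"
}

demo_dnskey_ttl
```

Run the checker over every K*.key file that your zone file $INCLUDEs before signing; once the files pass, re-run dnssec-signzone and the "no ttl" fatal should be gone. The awk rewrite is idempotent, so running it on a file that already carries a TTL leaves it untouched.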