bash
3 lines · 1 tab
Kai Nakamura
Apr 2026
1 tab
#!/usr/bin/env bash
dnssec-keygen -a ECDSAP256SHA256 -b 2048 -n ZONE example.com
dnssec-signzone -A -3 $(head -c 32 /dev/urandom | sha256sum | cut -d' ' -f1) -N increment -o example.com db.example.com
1 file · bash
Explain with highlit
DNSSEC is not universal, but where it is available it closes an integrity gap that attackers still exploit. I keep the zone-signing workflow documented, monitor expiry on keys, and make sure operational ownership is clear. Security controls that nobody owns decay quickly.
Share this code
Here's the card — post it anywhere.