Tag Archives: bind

Enabling DNSSEC on Bind

1. Enable DNSSEC

Update named.conf options section:

options {
 dnssec-enable yes;
 dnssec-validation yes;
};

Also don’t forget add managed-keys section or include bind.keys sullied with bind.
At least ROOT KEY must included to work dnssec validation:

managed-keys {
 # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
 # for current trust anchor information.
 # NOTE: This key is activated by setting "dnssec-validation auto;"
 # in named.conf.
 . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
  FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
  bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
  X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
  W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
  Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
  QxA+Uk1ihz0=";
};

2. Generate Keys

ZSK (Zone Signing Key) is responsible for signing records within a zone. This one will need to be changed frequently (typical recommendation is every month):

$ dnssec-keygen -a RSASHA1 -b 1024 -n ZONE zonename

KSK (Key Signing Key) which can be stronger since you will need to change it less (typically every year):

$ dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK zonename

3. Add keys to zonefile

; Zone Signing Key
$INCLUDE Kzonename.+001+11111.key
; Key Signing Key
$INCLUDE Kzonename.+001+22222.key

4. Sign the Zone

$ dnssec-signzone zonefile
Output is zonefile.signed

5. Validate the zonefile

$ donuts zonefile.signed zonename

6. Publish the signed zone

Update named.conf with signed zonename file:

zone "zonename" {
 file "/etc/bind/zonename/zonefile.signed";
};

7. Testing

$ dig zonename SOA +dnssec +multiline