1. Enable DNSSEC
Update named.conf options section:
options { dnssec-enable yes; dnssec-validation yes; };
Also don’t forget add managed-keys section or include bind.keys sullied with bind.
At least ROOT KEY must included to work dnssec validation:
managed-keys { # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml # for current trust anchor information. # NOTE: This key is activated by setting "dnssec-validation auto;" # in named.conf. . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0="; };
2. Generate Keys
ZSK (Zone Signing Key) is responsible for signing records within a zone. This one will need to be changed frequently (typical recommendation is every month):
$ dnssec-keygen -a RSASHA1 -b 1024 -n ZONE zonename |
KSK (Key Signing Key) which can be stronger since you will need to change it less (typically every year):
$ dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK zonename |
3. Add keys to zonefile
; Zone Signing Key $INCLUDE Kzonename.+001+11111.key ; Key Signing Key $INCLUDE Kzonename.+001+22222.key
4. Sign the Zone
$ dnssec-signzone zonefile Output is zonefile.signed |
5. Validate the zonefile
$ donuts zonefile.signed zonename |
6. Publish the signed zone
Update named.conf with signed zonename file:
zone "zonename" { file "/etc/bind/zonename/zonefile.signed"; };
7. Testing
$ dig zonename SOA +dnssec +multiline |