How to easily enable automatic DNSSEC in BIND9

I find most DNSSEC howtos unnecessarily complicated and inefficient. Here I am going to describe how to enable DNSSEC in BIND9 using its native automatic signing, which doesn't require any extra scripting.

This manual requires the zone to be dynamic – it will not work with a static zone.

Step 1 – create the zone keys

Create a new directory in the named / bind config folder, for example /etc/bind/dnssec, and change its owner to the user who is running the bind daemon.

Enter the folder and execute these two commands to create the zone signing key (ZSK) and key signing key (KSK) pairs:

    dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE
    dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE

Step 2 – configure zone

Now edit the zone configuration file and add two lines, key-directory and auto-dnssec; an example of a whole zone config follows:

    zone "" {
        type master;
        notify yes;
        file "/etc/bind/";
        key-directory "/etc/bind/dnssec";
        auto-dnssec maintain;
    };

Now run named-checkconf && rndc reload. It’s almost done.

Step 3 – enable signing

Finally tell BIND to load the keys and sign your zone:

    rndc loadkeys
    rndc sign

Unless anything went wrong (the bind logs are your friend), you have just enabled automatic zone signing. You can check your zone – it should contain signed records now. All new records will be automatically signed too.
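To do that check, here is an added Python example (not from this post) that parses `dig +dnssec` style answer lines and reports RRsets with no RRSIG, signatures close to expiry (which auto-dnssec maintain should have re-signed), and the KSK/ZSK split; the zone example.net, its records, keys, signatures and the clock value are all constructed.

```python
"""Post-signing check: parse `dig +dnssec` style answer lines from an auto-dnssec
zone and report unsigned RRsets, RRSIGs close to expiry and the KSK/ZSK split."""
from datetime import datetime, timedelta, timezone

RRSIG_TIME = "%Y%m%d%H%M%S"      # RRSIG expiration/inception timestamp format
NOT_RECOMMENDED_ALGS = {5, 7}    # RSASHA1 / NSEC3RSASHA1, not recommended for signing (RFC 8624)

# Constructed sample for a hypothetical zone example.net; keys and signatures are placeholders.
SAMPLE = """\
example.net. 3600 IN DNSKEY 256 3 7 ZSKPUBKEYPLACEHOLDER
example.net. 3600 IN DNSKEY 257 3 7 KSKPUBKEYPLACEHOLDER
example.net. 3600 IN RRSIG DNSKEY 7 2 3600 20240701000000 20240601000000 11111 example.net. SIGPLACEHOLDER==
www.example.net. 3600 IN A 192.0.2.10
www.example.net. 3600 IN RRSIG A 7 3 3600 20240605000000 20240506000000 22222 example.net. SIGPLACEHOLDER==
mail.example.net. 3600 IN A 192.0.2.25
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the report is reproducible


def parse_rrs(text):
    """Presentation-format lines -> (owner, ttl, rtype, rdata fields); dig comments are skipped."""
    rrs = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) >= 5 and fields[2] == "IN":
            rrs.append((fields[0], int(fields[1]), fields[3], fields[4:]))
    return rrs


def check_signed_zone(text, now, warn_days=7):
    """Return a report dict for the records in `text` as seen at time `now`."""
    rrs = parse_rrs(text)
    rrsets = {(o, t) for o, _, t, _ in rrs if t != "RRSIG"}
    covered = {(o, rd[0]) for o, _, t, rd in rrs if t == "RRSIG"}  # rd[0] = type covered
    report = {"unsigned": sorted(rrsets - covered), "expiring": [],
              "ksk": 0, "zsk": 0, "weak_alg": set()}
    for owner, _, rtype, rd in rrs:
        if rtype == "DNSKEY":
            report["ksk" if int(rd[0]) & 1 else "zsk"] += 1  # SEP bit set (257) -> KSK, 256 -> ZSK
            alg = int(rd[2])
        elif rtype == "RRSIG":
            alg = int(rd[1])
            exp = datetime.strptime(rd[4], RRSIG_TIME).replace(tzinfo=timezone.utc)
            if exp - now < timedelta(days=warn_days):  # BIND should already have re-signed this
                report["expiring"].append((owner, rd[0], exp.isoformat()))
        else:
            continue
        if alg in NOT_RECOMMENDED_ALGS:
            report["weak_alg"].add(alg)
    return report
```

Pipe the ANSWER section of a real dig +dnssec query into check_signed_zone with datetime.now(timezone.utc) to run it against your own zone.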