I find most DNSSEC howtos unnecessarily complicated and inefficient. Here I am going to describe how to enable DNSSEC in BIND9 using its native automatic signing, which doesn’t require any extra scripting.
This manual requires the zone to be dynamic – it will not work with a static zone.
Step 1 – create the zone keys
Create a new directory in the named/BIND config folder, for example /etc/bind/dnssec, and change its owner to the user who runs the bind daemon.
Enter the folder and execute these 2 commands to create the zone-signing and key-signing keypairs:
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.org
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.org
Step 2 – configure zone
Now edit the zone configuration file and add 2 lines with key-directory and auto-dnssec. An example of a whole zone config follows (it uses my bena.rocks zone, so substitute your own zone name and zone file):
zone "bena.rocks" {
    type master;
    notify yes;
    file "/etc/bind/db.bena.rocks.conf";
    key-directory "/etc/bind/dnssec";
    auto-dnssec maintain;
};
Now run named-checkconf && rndc reload. It’s almost done.
Step 3 – enable signing
Finally tell BIND to load the keys and sign your zone:
rndc loadkeys example.org
rndc sign example.org
Unless something went wrong (the bind logs are your friend), you have just enabled automatic zone signing. Check your zone – it should contain signed records now, and all new records will be signed automatically too.
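To check that the zone really comes back signed, here is an added Python script (not part of the original post) that queries the server with dig and confirms every RRset in the answer has an RRSIG whose inception/expiration window covers the current time. The zone name, the 127.0.0.1 server default and the sample dig output are assumptions constructed for this example.

```python
"""Post-signing check for the procedure above: parse `dig +dnssec` output and
confirm each RRset has an RRSIG whose validity window covers the current time."""
import subprocess, sys
from datetime import datetime, timezone
# Constructed sample of `dig +noall +answer +dnssec` output: a signed SOA plus
# an A record that has no RRSIG, so the check has something to report.
SAMPLE_ANSWER = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2024010101 7200 3600 1209600 3600
example.org. 3600 IN RRSIG SOA 7 2 3600 20240201000000 20240102000000 12345 example.org. c2lnbmF0dXJl
example.org. 3600 IN A 192.0.2.1
"""

def rrsig_time(s):  # RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034 presentation format)
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_answer(text):
    """Return (rrsets, rrsigs), both dicts keyed by (owner, type covered)."""
    rrsets, rrsigs = {}, {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue  # blank line or dig comment
        owner, rtype, rdata = f[0], f[3], f[4:]
        if rtype == "RRSIG":
            # rdata: covered alg labels origttl expiration inception keytag signer sig
            sig = {"alg": int(rdata[1]), "expiration": rrsig_time(rdata[4]),
                   "inception": rrsig_time(rdata[5]), "keytag": int(rdata[6])}
            rrsigs.setdefault((owner, rdata[0]), []).append(sig)
        else:
            rrsets.setdefault((owner, rtype), []).append(" ".join(rdata))
    return rrsets, rrsigs

def check_signed(text, now=None):
    """List problems: unsigned RRsets and RRsets with no RRSIG valid at `now`."""
    now = now or datetime.now(timezone.utc)
    rrsets, rrsigs = parse_answer(text)
    problems = []
    for owner, rtype in rrsets:
        sigs = rrsigs.get((owner, rtype), [])
        if not sigs:
            problems.append(f"{owner} {rtype}: no RRSIG")
        elif not any(s["inception"] <= now <= s["expiration"] for s in sigs):
            problems.append(f"{owner} {rtype}: no RRSIG valid at {now:%Y-%m-%d}")
    return problems

if __name__ == "__main__":  # usage: python3 check_signed.py example.org [server]
    zone, server = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1")
    cmd = ["dig", "+noall", "+answer", "+dnssec", "@" + server, zone, "SOA"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    print("\n".join(check_signed(out)) or f"{zone} SOA is signed and its RRSIG is valid")
```

Querying the authoritative server directly (rather than a resolver) shows exactly what BIND serves; +dnssec sets the DO bit so the RRSIGs are included in the answer.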