Setting up DNSSEC in bind9

Install the bind9 packages.

Make sure validation is enabled in named.conf.options:
dnssec-validation auto;
# dnssec-lookaside auto;  (DLV lookaside validation; ISC retired the DLV registry and the option is deprecated and removed in newer BIND releases, so leave it out there)

Generate the keys (pick an appropriate algorithm; today (22 Mar 2021),
ECDSAP384SHA384 seems to be the “ideal”). Both commands take the zone name as
their last argument (example.com below is a placeholder); the first makes the
ZSK, the second (-f KSK) the KSK. ECDSA keys have a fixed size, so -b is not
needed:

dnssec-keygen -a ECDSAP384SHA384 -n ZONE example.com
dnssec-keygen -f KSK -a ECDSAP384SHA384 -n ZONE example.com

Put the keys in the same location as your zone files (the “directory” defined in named.conf).

Add the keys to your zone file with $INCLUDE lines for the two generated .key files (don’t forget to increase the serial in the zone).

Sign the zone. The $( ) command after -3 generates a random 16-character hex salt. I used urandom, but if you have enough entropy (or use haveged), /dev/random is more random. Run it from the directory holding the zone file and keys (or point -K at the key directory); -o takes the zone origin and the last argument is the unsigned zone file (both placeholders below). The command is all on one line.

dnssec-signzone -3 $(head -c 1000 /dev/urandom | sha512sum | cut -b 1-16) -A -N INCREMENT -o example.com -t example.com.zone

Once you have the signed zone (dnssec-signzone writes it as <zonefile>.signed), change your named.conf zone definition to load the signed one (names below are placeholders):

zone "example.com" IN {
    file "example.com.zone.signed";
    type master;
    allow-transfer { /* your secondary servers */ };
};
Reload/restart named.

dnssec-signzone also creates a file called “dsset-” followed by your domain (e.g. dsset-example.com.).
It contains the DS record in this format (all one line): IN DS 34186 14 2 E0A1572A73EF96A8C507747B982A56EAC2A45C8C551F0F83C4EBF90A 94ACB9A6

Go to your registrar’s DNSSEC settings and put in the values (using this as an example):

Key Tag: 34186
Algorithm: 14
Digest type: 2
Digest: E0A1572A73EF96A8C507747B982A56EAC2A45C8C551F0F83C4EBF90A94ACB9A6 # Remove the space that splits the digest in the file

How and where this information is entered is entirely dependent on your registrar. I use GoDaddy, and it’s very easy.

Log in, “Manage Domain”, choose the domain you want to update, scroll down to Additional Settings, “Manage DNS”, under Advanced Features click DNSSEC, add the information.

Validate your DNS:
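The Key Tag, Algorithm, Digest type and Digest you type in at the registrar have to be the ones derived from the zone's KSK, and a typo in any of them makes the delegation bogus. As an added check that is not part of the original post, the Python below computes the key tag (RFC 4034 Appendix B) and the DS digest (digest type 2 = SHA-256, as in the post's record) from a DNSKEY and compares them with a dsset line, joining the split digest the way the "remove the space" step does. The DS line reuses the post's values with example.com as a placeholder owner (the post left it blank); the DNSKEY public key is a constructed dummy, not a real key, and all function names are this example's own.

```python
"""Added example (not from the original post): check the DS record you give the
registrar against the zone's KSK.

Implements the key tag of RFC 4034 Appendix B and the DS digest of RFC 4034
section 5.1.4 (type 2 = SHA-256 per RFC 4509, type 4 = SHA-384 per RFC 6605)
and parses a dsset-<zone>. line into the four registrar fields.
"""
import base64
import hashlib
import re

# DS line from the post; the owner name was blank there, example.com is a placeholder.
POST_DS_LINE = ("example.com. IN DS 34186 14 2 "
                "E0A1572A73EF96A8C507747B982A56EAC2A45C8C551F0F83C4EBF90A 94ACB9A6")

# Constructed dummy KSK: flags 257, protocol 3, algorithm 14 (ECDSAP384SHA384),
# public key = 96 bytes of 0x01 ("AQEB" in base64, repeated). Not a real key.
DUMMY_KSK_B64 = "AQEB" * 32

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(owner: str) -> bytes:
    """Owner name in DNS wire format, lower-cased (RFC 4034 section 6.2 canonical form)."""
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit word sum of the RDATA with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire format || DNSKEY RDATA), upper-case hex."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()


def make_ds_line(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2) -> str:
    """Render a DS record the way dnssec-signzone prints it: digest broken into 56-char chunks."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = ds_digest(owner, rdata, digest_type)
    chunks = " ".join(digest[i:i + 56] for i in range(0, len(digest), 56))
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {chunks}"


def parse_dsset_line(line: str) -> dict:
    """Split a DS line into registrar fields; join the digest pieces (the 'remove the space' step)."""
    m = re.match(r"^(\S+)\s+(?:\d+\s+)?IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f ]+)$",
                 line.strip())
    if not m:
        raise ValueError("not a DS record: " + line)
    digest = m.group(5).replace(" ", "").upper()
    expected_len = {1: 40, 2: 64, 4: 96}.get(int(m.group(4)))
    if expected_len is not None and len(digest) != expected_len:
        raise ValueError(f"digest length {len(digest)} does not fit digest type {m.group(4)}")
    return {"owner": m.group(1), "key_tag": int(m.group(2)), "algorithm": int(m.group(3)),
            "digest_type": int(m.group(4)), "digest": digest}


def ds_matches_dnskey(ds_line, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True if the DS line was derived from this DNSKEY (tag, algorithm and digest all agree)."""
    ds = parse_dsset_line(ds_line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == algorithm
            and ds["digest"] == ds_digest(ds["owner"], rdata, ds["digest_type"]))


if __name__ == "__main__":
    print("Registrar fields from the post's DS line:", parse_dsset_line(POST_DS_LINE))
    own = make_ds_line("example.com.", 257, 3, 14, DUMMY_KSK_B64)
    print("DS for the dummy KSK:", own)
    print("post DS matches dummy KSK?", ds_matches_dnskey(POST_DS_LINE, 257, 3, 14, DUMMY_KSK_B64))
    print("own DS matches dummy KSK?", ds_matches_dnskey(own, 257, 3, 14, DUMMY_KSK_B64))
```

To use it on a real zone, copy the flags, protocol, algorithm and base64 key from the KSK's .key file (the DNSKEY line with flags 257) into ds_matches_dnskey together with the line from the dsset- file; a False result means the DS published at the registrar does not describe the key in the zone, which is exactly the condition that makes validators return SERVFAIL for the domain.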
