Setting up DNSSEC in bind9

Install the bind9 packages.

Make sure it’s enabled in named.conf.options:
dnssec-validation auto;
dnssec-lookaside auto; # Need to look up what this one is

Generate the keys (pick an appropriate algorithm; today (22 Mar 2021), ECDSAP384SHA384 seems to be the “ideal”). The first command creates the zone-signing key (ZSK), the second (-f KSK) the key-signing key (KSK). No -b is needed for the ECDSA algorithms, since the curve fixes the key size:

dnssec-keygen -a ECDSAP384SHA384 -n ZONE technomancer.com
dnssec-keygen -f KSK -a ECDSAP384SHA384 -n ZONE technomancer.com

Put the keys in the same location as your zone files (the “directory” defined in named.conf).

Add the keys to your zone file (don’t forget to increase the serial in the zone). dnssec-keygen names the files K<zone>.+<algorithm number>+<key tag>.key, so for ECDSAP384SHA384 (algorithm 14) the includes look like:

$INCLUDE Ktechnomancer.com.+014+34567.key
$INCLUDE Ktechnomancer.com.+014+76543.key

Sign the zone. The $( ) command substitution after -3 generates a random 16 hex character NSEC3 salt. I used urandom, but if you have enough entropy (or use haveged), /dev/random is more random. The command is all on one line. Note that the signatures are only valid for a limited period (30 days from signing by default), so this step has to be repeated before they expire, otherwise validating resolvers will start treating the zone as bogus.

If you are using dynamic hostnames (dynamic updates), you may end up with a .jnl journal file. Before you edit and sign the zone and restart, run rndc sync -clean to commit the journal into the master file. Also, before you edit, you can run rndc freeze to prevent dynamic updates while you are working on the files. rndc thaw will unfreeze the zone so dynamic updates happen again as normal.

dnssec-signzone -3 $(head -c 1000 /dev/urandom | sha512sum | cut -b 1-16) -A -N INCREMENT -o technomancer.com -t technomancer.com.zone

Once you have the signed zone, change your named.conf zone definition to load the signed one:

zone "technomancer.com" IN {
    file "technomancer.com.zone.signed";
    type master;
    allow-transfer {
        ...
    };
};

Reload/restart named.

dnssec-signzone also creates a file called “dsset-technomancer.com.” (or whatever your domain is) containing the DS record for the KSK. It will be in this format (all one line):

technomancer.com. IN DS 34186 14 2 E0A1572A73EF96A8C507747B982A56EAC2A45C8C551F0F83C4EBF90A 94ACB9A6

Go to your registrar’s DNSSEC settings and put in the values (using this as an example):

Key Tag: 34186
Algorithm: 14
Digest type: 2
Digest: E0A1572A73EF96A8C507747B982A56EAC2A45C8C551F0F83C4EBF90A94ACB9A6 # Remove the space

How and where this information is entered is entirely dependent on your registrar. I use GoDaddy, and it’s very easy.

Log in, “Manage Domain”, choose the domain you want to update, scroll down to Additional Settings, “Manage DNS”, under Advanced Features click DNSSEC, add the information.
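Two things worth checking locally before relying on the online validators, as an added example that is not part of the original post: that the key tag in the dsset file (the value you enter at the registrar) belongs to a KSK actually published in the signed zone, and how long the RRSIGs have left, since an expired signature makes the whole zone bogus for validating resolvers. The zone excerpt, the 4-byte dummy key and the dsset line are constructed placeholders, and the parser assumes one record per line.

```python
import base64
import re
import struct
from datetime import datetime, timezone

# Constructed excerpt of a signed zone, one record per line: hypothetical zone, a dummy
# 4-byte DNSKEY (not a real ECDSA key) and dummy signatures, not the author's real data.
SIGNED_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 14 AQIDBA==
example.test. 3600 IN RRSIG DNSKEY 14 2 3600 20210415000000 20210322110000 2069 example.test. c2ln
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 14 3 3600 20210421120000 20210322110000 12345 example.test. c2ln
"""
# Constructed dsset line in the shape dnssec-signzone writes (the digest is a dummy value).
DSSET_LINE = "example.test. IN DS 2069 14 2 " + "00" * 32
# owner TTL IN RRSIG type alg labels origTTL expiration inception keytag signer sig
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+\d{14}\s+(\d+)\s")

def parse_ts(ts):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_expirations(zone_text):
    """(covered type, expiration datetime, key tag) for every RRSIG in the zone."""
    matches = filter(None, map(RRSIG_RE.match, zone_text.splitlines()))
    return [(m.group(1), parse_ts(m.group(2)), int(m.group(3))) for m in matches]

def days_until_first_expiry(zone_text, now_ts):
    """Days until the earliest RRSIG expires; negative means validators already see a bogus zone."""
    earliest = min(exp for _, exp, _ in rrsig_expirations(zone_text))
    return (earliest - parse_ts(now_ts)).total_seconds() / 86400

def key_tag(flags, protocol, algorithm, key_b64):
    """Key tag of a DNSKEY (RFC 4034 Appendix B): the number in the key file name and in the DS."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ksk_tags(zone_text):
    """Key tags of the KSKs (flags 257) actually published in the zone."""
    rows = (line.split() for line in zone_text.splitlines())
    return [key_tag(257, int(p[5]), int(p[6]), "".join(p[7:]))
            for p in rows if len(p) >= 8 and p[3] == "DNSKEY" and p[4] == "257"]

def ds_matches_published_ksk(dsset_line, zone_text):
    """The DS handed to the registrar must reference a KSK the zone really serves."""
    parts = dsset_line.split()
    return parts[2] == "DS" and int(parts[3]) in ksk_tags(zone_text)
```

Run it against your own technomancer.com.zone.signed and dsset file by replacing the constructed strings; a negative day count or a DS that matches no published KSK means the zone will fail validation.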

Validate your DNS:
https://dnssec-analyzer.verisignlabs.com/
https://dnsviz.net/
