Enabling DNSSEC for a Domain in Bind9

From Notes_Wiki

Home > Security tips > Enabling DNSSEC for a Domain in Bind9

Installing and Configuring BIND9 with DNSSEC

1. Install BIND9 and DNS Utilities

At a terminal prompt, run the following command to install the bind9 package:

sudo apt install bind9

A useful package for testing and troubleshooting DNS issues is the dnsutils package. Very often these tools will be installed already, but to check and/or install dnsutils enter:

sudo apt install dnsutils

2. Set Up a Caching Nameserver

Uncomment and edit /etc/bind/named.conf.options to set the IP addresses of your ISP’s DNS servers:

Example configuration block:

forwarders {
    1.2.3.4;
    5.6.7.8;
};

3. Restart BIND9 Service

To enable the new configuration, restart the DNS server:

sudo systemctl restart bind9.service

4. Create Forward Zone File

To add a DNS zone to BIND9, first edit /etc/bind/named.conf.local:

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

5. Create the Zone File

Use an existing zone file as a template to create /etc/bind/zones/db.example.com (the file path in named.conf.local must point at the file you create here):

sudo mkdir /etc/bind/zones
sudo chown -R root:bind /etc/bind/zones/
sudo cp /etc/bind/db.local /etc/bind/zones/db.example.com

Edit /etc/bind/zones/db.example.com and make the following changes:

- Replace localhost. with the FQDN of your server (with a trailing dot).
- Replace 127.0.0.1 with the nameserver’s IP address.
- Replace root.localhost with a valid email address, using a dot instead of @ (with a trailing dot).
- Update the comment to indicate the correct domain.

Example zone configuration:

;
; BIND data file for example.com
;
$TTL    604800
@       IN      SOA     example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

@       IN      NS      ns.example.com.
@       IN      A       192.168.1.10
@       IN      AAAA    ::1
ns      IN      A       192.168.1.10

6. Restart BIND9 After Changes

sudo systemctl restart bind9.service

Enabling DNSSEC on Your Own DNS Server

Step 1: Generate DNSSEC Keys

- Zone Signing Key (ZSK): Signs all zone records.
- Key Signing Key (KSK): Signs the DNSKEY record set.

Example commands (run in your zone directory):

dnssec-keygen -a RSASHA256 -b 2048 -n ZONE yourdomain.com
dnssec-keygen -f KSK -a RSASHA256 -b 4096 -n ZONE yourdomain.com

Step 2: Add Public Keys to Your Zone File

Insert $INCLUDE statements for the `.key` files after the SOA and NS records in your zone file:

$INCLUDE Kyourdomain.com.+008+12345.key ; KSK
$INCLUDE Kyourdomain.com.+008+67890.key ; ZSK

Step 3: Sign the Zone

Use the dnssec-signzone command:

dnssec-signzone -o yourdomain.com -k Kyourdomain.com.+008+12345 yourdomain.com.zone Kyourdomain.com.+008+67890

This creates a signed zone file (e.g., yourdomain.com.zone.signed).

Step 4: Update DNS Server Configuration

Point your DNS server to the signed zone file:

zone "yourdomain.com" {
    type master;
    file "/etc/bind/yourdomain.com.zone.signed";
};

Reload or restart your DNS server after the update.

Verifying DNSSEC is Enabled

To check for DNSSEC signatures, run:

dig +dnssec yourdomain.com

Look for RRSIG records in the answer section.

Alternatively, you can use online tools such as:

- DNSViz
- Verisign DNSSEC Analyzer

to confirm DNSSEC is active.

How to Validate DNSSEC for a Domain

Looking at `dig +dnssec` output alone does not tell you whether DNSSEC validation succeeded. Validation is performed by the DNS resolver, which follows a chain of trust from the root down to the queried zone. Below are the steps to validate DNSSEC for a domain (example: gbb.co.in).

1. Basic Query with dig

Run:

dig +dnssec gbb.co.in

This shows the DNS records and their signatures (RRSIG). Check for the `ad` flag in the response:

;; flags: qr rd ra ad;

- ad = Authenticated Data → the resolver has already validated DNSSEC for this answer.
- If validation fails, the response will usually be `SERVFAIL`.

2. Query Against a Public Validating Resolver

Use a resolver that performs DNSSEC validation (e.g., Google 8.8.8.8 or Cloudflare 1.1.1.1):

dig +dnssec gbb.co.in @1.1.1.1
dig +dnssec gbb.co.in @8.8.8.8

If DNSSEC is broken, these resolvers will return `SERVFAIL`.

3. Bypass Validation with CD Flag

To see the raw data without validation:

dig +dnssec +cdflag gbb.co.in

This disables DNSSEC validation so you can compare results.

4. Use delv for Direct Validation

delv gbb.co.in

`delv` directly shows whether DNSSEC validation passed or failed.
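The checks in steps 1 to 3 combined into one verdict: an added example, not from the original wiki page, that parses constructed dig output (the normal query and the same query with +cdflag) instead of running dig, so the sample text below is made up rather than captured from a real resolver.

```python
import re

# Constructed dig output for the three situations the steps above describe (not real captures).
SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
gbb.co.in.   300  IN  A      203.0.113.10
gbb.co.in.   300  IN  RRSIG  A 8 3 300 20991231000000 20240101000000 12345 gbb.co.in. c29tZXNpZw==
"""
SIGNED_CD = SECURE.replace("ra ad;", "ra;")   # same data with +cdflag: signatures present, no ad flag
BOGUS = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
UNSIGNED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1004
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
unsigned.example.   300  IN  A      203.0.113.20
"""

def parse_dig(output):
    """Pull the status, the header flags and whether any RRSIG was returned out of dig's text output."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([^;]*);", output)
    return {
        "status": status.group(1) if status else "UNKNOWN",
        "flags": set(flags.group(1).split()) if flags else set(),
        "rrsig": bool(re.search(r"\sIN\s+RRSIG\s", output)),
    }

def classify(normal_output, cd_output):
    """Combine a normal query and a +cdflag query into a DNSSEC verdict, following the rules above."""
    n, c = parse_dig(normal_output), parse_dig(cd_output)
    if n["status"] == "NOERROR" and "ad" in n["flags"]:
        return "secure"          # resolver validated the chain of trust
    if n["status"] == "SERVFAIL" and c["status"] == "NOERROR":
        return "bogus"           # data exists, but its signatures do not validate
    if n["status"] == "NOERROR" and not c["rrsig"]:
        return "insecure"        # zone is unsigned: no RRSIG even with checking disabled
    if n["status"] == "NOERROR" and c["rrsig"]:
        return "not-validated"   # signed zone, but this resolver did not set ad: it is not validating
    return "unknown"

if __name__ == "__main__":
    for name, pair in {"secure": (SECURE, SIGNED_CD), "bogus": (BOGUS, SIGNED_CD),
                       "insecure": (UNSIGNED, UNSIGNED)}.items():
        print(name, "->", classify(*pair))
```

A "bogus" verdict is the case to act on when it is your own zone: the parent's DS no longer matches the published DNSKEY, or the signatures have expired.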

5. How Validation Works Internally

  1. Domain owner signs the DNS records → (RRSIG + DNSKEY).
  2. Parent zone publishes a DS record (hash of the child's DNSKEY).
  3. Resolver checks the DNSKEY against the DS record at the parent.
  4. This continues up the chain: gbb.co.in → co.in → in → root.
  5. The root trust anchor (root key) is pre-installed in all validating resolvers. This is similar to browsers trusting root CA certificates in HTTPS.
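Steps 2 and 3 above in code (the parent publishing a DS record, and a resolver checking a DNSKEY against it), as an added example that is not part of the original wiki page or of BIND. It uses a constructed 4-byte public key for gbb.co.in, so the digest is illustrative only; the key tag it computes is the number that appears in the K<zone>.+008+<tag>.key file names from the signing steps.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034 section 5.1.3, RFC 4509): 1 = SHA-1, 2 = SHA-256.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format RDATA of a DNSKEY record (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag (RFC 4034 appendix B): the <tag> in K<zone>.+008+<tag>.key, computed over the RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """The hash the parent publishes: digest(owner name in wire form || DNSKEY RDATA)."""
    return DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Build the DS record the parent zone would publish for this child DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")

def ds_matches_dnskey(owner, ds_record, flags, protocol, algorithm, pubkey_b64):
    """Resolver-side step 3: does the parent's DS vouch for this DNSKEY? (RRSIG checks come after.)"""
    fields = ds_record.replace("(", " ").replace(")", " ").split()
    i = fields.index("DS")
    tag, alg, dtype = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    digest = "".join(fields[i + 4:]).upper()   # presentation form may split the hex across tokens
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (tag == key_tag(rdata) and alg == algorithm and dtype in DS_DIGESTS
            and digest == ds_digest(owner, rdata, dtype))

if __name__ == "__main__":
    # Constructed KSK: flags 257, protocol 3, algorithm 8 (RSASHA256), toy public key bytes 01 02 03 04.
    ds = make_ds("gbb.co.in.", 257, 3, 8, "AQIDBA==")
    print(ds)
    print(ds_matches_dnskey("gbb.co.in.", ds, 257, 3, 8, "AQIDBA=="))
```

To check a real zone, paste the DNSKEY fields from `dig DNSKEY yourdomain.com` and the DS record from `dig DS yourdomain.com` into ds_matches_dnskey; a mismatch after a key rollover is the usual cause of the SERVFAIL described above.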

Summary

  1. `dig +dnssec` shows records + signatures, not validation status.
  2. The ad flag confirms validation success.
  3. `SERVFAIL` indicates DNSSEC validation failure.
  4. The trust is established through the DNSSEC chain of trust, starting from the root key.
