Enabling DNSSEC for a Domain in Bind9
Installing and Configuring BIND9 with DNSSEC
1. Install BIND9 and DNS Utilities
At a terminal prompt, run the following command to install the bind9 package:
sudo apt install bind9
A useful package for testing and troubleshooting DNS issues is the dnsutils package. Very often these tools will be installed already, but to check and/or install dnsutils enter:
sudo apt install dnsutils
2. Set Up a Caching Nameserver
Edit /etc/bind/named.conf.options and uncomment the forwarders block inside the options { ... } section, replacing the placeholder addresses with the IP addresses of your ISP's DNS servers:
Example configuration block:
forwarders { 1.2.3.4; 5.6.7.8; };
3. Restart BIND9 Service
To enable the new configuration, restart the DNS server:
sudo systemctl restart bind9.service
4. Create Forward Zone File
To add a DNS zone to BIND9, first edit /etc/bind/named.conf.local:
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};
5. Create the Zone File
Use an existing zone file as a template to create /etc/bind/zones/db.example.com (the path must match the file directive in named.conf.local):
sudo mkdir /etc/bind/zones
sudo chown -R root:bind /etc/bind/zones/
sudo cp /etc/bind/db.local /etc/bind/zones/db.example.com
Edit /etc/bind/zones/db.example.com and make the following changes:
- Replace localhost. with the FQDN of your server (with a trailing dot).
- Replace 127.0.0.1 with the nameserver's IP address.
- Replace root.localhost with a valid email address, using a dot instead of @ (with a trailing dot).
- Update the comment to indicate the correct domain.
Example zone configuration:
;
; BIND data file for example.com
;
$TTL 604800
@ IN SOA example.com. root.example.com. (
        2        ; Serial
        604800   ; Refresh
        86400    ; Retry
        2419200  ; Expire
        604800 ) ; Negative Cache TTL
@  IN NS   ns.example.com.
@  IN A    192.168.1.10
@  IN AAAA ::1
ns IN A    192.168.1.10
6. Restart BIND9 After Changes
sudo systemctl restart bind9.service
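Before restarting, it is worth confirming that the template values copied from db.local were actually replaced and that the zone still parses. The shell script below is an added example, not code from the original page: it greps the zone file for the three placeholders listed above, reads the SOA serial, runs named-checkzone when BIND's tools are installed, and only then restarts the service. The zone name, the file path and the two sample zone files it writes are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): check a zone file copied from db.local
# before restarting BIND. Zone name and file path are assumptions; sample zones are constructed.

ZONE="example.com"
ZONE_FILE="/etc/bind/zones/db.example.com"

# Succeed only if none of the db.local placeholders (localhost., 127.0.0.1, root.localhost) remain.
check_zone_template() {
    leftovers=$(grep -n -E 'localhost\.|127\.0\.0\.1|root\.localhost' "$1" || true)
    if [ -n "$leftovers" ]; then
        printf 'placeholder values still present in %s:\n%s\n' "$1" "$leftovers" >&2
        return 1
    fi
    return 0
}

# Print the SOA serial: the first numeric field after the SOA keyword, ignoring ';' comments.
# Bump it on every change, otherwise secondaries will not pick up the new data.
zone_serial() {
    awk '{ for (i = 1; i <= NF; i++) {
               if ($i == ";") break
               if (seen && $i ~ /^[0-9]+$/) { print $i; exit }
               if ($i == "SOA") seen = 1 } }' "$1"
}

# Run BIND's own zone parser when it is installed (named-checkzone ships with bind9).
check_zone_syntax() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed, skipping syntax check" >&2
    fi
}

# Restart only after both checks pass: safe_restart "$ZONE" "$ZONE_FILE"
safe_restart() {
    check_zone_template "$2" && check_zone_syntax "$1" "$2" && sudo systemctl restart bind9.service
}

# Write two constructed sample zones into a directory: an untouched copy of db.local and an edited one.
write_sample_zones() {
    cat > "$1/db.unedited" <<'EOF'
$TTL 604800
@ IN SOA localhost. root.localhost. (
 2 ; Serial
 604800 ; Refresh
 86400 ; Retry
 2419200 ; Expire
 604800 ) ; Negative Cache TTL
@ IN NS localhost.
@ IN A 127.0.0.1
EOF
    cat > "$1/db.edited" <<'EOF'
$TTL 604800
@ IN SOA ns.example.com. hostmaster.example.com. (
 3 ; Serial
 604800 ; Refresh
 86400 ; Retry
 2419200 ; Expire
 604800 ) ; Negative Cache TTL
@ IN NS ns.example.com.
@ IN A 192.0.2.10
ns IN A 192.0.2.10
EOF
}

# Demo on the constructed samples; on a real server call safe_restart instead.
demo_dir=$(mktemp -d)
write_sample_zones "$demo_dir"
for f in "$demo_dir/db.unedited" "$demo_dir/db.edited"; do
    if check_zone_template "$f"; then
        echo "$(basename "$f"): ready, serial $(zone_serial "$f")"
    else
        echo "$(basename "$f"): not ready"
    fi
done
rm -rf "$demo_dir"
```

The untouched copy fails the placeholder check and the edited one passes; on a live server, run safe_restart with the real zone name and path so the restart never happens on a zone that still points at localhost.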
Enabling DNSSEC on Your Own DNS Server
Step 1: Generate DNSSEC Keys
- Zone Signing Key (ZSK): Signs all zone records.
- Key Signing Key (KSK): Signs the DNSKEY record set.
Example commands (run in your zone directory):
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE yourdomain.com
dnssec-keygen -f KSK -a RSASHA256 -b 4096 -n ZONE yourdomain.com
Step 2: Add Public Keys to Your Zone File
Insert $INCLUDE statements for the `.key` files after the SOA and NS records in your zone file:
$INCLUDE Kyourdomain.com.+008+12345.key ; KSK
$INCLUDE Kyourdomain.com.+008+67890.key ; ZSK
Step 3: Sign the Zone
Use the dnssec-signzone command:
dnssec-signzone -o yourdomain.com -k Kyourdomain.com.+008+12345 yourdomain.com.zone Kyourdomain.com.+008+67890
This creates a signed zone file (e.g., yourdomain.com.zone.signed).
Step 4: Update DNS Server Configuration
Point your DNS server to the signed zone file:
zone "yourdomain.com" { type master; file "/etc/bind/yourdomain.com.zone.signed"; };
Reload or restart your DNS server after the update.
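The key tags in the file names (12345, 67890) do not tell you which key is the KSK and which is the ZSK; the DNSKEY flags field inside the .key file does (257 for a KSK, 256 for a ZSK), and passing them to dnssec-signzone the wrong way round produces a zone whose DS at the parent matches nothing. The script below is an added example, not code from the original page: it reads that flags field, prints the $INCLUDE lines for Step 2 with the right role comment, and builds the Step 3 signing command. The zone name and the two key files it writes (with fake key material) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): identify the KSK and ZSK from the .key files
# dnssec-keygen wrote, print the matching $INCLUDE lines and the signing command.
# Zone name and key directory are assumptions; the key files written below are constructed.

# Print KSK or ZSK for one .key file. The DNSKEY flags field is 257 for a KSK (SEP bit set)
# and 256 for a ZSK; ';' comment lines written by dnssec-keygen are skipped.
key_role() {
    flags=$(awk '!/^;/ { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i + 1); exit } }' "$1")
    case "$flags" in
        257) echo KSK ;;
        256) echo ZSK ;;
        *)   echo UNKNOWN; return 1 ;;
    esac
}

# Print the $INCLUDE lines for every K*.key file in a directory, labelled by role,
# ready to paste after the SOA and NS records.
include_lines() {
    for f in "$1"/K*.key; do
        [ -e "$f" ] || continue
        printf '$INCLUDE %s ; %s\n' "$(basename "$f")" "$(key_role "$f")"
    done
}

# Build the dnssec-signzone command: -k takes the KSK, the ZSK goes last as a positional argument.
sign_zone_cmd() {
    dir=$1; zone=$2; ksk=""; zsk=""
    for f in "$dir"/K*.key; do
        [ -e "$f" ] || continue
        base=$(basename "$f" .key)
        case "$(key_role "$f")" in
            KSK) ksk=$base ;;
            ZSK) zsk=$base ;;
        esac
    done
    if [ -z "$ksk" ] || [ -z "$zsk" ]; then
        echo "need one KSK and one ZSK in $dir" >&2
        return 1
    fi
    printf 'dnssec-signzone -o %s -k %s %s.zone %s\n' "$zone" "$ksk" "$zone" "$zsk"
}

# Write two constructed key files in dnssec-keygen's layout (the key material is fake).
write_sample_keys() {
    cat > "$1/Kyourdomain.com.+008+12345.key" <<'EOF'
; This is a key-signing key, keyid 12345, for yourdomain.com.
yourdomain.com. IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDkskSAMPLEdata00==
EOF
    cat > "$1/Kyourdomain.com.+008+67890.key" <<'EOF'
; This is a zone-signing key, keyid 67890, for yourdomain.com.
yourdomain.com. IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDzskSAMPLEdata00==
EOF
}

# Demo on the constructed files; point KEY_DIR at your real zone directory to use it for real.
KEY_DIR=$(mktemp -d)
write_sample_keys "$KEY_DIR"
include_lines "$KEY_DIR"
sign_zone_cmd "$KEY_DIR" yourdomain.com
rm -rf "$KEY_DIR"
```

Run the printed dnssec-signzone command from the zone directory; it writes yourdomain.com.zone.signed, which is the file Step 4 points named.conf.local at.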
Verifying DNSSEC is Enabled
To check for DNSSEC signatures, run:
dig +dnssec yourdomain.com
Look for RRSIG records in the answer section.
Alternatively, you can use online tools to confirm DNSSEC is active, such as:
- DNSViz
- Verisign DNSSEC Analyzer
How to Validate DNSSEC for a Domain
Looking at `dig +dnssec` output alone does not validate DNSSEC. Validation is performed by the DNS resolver, which follows a chain of trust from the root down to the domain. Below are the steps to validate DNSSEC for a domain (example: gbb.co.in).
1. Basic Query with dig
Run:
dig +dnssec gbb.co.in
This shows the DNS records and their signatures (RRSIG). Check for the `ad` flag in the response:
;; flags: qr rd ra ad;
- ad = Authenticated Data → means the resolver already validated DNSSEC.
- If validation fails, the response will usually be `SERVFAIL`.
2. Query Against a Public Validating Resolver
Use a resolver that performs DNSSEC validation (e.g., Google 8.8.8.8 or Cloudflare 1.1.1.1):
dig +dnssec gbb.co.in @1.1.1.1
dig +dnssec gbb.co.in @8.8.8.8
If DNSSEC is broken, these resolvers will return `SERVFAIL`.
3. Bypass Validation with CD Flag
To see the raw data without validation:
dig +dnssec +cdflag gbb.co.in
This disables DNSSEC validation so you can compare results.
4. Use delv for Direct Validation
delv gbb.co.in
`delv` directly shows whether DNSSEC validation passed or failed.
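Steps 1 to 4 boil down to reading three things out of a dig response: the status (SERVFAIL or not), the ad flag, and whether RRSIG records are present. The script below is an added example, not code from the original page: it turns those checks into functions that classify any dig +dnssec output, runs them over three constructed sample responses for gbb.co.in (a validated answer, a SERVFAIL from a validating resolver, and a +cdflag answer), and can compare the validating and +cdflag views live when dig and network access are available. The sample outputs and the live_check helper are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): classify a dig +dnssec answer the way steps 1-4
# describe. The three dig outputs below are constructed samples for the page's example domain.

# Helpers read dig output on stdin.
dig_status()  { sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\).*/\1/p'; }
has_ad_flag() { grep -q '^;; flags:.* ad[ ;]'; }
has_rrsig()   { grep -q '[[:space:]]RRSIG[[:space:]]'; }

# One word per outcome: SERVFAIL = the resolver could not validate, ad = validated,
# RRSIG without ad = signed but not validated by this resolver (e.g. +cdflag), else unsigned.
classify_dig() {
    out=$(cat)
    if [ "$(printf '%s\n' "$out" | dig_status)" = "SERVFAIL" ]; then
        echo validation-failed
    elif printf '%s\n' "$out" | has_ad_flag; then
        echo validated
    elif printf '%s\n' "$out" | has_rrsig; then
        echo signed-not-validated
    else
        echo unsigned
    fi
}

# Live comparison of the validating and +cdflag views against one resolver (needs dig and network).
live_check() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 1; }
    echo "validating view: $(dig +dnssec "$1" @"$2" | classify_dig)"
    echo "cd view:         $(dig +dnssec +cdflag "$1" @"$2" | classify_dig)"
}

# Constructed sample: validated answer (ad flag set, RRSIG present).
SAMPLE_VALIDATED='; <<>> DiG 9.18.0 <<>> +dnssec gbb.co.in
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
gbb.co.in.  300 IN A     192.0.2.10
gbb.co.in.  300 IN RRSIG A 8 3 300 20990101000000 20240101000000 12345 gbb.co.in. Q29uc3RydWN0ZWQ='

# Constructed sample: a validating resolver that could not verify the chain.
SAMPLE_SERVFAIL='; <<>> DiG 9.18.0 <<>> +dnssec gbb.co.in @1.1.1.1
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample: same data fetched with +cdflag, so signatures are returned but nothing is validated.
SAMPLE_CDFLAG='; <<>> DiG 9.18.0 <<>> +dnssec +cdflag gbb.co.in
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
gbb.co.in.  300 IN A     192.0.2.10
gbb.co.in.  300 IN RRSIG A 8 3 300 20990101000000 20240101000000 12345 gbb.co.in. Q29uc3RydWN0ZWQ='

for s in "$SAMPLE_VALIDATED" "$SAMPLE_SERVFAIL" "$SAMPLE_CDFLAG"; do
    printf '%s\n' "$s" | classify_dig
done
# Optional live run: ./check.sh gbb.co.in 1.1.1.1
if [ $# -ge 1 ]; then
    live_check "$1" "${2:-1.1.1.1}"
fi
```

A "validation-failed" on the validating view together with "signed-not-validated" on the cd view is the signature of a broken chain (expired signatures, a DS at the parent that matches no published DNSKEY): the data is there, but no validating resolver will hand it out.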
5. How Validation Works Internally
- Domain owner signs the DNS records → (RRSIG + DNSKEY).
- Parent zone publishes DS record (hash of child DNSKEY).
- Resolver checks DNSKEY against DS record at parent.
- This continues up the chain:
- gbb.co.in → .co.in → .in → root
- The root trust anchor (root key) is pre-installed in all validating resolvers.
This is similar to browsers trusting root CA certificates in HTTPS.
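The "DS record (hash of child DNSKEY)" step is concrete enough to reproduce. The script below is an added example, not code from the original page: it builds the DNS wire form of the owner name and the DNSKEY RDATA, computes the RFC 4034 key tag and the SHA-256 DS digest (digest type 2, RFC 4509) over them, and prints the DS record the parent would have to publish. The DNSKEY it uses is a constructed sample with a toy four-byte key (not a real key); it needs coreutils base64, od and sha256sum.

```shell
#!/bin/sh
# Added example (not from the original page): derive the DS record a parent zone publishes from the
# child's DNSKEY, i.e. the "hash of child DNSKEY" step of the chain of trust (RFC 4034 section 5.1.4,
# SHA-256 digest type 2 from RFC 4509). Needs coreutils base64, od and sha256sum. The DNSKEY below
# is a constructed sample with a toy key, not a real key.

# Owner name in DNS wire format: each label prefixed by its length byte, terminated by a zero byte.
# The name is lowercased first because the digest is computed over the canonical owner name.
wire_name() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//' | tr '.' '\n' | while IFS= read -r label; do
        [ -n "$label" ] || continue
        printf "\\$(printf '%03o' "${#label}")%s" "$label"
    done
    printf '\000'
}

# DNSKEY RDATA in wire format: flags (2 bytes), protocol (1), algorithm (1), then the raw key bytes.
wire_dnskey_rdata() {
    printf "\\$(printf '%03o' $(( $1 / 256 )))\\$(printf '%03o' $(( $1 % 256 )))"
    printf "\\$(printf '%03o' "$2")\\$(printf '%03o' "$3")"
    printf '%s' "$4" | base64 -d
}

# Key tag (RFC 4034 Appendix B): a 16-bit checksum-style sum over the RDATA bytes, the number that
# identifies the key in DS and RRSIG records (the +008+12345 part of the key file names).
key_tag() {
    wire_dnskey_rdata "$1" "$2" "$3" "$4" | od -An -v -tu1 | tr -s ' ' '\n' |
    awk 'NF { ac += (i++ % 2 == 0) ? $1 * 256 : $1 }
         END { ac += int(ac / 65536) % 65536; print ac % 65536 }'
}

# DS digest = SHA-256(wire owner name || DNSKEY RDATA), uppercase hex as shown in DS records.
ds_sha256() {
    { wire_name "$1"; wire_dnskey_rdata "$2" "$3" "$4" "$5"; } | sha256sum | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# Full DS record line: owner, key tag, algorithm, digest type 2, digest.
ds_record() {
    printf '%s. IN DS %s %s 2 %s\n' "$(printf '%s' "$1" | sed 's/\.$//')" \
        "$(key_tag "$2" "$3" "$4" "$5")" "$4" "$(ds_sha256 "$1" "$2" "$3" "$4" "$5")"
}

# Constructed sample: a KSK (flags 257, protocol 3, algorithm 8) whose "key" is just the bytes 03 01 00 01.
SAMPLE_OWNER="yourdomain.com"
SAMPLE_KEY="AwEAAQ=="
ds_record "$SAMPLE_OWNER" 257 3 8 "$SAMPLE_KEY"
```

For a real KSK, compare the output with what dnssec-dsfromkey (shipped with BIND) prints for the same .key file; the digest the parent publishes must match the one derived from the DNSKEY you serve, otherwise validating resolvers treat the zone as bogus and answer SERVFAIL.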
Summary
- `dig +dnssec` shows records + signatures, not validation status.
- The ad flag confirms validation success.
- `SERVFAIL` indicates DNSSEC validation failure.
- The trust is established through the DNSSEC chain of trust, starting from the root key.