Enabling DNSSEC for a Domain in Bind9
Installing and Configuring BIND9 with DNSSEC
1. Install BIND9 and DNS Utilities
At a terminal prompt, run the following command to install the bind9 package:
sudo apt install bind9
A useful package for testing and troubleshooting DNS issues is the dnsutils package. Very often these tools will be installed already, but to check and/or install dnsutils enter:
sudo apt install dnsutils
2. Set Up a Caching Nameserver
Uncomment and edit /etc/bind/named.conf.options to set the IP addresses of your ISP’s DNS servers:
Example configuration block:
forwarders {
    1.2.3.4;
    5.6.7.8;
};
3. Restart BIND9 Service
To enable the new configuration, restart the DNS server:
sudo systemctl restart bind9.service
4. Create Forward Zone File
To add a DNS zone to BIND9, first edit /etc/bind/named.conf.local:
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
};
5. Create the Zone File
Use an existing zone file as a template to create /etc/bind/zones/db.example.com (the path must match the file directive in named.conf.local):
sudo mkdir /etc/bind/zones
sudo chown -R root:bind /etc/bind/zones/
sudo cp /etc/bind/db.local /etc/bind/zones/db.example.com
Edit /etc/bind/zones/db.example.com and make the following changes:
- Replace localhost. with the FQDN of your server (with a trailing dot).
- Replace 127.0.0.1 with the nameserver’s IP address.
- Replace root.localhost with a valid email address, using a dot instead of @ (with a trailing dot).
- Update the comment to indicate the correct domain.
Example zone configuration:
;
; BIND data file for example.com
;
$TTL    604800
@       IN      SOA     example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      ns.example.com.
@       IN      A       192.168.1.10
@       IN      AAAA    ::1
ns      IN      A       192.168.1.10
6. Restart BIND9 After Changes
sudo systemctl restart bind9.service
Enabling DNSSEC on Your Own DNS Server
Step 1: Generate DNSSEC Keys
- Zone Signing Key (ZSK): Signs all zone records.
- Key Signing Key (KSK): Signs the DNSKEY record set.
Example commands (run in your zone directory; each writes a public key file named Kyourdomain.com.+008+<keytag>.key and a matching .private file):
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE yourdomain.com
dnssec-keygen -f KSK -a RSASHA256 -b 4096 -n ZONE yourdomain.com
Step 2: Add Public Keys to Your Zone File
Insert $INCLUDE statements for the .key files after the SOA and NS records in your zone file:
$INCLUDE Kyourdomain.com.+008+12345.key ; KSK
$INCLUDE Kyourdomain.com.+008+67890.key ; ZSK
Step 3: Sign the Zone
Use the dnssec-signzone command:
dnssec-signzone -o yourdomain.com -k Kyourdomain.com.+008+12345 yourdomain.com.zone Kyourdomain.com.+008+67890
This creates a signed zone file (e.g., yourdomain.com.zone.signed) and, in the same directory, a dsset-yourdomain.com. file holding the DS record for the KSK; that DS record must be published in the parent zone (usually through your registrar) before resolvers can validate the zone. Signatures are valid for 30 days by default, so the zone has to be re-signed before they expire or validation will fail.
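The number after +008+ in a key file name is the key tag, and the DS record the parent zone needs is a hash of the KSK's DNSKEY RDATA. The following added example (not part of the original guide, and not BIND's own code) computes both from a DNSKEY line in the same presentation format that dnssec-keygen writes to the .key file, mirroring what the real dnssec-dsfromkey tool does. The DNSKEY below is a constructed sample, not a real key, and the function names are my own.

```python
"""Compute the RFC 4034 key tag and the DS record for a DNSKEY record.

Added example for the DNSSEC guide; the DNSKEY below is a constructed
sample (the base64 blob is not a real RSA key).
"""
import base64
import hashlib
import struct

# Constructed sample: one line of a Kyourdomain.com.+008+<tag>.key file.
# 257 = KSK flags (ZONE + SEP), 3 = protocol, 8 = RSASHA256.
SAMPLE_KEY_LINE = (
    "yourdomain.com. IN DNSKEY 257 3 8 "
    "AwEAAcQoNg/4DKMAgBCpSBSrrHIs3WYWB+bkSQ9LaqoIkVJbrxMBokyh"
)


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in DNS wire format: length-prefixed labels,
    lower-cased because the DS digest is taken over the canonical form."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(line: str):
    """Return (owner, flags, protocol, algorithm, public_key_bytes)."""
    parts = line.split()
    if parts[1].isdigit():          # tolerate an optional TTL field
        del parts[1]
    owner, cls, rrtype, flags, proto, alg = parts[:6]
    if cls != "IN" or rrtype != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    key = base64.b64decode("".join(parts[6:]))
    return owner, int(flags), int(proto), int(alg), key


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except
    the obsolete RSAMD5). This is the <tag> in K<zone>.+008+<tag>.key."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(line: str, digest_type: int = 2) -> str:
    """Build the DS record (presentation format) for a DNSKEY line.
    digest_type 2 = SHA-256 (recommended); 1 = SHA-1 (legacy)."""
    owner, flags, proto, alg, key = parse_dnskey(line)
    rdata = dnskey_rdata(flags, proto, alg, key)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}.get(digest_type)
    if hasher is None:
        raise ValueError("unsupported digest type")
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


if __name__ == "__main__":
    print(ds_record(SAMPLE_KEY_LINE))
```

Running it on the real Kyourdomain.com.+008+12345.key line should print a DS record whose key tag is 12345 and whose digest matches the dsset-yourdomain.com. file written by dnssec-signzone; a mismatch means the wrong key (or a stale key file) was handed to the parent.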
Step 4: Update DNS Server Configuration
Point your DNS server to the signed zone file:
zone "yourdomain.com" {
    type master;
    file "/etc/bind/yourdomain.com.zone.signed";
};
Reload or restart your DNS server after the update.
Verifying DNSSEC is Enabled
To check for DNSSEC signatures, run:
dig +dnssec yourdomain.com
Look for RRSIG records in the answer section. If the query goes through a validating resolver and the DS record is in place at the parent, the header flags also include ad (authenticated data), which shows that the chain of trust was validated rather than merely that signatures were served.
Alternatively, you can use online tools such as:
- DNSViz
- Verisign DNSSEC Analyzer
to confirm DNSSEC is active.
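Reading dig output by eye does not scale to a scheduled check, and the failure mode that bites most often is a signature that quietly expires. The following added example (not part of the original guide) parses the header and answer section of a dig +dnssec reply, reports whether an RRSIG covers the queried type, whether the resolver set the ad flag, and which signatures are expired or about to expire. DIG_OUTPUT is a constructed sample of the relevant dig output with fake signature material; the function names are my own.

```python
"""Check `dig +dnssec` output for RRSIG coverage and signature expiry.

Added example for the DNSSEC guide. DIG_OUTPUT is a constructed sample
of the header and answer section printed by `dig +dnssec yourdomain.com`
through a validating resolver; the signature blob is fake.
"""
from datetime import datetime, timedelta, timezone

DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
yourdomain.com.    3600  IN  A      192.0.2.10
yourdomain.com.    3600  IN  RRSIG  A 8 2 3600 20240430120000 20240331120000 67890 yourdomain.com. c29tZXNpZ25hdHVyZQ==
"""

RRSIG_TIME = "%Y%m%d%H%M%S"  # timestamp format dig uses in RRSIG RDATA


def parse_dig(output: str):
    """Return (header_flags, answer_records); a record is its split fields."""
    flags, records, in_answer = set(), [], False
    for line in output.splitlines():
        if line.startswith(";; flags:"):
            flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";;") or not line.strip():
            in_answer = False          # another section or a blank line
        elif in_answer:
            records.append(line.split())
    return flags, records


def _as_utc(when):
    """Accept a datetime or an RRSIG-style YYYYMMDDHHMMSS string."""
    if isinstance(when, datetime):
        return when
    return datetime.strptime(when, RRSIG_TIME).replace(tzinfo=timezone.utc)


def rrsig_status(output: str, qtype: str = "A", now=None, warn_days: int = 7):
    """Summarise DNSSEC state for the answer records of type qtype.

    signed    - an RRSIG covering qtype is present (the zone serves signatures)
    validated - the resolver set the ad flag (chain of trust checked)
    expiring  - key tags of signatures that expire within warn_days
    expired   - key tags of signatures outside their validity window
    """
    now = _as_utc(now) if now else datetime.now(timezone.utc)
    flags, records = parse_dig(output)
    sigs = [r for r in records if r[3] == "RRSIG" and r[4] == qtype]
    status = {"signed": bool(sigs), "validated": "ad" in flags,
              "expiring": [], "expired": []}
    for r in sigs:
        # RRSIG RDATA fields after the owner/TTL/class/type prefix:
        # type alg labels origttl expiration inception keytag signer signature
        expiration, inception, keytag = _as_utc(r[8]), _as_utc(r[9]), int(r[10])
        if not inception <= now <= expiration:
            status["expired"].append(keytag)
        elif expiration - now < timedelta(days=warn_days):
            status["expiring"].append(keytag)
    return status


if __name__ == "__main__":
    print(rrsig_status(DIG_OUTPUT))
```

Feed it the captured output of dig +dnssec on a schedule: "signed" true with "validated" false is the typical sign of a missing or wrong DS record at the parent, and anything in "expiring" means the zone must be re-signed before the default 30-day signature validity runs out.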