DNSSEC on Bind 9.7

I have been reading about DNSSEC and decided to do some quick testing. One of the questions I had was: what happens with slave nameservers? How does DNSSEC work with a slave? Does it need copies of keys? If my hosting provider is slaved off of me and running Bind 9.x, what extra steps need to be taken to enable DNSSEC? Well, the answer to that turned out to be really simple. The slave servers don’t work any differently than normal: all of the signing and key management is inside the zone file. Setting up the signed zones isn’t really as hard as you might expect. There are a few concepts you have to understand:
  • DNSSEC relies on a chain of trust based on public key cryptography.
  • It uses cryptography for validation, not privacy: records are signed, not encrypted.
  • You will most likely use two public/private key pairs, one for signing keys (the key signing key, KSK) and one for signing zones (the zone signing key, ZSK).
  • The parent zone must have information about your key signing key. This is done with a DS resource record, which is just a hash of the key signing public key in a DNS record.
  • Why two keys?  By using a key signing key and zone signing key, you can rotate the key used for signing the zone without having to notify your parent zone.
So setting it up goes something like this:
  • Generate your KSK and ZSK.
  • Add public key information (for both keys) to the zone file.
  • Sign the zone using the private keys (this creates a new machine-generated file).
  • Update named.conf (point to the new zone file, and enable DNSSEC if necessary).
  • Send DS information to your registrar (alternatively you can use isc.org’s DNSSEC Lookaside Validation). When you create the KSK, a file called dsset-{zone.filename}. will be created with the records (they are also added to the signed zone file). DO THIS LAST.
  • Test, test, test.

Example:

# generate Key signing key*:
dnssec-keygen -f KSK {zone.filename}
# generate Zone signing key:
dnssec-keygen {zone.filename}
# at this point you will modify the zone file using the $include statement (see below for an example.)
# Sign the zone file, note the -k flag pointing to the KSK, I stumbled on this for a few minutes.
dnssec-signzone -g -k {KSK.filename.private} {zone.filename} {ZSK.filename.private}
* If dnssec-keygen hangs, you probably lack entropy in /dev/random.
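
The DS record described above (the "hash of the key signing public key" that ends up in the dsset- file) can be recomputed independently. The following Python code is an added example, not part of the original post: it parses a DNSKEY line as written to a K*.key file and derives the key tag and DS digest per RFC 4034. The example.org key line is constructed sample data with dummy key bytes, and all function names are hypothetical.

```python
import base64
import hashlib
import struct

# Constructed sample in the one-line format of a K<zone>+<alg>+<tag>.key file.
# The key material is 8 dummy bytes, not a real RSA key.
SAMPLE_KEY_LINE = "example.org. IN DNSKEY 257 3 5 AQIDBAUGBwg="

def name_to_wire(name):
    """Owner name in canonical wire format: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Return (owner, flags, protocol, algorithm, key_bytes) from a DNSKEY line."""
    fields = line.split(";", 1)[0].split()  # drop any trailing comment
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, protocol, algorithm, key

def dnskey_rdata(flags, protocol, algorithm, key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag (the +NNNNN in the key file name), RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_record(line, digest_type=2):
    """Build the DS record text for a KSK; digest_type 1 = SHA-1, 2 = SHA-256."""
    owner, flags, protocol, algorithm, key = parse_dnskey(line)
    if not flags & 0x0001:
        raise ValueError("SEP bit not set: this is a ZSK, the parent needs the KSK")
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    # The digest covers the owner name plus the DNSKEY RDATA, not just the key.
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type, digest)

if __name__ == "__main__":
    print(ds_record(SAMPLE_KEY_LINE, 1))
    print(ds_record(SAMPLE_KEY_LINE, 2))
```

Running it against your real KSK .key line and comparing the result with the dsset- file (or with BIND's dnssec-dsfromkey) before contacting the registrar catches a DS built from the wrong key.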

named.conf:

options {
 listen-on port 53 { 0.0.0.0/0; };
 listen-on-v6 port 53 { ::1; };
 directory       "/var/named";
 dump-file       "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 allow-query     { any; };
 recursion no;

 dnssec-enable yes;
 dnssec-validation yes;
 dnssec-lookaside auto;

 /* Path to ISC DLV key */
 bindkeys-file "/etc/named.iscdlv.key";
};

logging {
 channel default_debug {
 file "data/named.run";
 severity dynamic;
 };
};

zone "." IN {
 type hint;
 file "named.ca";
};

include "/etc/named.rfc1912.zones";

zone "toddgarrison.org" IN {
 type master;
 file "toddgarrison.org.signed";
 allow-update { none; };
 allow-query { any; };
 allow-transfer { 1.2.3.254; };
 notify yes;
};

Zone file before signing:

$TTL 86400
@       IN SOA  toddgarrison.org. tag.frameloss.org. (
 2011062901      ; serial number YYYYMMDDNN
 28800           ; Refresh
 7200            ; Retry
 864000          ; Expire
 86400           ; Min TTL
)
$ORIGIN toddgarrison.org.
$include Ktoddgarrison.org.+005+20254.key ; KSK
$include Ktoddgarrison.org.+005+24138.key ; ZSK

 IN      NS      ns1.some.host.name.
 IN      NS      ns2.some.host.name.

www                     IN      A       1.2.3.4

Links

http://www.isc.org/software/bind/dnssec
http://www.dnssec.net/links