{"id":17,"date":"2022-10-08T09:25:09","date_gmt":"2022-10-08T09:25:09","guid":{"rendered":"https:\/\/www.dnssec.au\/?p=17"},"modified":"2025-01-15T23:49:13","modified_gmt":"2025-01-15T12:49:13","slug":"bind-configuration","status":"publish","type":"post","link":"https:\/\/dnssec.au\/?p=17","title":{"rendered":"Bind configuration"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">You got your domain, what now?<\/h2>\n\n\n\n<p>This guide presumes that you have your domain set up in bind and that the configuration is working without DNSSEC configured. My configuration example is for the dnssec.au domain; the zone files are stored in \/var\/named\/primary\/ and the DNSSEC keys will be stored in \/var\/named\/keys.<\/p>\n\n\n\n<p>Here is my dnssec.au zone file (ignore the low TTL values):<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-background-color has-background\" style=\"font-size:13px\"><code>$ORIGIN .\n$TTL 120        ; 2 minutes\ndnssec.au               IN SOA  moss.ih36.net. jalla\\.au.contactprivacy.org. (\n                                2022100602 ; serial\n                                1800       ; refresh (30 minutes)\n                                7200       ; retry (2 hours)\n                                345600     ; expire (4 days)\n                                60         ; minimum (1 minute)\n                                )\n                        NS      moss.ih36.net.\n                        NS      brizzy.ih36.net.\n                        NS      hamar.ih36.net.\n\n                        MX      10 helm.hosteng.net.\n                        TXT     \"v=spf1 include:hosteng.net -all\"\n                        CAA     128 issue \"letsencrypt.org\"\n$ORIGIN dnssec.au.
\n_dmarc                  TXT     \"v=DMARC1; p=reject; sp=reject; pct=100; aspf=r; fo=0; rua=mailto:postmaster@dnssec.au\"\nmail._domainkey         CNAME   mail._domainkey.hosteng.net.\nwww                     CNAME   moss.ih36.net.<\/code><\/pre>\n\n\n\n<p>Here is the relevant part of the named.conf file:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-background-color has-background\" style=\"font-size:13px\"><code>zone \"dnssec.au\" {\n        type master;\n        file \"\/var\/named\/master\/dnssec.au.DB\";\n        allow-query { any; };\n        allow-transfer { mysecondaries; };\n        allow-update { key dhcpd; };\n};\n<\/code><\/pre>\n\n\n\n<p>Enabling DNSSEC with bind9 is surprisingly easy. You can set up an automated key rotation scheme and bind will do all the hard work for you. All you have to do is specify the rotation policy and define the keys (the public key algorithm and hash type, and how often you want the keys rotated). 
Here is my policy:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-background-color has-background\" style=\"font-size:13px\"><code>dnssec-policy my_dnssec_policy {                                                                                                                                                                                           \n        dnskey-ttl 600;                                                                                                                                                                                        \n        keys {                                                                                                                                                                                                 \n                ksk lifetime unlimited algorithm ecdsap256sha256;                                                                                                                                              \n                zsk lifetime 30d algorithm ecdsap256sha256;                                                                                                                                                    \n        };                                                                                                                                                                                                     \n        max-zone-ttl 600;                                                                                                                                                                                      \n        parent-ds-ttl 600;                                                                                                                                                                                     \n        parent-propagation-delay 2h;                                                                                                                                                   
                        \n        publish-safety 2h;                                                                                                                                                                                     \n        retire-safety 2h;                                                                                                                                                                                      \n        purge-keys 1h;                                                                                                                                                                                         \n        signatures-refresh 5d;                                                                                                                                                                                 \n        signatures-validity 15d;                                                                                                                                                                               \n        signatures-validity-dnskey 15d;                                                                                                                                                                        \n        zone-propagation-delay 2h;                                                                                                                                                                             \n};<\/code><\/pre>\n\n\n\n<p>This defines a non-expiring key signing key and a zone signing key that is rotated every 30 days. The reason my KSK is set not to expire is that for it to be changed, I have to log into my registrar and update the key hashes in the .au domain. This is easy to do, but it cannot be automated, so I have chosen not to rotate this key automatically. Read the bind documentation for the meaning of the rest of the parameters in the policy or just copy my parameters. 
<\/p>\n\n\n\n<p>Then all I have to do is to modify the zone definition like this:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-background-color has-background\" style=\"font-size:13px\"><code>zone \"dnssec.au\" {                                                                                                                                                                                             \n        type master;                                                                                                                                                                                           \n        file \"\/var\/named\/master\/dnssec.au.DB\";                                                                                                                                                         \n        allow-query { any; };                                                                                                                                                                                  \n        allow-transfer { mysecondaries; };                                                                                                                                                                     \n        allow-update { key dhcpd; };                                                                                                                                                                           \n        # look for dnssec keys here:                                                                                                                                                                           \n        key-directory \"\/var\/named\/keys\/dnssec.au\";                                                                                                                                                             \n        # publish and activate dnssec keys:                                                                                   
\n        dnssec-policy my_dnssec_policy;\n        # use inline signing:\n        inline-signing yes;\n};\n<\/code><\/pre>\n\n\n\n<p>That is it. Run rndc reconfig to reload the bind configuration and Bob&#8217;s your uncle. 
Now you will find the newly generated keys in the directory specified above (\/var\/named\/keys\/dnssec.au):<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-background-color has-background\" style=\"font-size:13px\"><code>root@moss:\/var\/named\/keys\/dnssec.au# ls -l\ntotal 24\n-rw-r--r-- 1 bind bind 398 Oct  8 18:54 Kdnssec.au.+013+25892.key\n-rw------- 1 bind bind 215 Oct  8 18:54 Kdnssec.au.+013+25892.private\n-rw-r--r-- 1 bind bind 569 Oct  8 18:54 Kdnssec.au.+013+25892.state\n-rw-r--r-- 1 bind bind 448 Oct  8 18:54 Kdnssec.au.+013+58993.key\n-rw------- 1 bind bind 235 Oct  8 18:54 Kdnssec.au.+013+58993.private\n-rw-r--r-- 1 bind bind 553 Oct  8 18:54 Kdnssec.au.+013+58993.state<\/code><\/pre>\n\n\n\n<p>Now, to verify that my zone is signed, I use https:\/\/dnsviz.net\/d\/dnssec.au to visualize my DNSSEC information. 
Here is what it shows at this stage in the DNSSEC setup:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"499\" height=\"1024\" src=\"https:\/\/www.dnssec.au\/wp-content\/uploads\/2022\/10\/dnssec.au-2022-10-08-09_01_08-UTC-499x1024.png\" alt=\"\" class=\"wp-image-19\" srcset=\"https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/dnssec.au-2022-10-08-09_01_08-UTC-499x1024.png 499w, https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/dnssec.au-2022-10-08-09_01_08-UTC-146x300.png 146w, https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/dnssec.au-2022-10-08-09_01_08-UTC.png 635w\" sizes=\"auto, (max-width: 499px) 100vw, 499px\" \/><figcaption>dnsviz view of dnssec.au after initial setup<\/figcaption><\/figure>\n\n\n\n<p>This image shows the trust chain for my domain. As you can see my zone is now signed with the KSK id 25892. It has signed the ZSK key id 58993 that has signed the remaining records in the zone. However, there is no trust link from the zone above (.au). So I have to log in to my registrar&#8217;s webpage and add two hashes of my KSK key with the ID 25892 to the .au zone.  But before that, I have to generate the hashes from my KSK key like this:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-background-color has-background\" style=\"font-size:13px\"><code>root@moss:\/var\/named\/keys\/dnssec.au# dnssec-dsfromkey -a sha256 \/var\/named\/keys\/dnssec.au\/Kdnssec.au.+013+25892                                                                                                \ndnssec.au. 
IN DS 25892 13 2 F27DF44A5CDB057C5F084597244D9C53EAA81989E0463824495B205215B546C6\nroot@moss:\/var\/named\/keys\/dnssec.au# dnssec-dsfromkey -a sha384 \/var\/named\/keys\/dnssec.au\/Kdnssec.au.+013+25892\ndnssec.au. IN DS 25892 13 4 43EF3592F0AD4544733BA892E714F57B4D14F9AF6A96BFA17326AAA359DE80FA41A1D167E40D5A28A609FFDC6E62B94A\n<\/code><\/pre>\n\n\n\n<p>Then you have to use the tools your registrar provides for adding DNSSEC records for your zone to its parent zone (.au in my case).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"934\" src=\"https:\/\/www.dnssec.au\/wp-content\/uploads\/2022\/10\/CleanShot-2022-10-08-at-20.13.21@2x-1024x934.png\" alt=\"\" class=\"wp-image-20\" srcset=\"https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/CleanShot-2022-10-08-at-20.13.21@2x-1024x934.png 1024w, https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/CleanShot-2022-10-08-at-20.13.21@2x-300x274.png 300w, https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/CleanShot-2022-10-08-at-20.13.21@2x-768x700.png 768w, https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/CleanShot-2022-10-08-at-20.13.21@2x.png 1110w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>My registrar&#8217;s web interface for entering my KSK hash information<\/figcaption><\/figure>\n\n\n\n<p>Once I have completed both, it looks like this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dnssec.au\/wp-content\/uploads\/2022\/10\/CleanShot-2022-10-08-at-20.15.47@2x-1024x382.png\" alt=\"\" class=\"wp-image-21\" width=\"609\" height=\"227\" 
srcset=\"https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/CleanShot-2022-10-08-at-20.15.47@2x-1024x382.png 1024w, https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/CleanShot-2022-10-08-at-20.15.47@2x-300x112.png 300w, https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/CleanShot-2022-10-08-at-20.15.47@2x-768x286.png 768w, https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/CleanShot-2022-10-08-at-20.15.47@2x-1536x573.png 1536w, https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/CleanShot-2022-10-08-at-20.15.47@2x-1568x585.png 1568w, https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/CleanShot-2022-10-08-at-20.15.47@2x.png 1910w\" sizes=\"auto, (max-width: 609px) 100vw, 609px\" \/><figcaption>The completed update of my KSK hash with my registrar<\/figcaption><\/figure>\n\n\n\n<p>Now I can use https:\/\/dnsviz.net\/d\/dnssec.au to recheck my DNSSEC setup. Remember to use the analyze option to force dnsviz to rebuild its cache for your domain.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"509\" height=\"1024\" src=\"https:\/\/www.dnssec.au\/wp-content\/uploads\/2022\/10\/dnssec.au-2022-10-08-09_18_34-UTC-509x1024.png\" alt=\"\" class=\"wp-image-22\" srcset=\"https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/dnssec.au-2022-10-08-09_18_34-UTC-509x1024.png 509w, https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/dnssec.au-2022-10-08-09_18_34-UTC-149x300.png 149w, https:\/\/dnssec.au\/wp-content\/uploads\/2022\/10\/dnssec.au-2022-10-08-09_18_34-UTC.png 635w\" sizes=\"auto, (max-width: 509px) 100vw, 509px\" \/><figcaption>dnsviz view after updating my registrar with the KSK key hash used to sign my zone<\/figcaption><\/figure>\n\n\n\n<p>As you can see now, there is a trust chain going from the root domain to .au and then to dnssec.au. This means that the DNSSEC configuration is completed. From this point on, you can forget all about DNSSEC and update the zone file as normal. 
When you reload it, bind will sign all the records in it, and the signed zone will be pushed to your secondary nameservers automatically.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>This shows all the steps needed to enable DNSSEC for your domain. Doing so protects you against unauthorized changes to your zone data made in flight to the validating resolvers that query your domain.<\/p>\n\n\n\n<p>I hope this information helps you in setting up DNSSEC. I wish I had found this when I started securing my domains.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You got your domain, what now? This guide presumes that you got your domain set up in bind and that the configuration is working without DNSSEC configured. My configuration example is for the dnssec.au domain and the zone files are stored in \/var\/named\/primary\/ and the DNSSEC keys will be stored in \/var\/named\/keys Here is my&hellip; <a class=\"more-link\" href=\"https:\/\/dnssec.au\/?p=17\">Continue reading <span class=\"screen-reader-text\">Bind 
configuration<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[5],"class_list":["post-17","post","type-post","status-publish","format-standard","hentry","category-dnssec","tag-howto","entry"],"_links":{"self":[{"href":"https:\/\/dnssec.au\/index.php?rest_route=\/wp\/v2\/posts\/17","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dnssec.au\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dnssec.au\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dnssec.au\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dnssec.au\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=17"}],"version-history":[{"count":5,"href":"https:\/\/dnssec.au\/index.php?rest_route=\/wp\/v2\/posts\/17\/revisions"}],"predecessor-version":[{"id":26,"href":"https:\/\/dnssec.au\/index.php?rest_route=\/wp\/v2\/posts\/17\/revisions\/26"}],"wp:attachment":[{"href":"https:\/\/dnssec.au\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=17"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dnssec.au\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=17"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dnssec.au\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=17"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}