Configure DNSSEC with BIND

The DNS plays a critical role in the Internet infrastructure by providing a distributed and fairly robust mechanism that resolves host names into IP addresses and IP addresses back into host names. It also supports other directory-like lookups: name servers (NS), canonical names (CNAME), mail exchangers (MX), etc. Being almost 30 years old, it has started to show its age. The threats surrounding the DNS stem partly from the lack of authenticity and integrity checking of the data it carries, and partly from other protocols that use host names as an access control mechanism. The most common types of DNS attacks are:

  • DNS Spoofing (also known as DNS Cache Poisoning)
  • Malicious Resolvers
  • Man-in-the-middle (MITM)

DNSSEC was designed to protect resolvers (clients) from forged DNS data, such as the records injected by cache poisoning. It is a set of extensions to DNS that gives resolvers:

  • Origin authentication and data integrity: a DNSSEC-capable resolver can cryptographically verify that the DNS data it receives is identical to the data published on the authoritative name server. Every record set is signed (RRSIG) with a key published in the zone (DNSKEY), and the zone's key is vouched for by a DS record in the parent zone, so the data is authenticated as it transits the Internet. Note that it is authenticated, not encrypted: DNSSEC provides no confidentiality.
  • Authenticated denial of existence: a DNSSEC-capable resolver can verify a signed proof (NSEC/NSEC3) that a name or record type really does not exist, so a forged "no such domain" answer is detected as well.

To activate DNSSEC you'll need three things:

  1. gTLD/ccTLD (generic/country-code Top-Level Domain) support for DNSSEC.
  2. A registrar that accepts DS records (Delegation Signer) and publishes them in the Top-Level Domain (TLD) zone for your domain.
  3. An authoritative name server that supports DNSSEC and can (re)sign your DNS zone.

Since an example is worth a thousand words, I'll use the following:

  1. .net as a gTLD, which already supports DNSSEC.
  2. A .net domain whose registrar already supports DNSSEC (see the picture below):
  3. BIND as the authoritative name server, configured like this:

    Activate DNSSEC in /etc/named.conf:
    options {
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
    };

    Caveat: these options reflect the BIND 9.9/9.10 era. DNSSEC Lookaside Validation (DLV, the dnssec-lookaside option) has since been retired and should be dropped on current servers, and dnssec-enable is obsolete in recent BIND releases. Also note that dnssec-validation only controls whether this server validates answers it resolves for its clients; it has nothing to do with signing your own zone, which is done by the key generation and dnssec-signzone steps below.

    Before creating the ZSK (Zone Signing Key) and the KSK (Key Signing Key), install haveged. Without it, a headless server with little entropy may make you wait several minutes for the two keys to generate. Create a directory to store the keys:
    mkdir /etc/pki/dnssec-keys/

    Generate the keys. The zone name follows -n ZONE; the command below produces the KSK (marked with -f KSK), and the ZSK is generated with the same command without -f KSK (a shorter key, e.g. -b 2048, is customary for the ZSK because it is rolled more often):
    cd /etc/pki/dnssec-keys/
    dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE
    Caveat: NSEC3RSASHA1 (algorithm 7) is SHA-1 based and is no longer recommended for new signing; current guidance prefers RSASHA256 (8) or ECDSAP256SHA256 (13). The rest of the procedure is the same whichever algorithm you pick.

    Now there are four files (a public/private pair for the ZSK and one for the KSK) in /etc/pki/dnssec-keys/, named K<zone>+<alg>+<keytag>.key (public, a DNSKEY record in zone-file syntax) and .private:
    [xxx]# ls -la /etc/pki/dnssec-keys/

    Add the public keys to the unsigned zone file under /var/named/master/ (with the -S option used below, dnssec-signzone also pulls matching keys from the key directory by itself, so this step is optional, but it keeps the DNSKEY records visible in the zone you edit):
    cd /etc/pki/dnssec-keys/
    for key in *.key; do
        echo "\$INCLUDE /etc/pki/dnssec-keys/$key" >> /var/named/master/
    done

    Sign the zone. -o gives the zone origin, -e +3024000 makes the signatures expire 35 days from now (so you must re-sign before then), -N INCREMENT bumps the SOA serial in the signed output, and the last argument is the unsigned zone file (the zone name and file name are written as placeholders here):
    cd /var/named/master/
    dnssec-signzone -S -K /etc/pki/dnssec-keys -e +3024000 -o <zone> -N INCREMENT <zonefile>

    A <zonefile>.signed file is generated next to the input (dnssec-signzone appends .signed by default). Point the zone at it in /etc/named.conf, replacing the unsigned file:
    zone "<zone>" in {
        type master;
        file "/var/named/master/<zonefile>.signed";
    };

    I suggest editing only the unsigned zone file from now on and regenerating the signed file every time you make a change, using the following script. ZONE and ZONEDIR hold the zone name and its directory, and the unsigned zone is expected to be stored as $ZONE.db:

    [xxx]# cat
    #!/bin/bash
    set -e
    cd "$ZONEDIR"
    # named-checkzone reports "loaded serial NNNNNNNNNN"; take the 10-digit serial and bump it in place
    SERIAL=$(/usr/sbin/named-checkzone "$ZONE" "$ZONE.db" | grep -Eo '[0-9]{10}' | head -n1)
    sed -i "s/$SERIAL/$((SERIAL+1))/" "$ZONE.db"
    # re-sign with the same options as above; the serial was already bumped, so -N INCREMENT is not needed
    dnssec-signzone -S -K /etc/pki/dnssec-keys -e +3024000 -o "$ZONE" "$ZONE.db"
    systemctl restart named

    The serial bump relies on the YYYYMMDDnn (10-digit) serial convention; adjust the pattern if your zone uses a different one. `rndc reload` avoids a full restart of named, and the -e expiry above is the reason this script must run at least once every few weeks even without zone changes.

    Let's go back to step 2: dnssec-signzone also wrote a dsset- file (named after the zone) next to the signed zone, and it contains exactly the DS records I mentioned above, one per digest type (1 = SHA-1, 2 = SHA-256), each carrying the KSK's key tag (50703) and algorithm (7 = NSEC3RSASHA1):
    [xxx]# cat dsset-<zone>.
    <zone>. IN DS 50703 7 1 AD819997BE5847844F55B70987F9BA1630DCD682
    <zone>. IN DS 50703 7 2 8535A8C0EC3638F72DA84C87C65D4AF2F2624D8184159E516E3C3FBA D3018065

    On the registrar's web page, fill in the form (see the image below) with the data from this file: key tag, algorithm, digest type and digest. Some registrars ask for the DNSKEY instead and compute the DS themselves. Either way, double-check that the DS they publish matches your KSK before it goes live: a DS that matches no DNSKEY in the zone breaks the chain of trust, and every validating resolver will then answer SERVFAIL for your domain.

    Restart DNS daemon (bind/named) and you're all set.
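    Before handing the DS records to the registrar it is worth checking, independently of dnssec-signzone, that they really are derived from your KSK. The script below is an added example written for this post (it is neither BIND's code nor the original author's). It rebuilds DS records from a DNSKEY the way RFC 4034 describes (key tag over the DNSKEY RDATA, digest over the owner name in wire form followed by the RDATA) and compares them with dsset-style lines. The DNSKEY line is a constructed placeholder for example.net. with a toy 8-byte public key, so its key tag and digests belong to no real zone; the derivation is identical for a real 4096-bit RSA key.

```python
"""Re-derive DS records from a DNSKEY and check them against dsset-style lines.

Added example for this post; not BIND's code. RFC 4034 section 5.1.4 defines
the DS digest as hash(owner name in canonical wire form || DNSKEY RDATA), and
Appendix B defines the key tag.
"""
import base64
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample: a KSK line as dnssec-keygen leaves it in K<zone>+007+<tag>.key.
# Flags 257 = zone key + SEP bit (KSK), protocol 3, algorithm 7 = NSEC3RSASHA1.
# The public key is a toy 8-byte placeholder, not a real RSA key.
KSK_LINE = "example.net. IN DNSKEY 257 3 7 AwEAAcD/7kI="


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminating root label."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [TTL] [IN] DNSKEY flags proto alg base64key...' into its fields."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # the key may be wrapped
    return fields[0].lower(), flags, proto, alg, pubkey


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags(2) proto(1) alg(1) key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags: int) -> str:
    """Flag bit 15 (SEP) marks a KSK: 257 -> KSK, 256 -> ZSK."""
    return "KSK" if flags & 1 else "ZSK"


def ds_records(dnskey_line: str, digest_types=(1, 2)) -> list:
    """Return the DS RRs, as dsset-style text lines, for one DNSKEY."""
    owner, flags, proto, alg, pubkey = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    tag = key_tag(rdata)
    lines = []
    for dt in digest_types:
        digest = DIGEST_ALGS[dt](name_to_wire(owner) + rdata).hexdigest().upper()
        lines.append(f"{owner} IN DS {tag} {alg} {dt} {digest}")
    return lines


def parse_ds(line: str):
    """Parse a dsset line; BIND wraps long digests, so join the trailing fields."""
    fields = line.split()
    idx = fields.index("DS")
    tag, alg, dt = (int(x) for x in fields[idx + 1:idx + 4])
    return fields[0].lower(), tag, alg, dt, "".join(fields[idx + 4:]).upper()


def ds_matches_dnskey(ds_line: str, dnskey_line: str) -> bool:
    """True only if the DS (e.g. what the registrar will publish) was derived from this DNSKEY."""
    owner, tag, alg, dt, digest = parse_ds(ds_line)
    if dt not in DIGEST_ALGS:
        return False  # unknown digest type: cannot be checked, so do not publish it
    expected = parse_ds(ds_records(dnskey_line, (dt,))[0])
    return (owner, tag, alg, dt, digest) == expected


if __name__ == "__main__":
    _, flags, _, _, _ = parse_dnskey(KSK_LINE)
    print(f"role: {key_role(flags)}")
    for ds in ds_records(KSK_LINE):
        print(ds, "OK" if ds_matches_dnskey(ds, KSK_LINE) else "MISMATCH")
```

    Run it against the real K<zone>+007+<tag>.key file for your KSK by pasting its DNSKEY line into KSK_LINE, then feed the lines from the dsset- file (or the values the registrar shows you) to ds_matches_dnskey; a single changed hex digit, a wrong key tag or a DS computed for the ZSK instead of the KSK all come back False.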

To check whether a domain is DNSSEC signed you could use a website such as: or simply install an add-on for your browser. From the command line, `dig +dnssec <name>` against a validating resolver shows the RRSIG records and, when validation succeeded, the `ad` (authenticated data) flag in the header; `delv`, shipped with BIND, prints the validation result directly.
