Warning: this guide might be outdated, as we now use NSD for DNSSEC here. Still, the nice thing about the BIND tools is that you also get a ZSK DS.
Add this to the options stanza,
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
Install and run Haveged in case your random generator is weak,
cat /proc/sys/kernel/random/entropy_avail
yum install haveged
service haveged start
chkconfig haveged on
Create the Zone Signing Key (ZSK) and Key Signing Key (KSK) pairs for every zone,
grep zone /etc/named.conf
domain=example.local
network=192.168.2
arpa=2.168.192.in-addr.arpa
cd /var/named/
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE $domain
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE $domain
for key in K$domain*.key; do
echo adding this DNSKEY record:
grep DNSKEY $key
echo -n to $domain.db...
echo "\$INCLUDE $key" >> $domain.db && echo done
done; unset key
dnssec-signzone -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -A -N increment -o $domain -t $domain.db
ls -lhF $domain.db.signed
ls -lhF /var/named/dsset-$domain.
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE $arpa
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE $arpa
for key in K$arpa*.key; do
echo adding this DNSKEY record:
grep DNSKEY $key
echo -n to $network.db...
echo "\$INCLUDE $key" >> $network.db && echo done
done; unset key
dnssec-signzone -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -A -N increment -o $arpa -t $network.db
ls -lhF $network.db.signed
ls -lhF /var/named/dsset-$arpa.
Point to those new *.signed zone files within named.conf and reload named,
vi /etc/named.conf
service named-chroot reload
and check,
host -t DNSKEY $domain localhost
host -t DNSKEY $arpa localhost
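As an added check that is not part of the original guide: the DS records in the dsset- file can be recomputed independently from the DNSKEY lines that `grep DNSKEY` prints, so you can confirm the key tag and digest before handing the DS to the parent zone. This is Python (not a BIND tool) so it runs without named installed; the DNSKEY line below is a constructed sample with a dummy 4-byte key, and the key-tag and digest rules follow RFC 4034 and RFC 4509.

```python
import base64
import hashlib
import re

# DS digest types (RFC 4034 / RFC 4509): 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample, same shape as the line 'grep DNSKEY K*.key' prints
# (flags 257 = KSK, protocol 3, algorithm 7 = NSEC3RSASHA1, dummy key bytes 01 02 03 04).
SAMPLE_KSK = "example.local. IN DNSKEY 257 3 7 AQIDBA=="


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY line (optional TTL/class) into (owner, RDATA bytes)."""
    m = re.match(r"(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+([^;]*)", line.strip())
    if not m:
        raise ValueError("not a DNSKEY record: " + line)
    owner, flags, proto, alg, key_b64 = m.groups()
    key = base64.b64decode("".join(key_b64.split()))
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + key
    return owner, rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(line, digest_type=2):
    """Build the DS record text for a DNSKEY line; digest = H(owner wire form || DNSKEY RDATA)."""
    owner, rdata = parse_dnskey(line)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), rdata[3], digest_type, digest)


if __name__ == "__main__":
    # Compare this output against the matching line in /var/named/dsset-<zone>.
    print(ds_record(SAMPLE_KSK))
```

Feed it the real line from `grep DNSKEY K$domain*.key` instead of the sample; the key tag and SHA-256 digest must match the dsset- file line exactly.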