Enabling DNSSEC with BIND v9

Source: https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2

Add this to the options stanza,

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

Install and run Haveged in case your random generator is weak,

cat /proc/sys/kernel/random/entropy_avail
yum install haveged
service haveged start
chkconfig haveged on

Create the Zone Signing Key (ZSK) and Key Signing Key (KSK) pairs for every zone,

grep zone /etc/named.conf
domain=example.local
network=192.168.2
arpa=2.168.192.in-addr.arpa

cd /var/named/

dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE $domain
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE $domain
for key in `ls K$domain*.key`; do
    echo adding this DNSKEY record:
    grep DNSKEY $key
    echo -n to $domain.db...
    echo "\$INCLUDE $key" >> $domain.db && echo done
done; unset key
dnssec-signzone -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -A -N increment -o $domain -t $domain.db
ls -lhF $domain.db.signed
ls -lhF /var/named/dsset-$domain.

dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE $arpa
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE $arpa
for key in `ls K$arpa*.key`; do
    echo adding this DNSKEY record:
    grep DNSKEY $key
    echo -n to $network.db...
    echo "\$INCLUDE $key" >> $network.db && echo done
done; unset key
dnssec-signzone -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -A -N increment -o $arpa -t $network.db
ls -lhF $network.db.signed
ls -lhF /var/named/dsset-$arpa.

Point to those new *.signed zone files within named.conf and reload named,

vi /etc/named.conf
service named-chroot reload

and check,

host -t DNSKEY $domain localhost
host -t DNSKEY $arpa localhost

HOME | GUIDES | BENCHMARKS | html