DNSSEC (Domain Name System Security Extensions) adds origin authentication and integrity protection to DNS: zone data is signed with public-key cryptography, so a validating resolver can verify that a response came from the zone's legitimate signer and was not altered in transit. It does not encrypt queries or responses, so it provides no confidentiality.
DNSSEC uses a hierarchical chain of trust, anchored at the root zone, and conventionally two types of keys per zone:
KSK (Key Signing Key): signs only the zone's DNSKEY RRset. A hash of it is published in the parent zone as a DS record, which is what links the zone into the chain of trust.
ZSK (Zone Signing Key): signs every other RRset in the zone. It can be rolled without involving the parent, which is why it is usually rolled more often.
To enable DNSSEC validation on a recursive resolver (BIND named.conf):
options {
    dnssec-validation auto; // Validate using the built-in root trust anchor, kept current via RFC 5011; the default in current BIND 9
    // Or "dnssec-validation yes;", which validates only against trust anchors you configure yourself in a trust-anchors {} statement (managed-keys {} in older releases)
    // Older BIND 9 also had "dnssec-enable yes;"; it defaulted to yes and has been removed from newer releases, so leave it out
};
Generate both a KSK and a ZSK for your zone. The only thing that makes a key a KSK is the -f KSK flag, which sets the SEP bit (flags 257 instead of 256); without it you get two ZSKs:
# Generate KSK (Key Signing Key): -f KSK sets the SEP bit
dnssec-keygen -a RSASHA256 -b 2048 -f KSK -n ZONE example.com
# Generate ZSK (Zone Signing Key): no -f, so flags 256. 1024-bit RSA ZSKs were once common but are no longer advisable; use 2048 bits or switch to ECDSA
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com
Alternative with ECDSA (smaller keys and signatures, faster validation, smaller DNS responses):
# Generate KSK with ECDSA P-256; the key size is fixed by the curve, so -b is not needed
dnssec-keygen -a ECDSAP256SHA256 -f KSK -n ZONE example.com
# Generate ZSK with ECDSA P-256
dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com
Each invocation creates a key pair named K<zone>.+<algorithm number>+<key tag>, for example:
Kexample.com.+008+12345.key (public key, a DNSKEY record in zone-file format)
Kexample.com.+008+12345.private (private key; keep it readable only by the account that signs the zone)
Here 008 is the algorithm number for RSASHA256 (ECDSA P-256 keys use 013) and 12345 is the key tag, a 16-bit checksum of the DNSKEY RDATA that also appears in RRSIG and DS records.
Sign your zone file with the generated keys:
# Sign the zone: -k names the KSK, the ZSK is passed as a trailing argument, both without the .key/.private suffix (the ZSK id 54321 is a placeholder)
dnssec-signzone -o example.com -k Kexample.com.+008+12345 db.example.com Kexample.com.+008+54321
# Or let dnssec-signzone find the keys itself ("smart signing": keys in the current or -K directory, KSK/ZSK role taken from their flags, timing metadata honoured):
dnssec-signzone -S -o example.com db.example.com
# Output: db.example.com.signed (the input file name plus .signed) and dsset-example.com (DS records for the KSK). Signatures are valid for 30 days by default (-e), after which the zone must be re-signed
Update your zone definition to serve the signed zone file. With manual signing, do not also set auto-dnssec or inline-signing: those expect the unsigned file and maintain their own .signed copy (see the dynamic-update configuration further down), and mixing the two leaves you with two different signed zones. Remember to re-run dnssec-signzone before the RRSIGs expire.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com.signed"; // Point to signed file
};
Extract DS records to submit to your domain registrar. Only the KSK's DS goes to the parent; the ZSK is never referenced from outside the zone:
# Extract DS records from the KSK's public key
dnssec-dsfromkey Kexample.com.+008+12345.key
# Or from the signed zone: -f reads a zone file and emits DS for every DNSKEY with the KSK (SEP) flag; ZSKs are skipped unless -A is given
dnssec-dsfromkey -f db.example.com.signed example.com
# dnssec-signzone already wrote the same records to dsset-example.com
Submit these DS records to your domain registrar to establish the chain of trust. Do this only after every authoritative server is serving the signed zone: once the DS is published, validating resolvers treat an unsigned or mismatched zone as bogus and return SERVFAIL for it.
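The following is an added example, not code from the original page or from BIND: a stdlib-only Python reimplementation of what dnssec-dsfromkey computes for digest type 2 (SHA-256), so you can see where the key tag and the digest in a DS record come from (RFC 4034 Appendix B and section 5.1.4, RFC 4509) and sanity-check a DS before sending it to the registrar. The DNSKEY line and the key bytes it contains are constructed for illustration and are not a real key; the owner name and key tag 12345 in the surrounding text are likewise placeholders.

```python
"""DS record generation from a DNSKEY (added example, stdlib only).

Re-implements dnssec-dsfromkey's SHA-256 output: key tag per RFC 4034
Appendix B, digest = SHA-256(canonical owner name || DNSKEY RDATA).
"""
import base64
import hashlib
import struct

# Constructed stand-in for the public-key field of an RSA DNSKEY
# (exponent length 3, exponent 65537, then a fake 8-byte "modulus"). Not a real key.
SAMPLE_KEY_B64 = base64.b64encode(b"\x03\x01\x00\x01" + b"\xab" * 8).decode()
SAMPLE_DNSKEY_LINE = f"example.com. 3600 IN DNSKEY 257 3 8 {SAMPLE_KEY_B64}"

FLAG_ZONE = 0x0100  # bit 7: this DNSKEY is a zone key
FLAG_SEP = 0x0001   # bit 15: Secure Entry Point, i.e. a KSK (257 = ZONE|SEP, 256 = ZSK)


def wire_name(owner: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercased,
    each label length-prefixed, terminated by the empty root label."""
    owner = owner.rstrip(".").lower()
    out = bytearray()
    for label in (owner.split(".") if owner else []):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {owner!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum over the RDATA; this is the number in the
    key file name (K<zone>.+<alg>+<tag>) and in RRSIG/DS records."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str) -> str:
    """DS RR (digest type 2) in presentation format for the given DNSKEY.
    Refuses non-zone keys and ZSKs: only the KSK's DS belongs at the parent."""
    if not flags & FLAG_ZONE:
        raise ValueError("not a zone key (ZONE flag clear)")
    if not flags & FLAG_SEP:
        raise ValueError("ZSK given; submit the DS of the KSK (flags 257)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.').lower()}. IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


def ds_from_dnskey_line(line: str) -> str:
    """Parse one DNSKEY record in zone-file format, as found in a K*.key file
    (TTL optional, base64 possibly split across several tokens), and return its DS."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    pubkey_b64 = "".join(tokens[i + 4:])
    return ds_record(owner, flags, protocol, algorithm, pubkey_b64)


if __name__ == "__main__":
    print(ds_from_dnskey_line(SAMPLE_DNSKEY_LINE))
```

Feed it the contents of the KSK's .key file (the non-comment line) and compare the key tag and digest with what dnssec-dsfromkey prints; a mismatch usually means the wrong file (the ZSK) or an owner name that does not match the zone apex.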
For zones with frequent dynamic updates, use automatic maintenance. Here file points at the unsigned zone; named signs into a separate db.example.com.signed that it maintains itself, re-signing RRsets before their RRSIGs expire and rolling keys according to the timing metadata on the key files:
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com"; // Unsigned zone; named keeps the signed copy itself
    key-directory "/etc/bind/keys"; // Where the K*.key/.private files live (path assumed; named must be able to read them)
    auto-dnssec maintain; // Load keys from key-directory and keep signatures fresh (deprecated in recent BIND 9 in favour of "dnssec-policy default;", which also generates and rolls keys for you)
    inline-signing yes; // Sign a copy of the zone, leaving the unsigned file untouched
};
Regularly rotate your DNSSEC keys. A ZSK rollover involves only your zone; a KSK rollover also requires publishing the new DS at the parent and waiting for the old DS to expire from caches before the old KSK is retired.
Use dnssec-settime to schedule key rollovers by writing timing metadata into the key files, which named (with auto-dnssec maintain) and dnssec-signzone -S honour:
# Pre-publish the DNSKEY now, start signing after a day (once the DNSKEY TTL has propagated), stop signing at 30 days, remove the key at 60 days
dnssec-settime -P now -A +1d -I +30d -D +60d Kexample.com.+008+12345
# -P: publish date (DNSKEY appears in the zone, but signs nothing yet)
# -A: activation date (key starts signing)
# -I: inactive date (key stops signing but stays published while its old RRSIGs age out of caches)
# -D: deletion date (DNSKEY removed from the zone)
# Each date must not precede the previous one; the gaps should exceed the relevant TTLs
Verify DNSSEC is working properly:
# Query through a validating resolver (assumed here to be on localhost) and set the DO bit so RRSIGs are returned
dig +dnssec @127.0.0.1 example.com A
# Look for the "ad" flag in the header (Authenticated Data): present means the resolver validated the answer.
# It never appears when you query an authoritative server directly. SERVFAIL here, but a normal answer with +cd (checking disabled), means the zone is bogus
# Check the DS records published at the parent zone and compare them with dsset-example.com
dig +dnssec example.com DS
# Check the signed zone file for syntax errors (dnssec-checkzone does not exist; the tool is named-checkzone)
named-checkzone example.com /etc/bind/db.example.com.signed
# Verify that every RRset in the signed zone carries a valid, unexpired signature
dnssec-verify -o example.com /etc/bind/db.example.com.signed
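As an added example, not from the original page or from BIND, here is a small stdlib-only Python checker for the two failure modes the dig commands above are meant to expose: a resolver that is not validating (no "ad" flag) and RRSIGs that have expired or are about to, which is what happens when a manually signed zone is not re-signed in time. The dig output it parses is constructed for illustration (the owner name, address, key tag 12345 and the signature bytes are not real); point it at a saved `dig +dnssec` capture instead.

```python
"""Checks over captured `dig +dnssec` output (added example, stdlib only).

Parses the header flags line and every RRSIG in the answer and reports
whether the answer was validated and whether each signature is within its
validity window as of a given time.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed dig output: header plus an A record and its RRSIG. Not a real capture.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.10
example.com.\t3600\tIN\tRRSIG\tA 8 2 3600 20240131000000 20240101000000 12345 example.com. c2lnbmF0dXJl
"""


def header_flags(dig_output: str) -> set:
    """Flags from the ';; flags:' header line, e.g. {'qr', 'rd', 'ra', 'ad'}."""
    m = re.search(r"^;; flags:([^;]*);", dig_output, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def validated(dig_output: str) -> bool:
    """True only if the resolver set AD (Authenticated Data) on the answer."""
    return "ad" in header_flags(dig_output)


def parse_timestamp(ts: str) -> datetime:
    """RRSIG expiration/inception are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_status(dig_output: str, now: datetime,
                 warn_within: timedelta = timedelta(days=7)) -> list:
    """One (covered type, key tag, status) tuple per RRSIG line, where status is
    'expired', 'not-yet-valid', 'expiring' (expires within warn_within) or 'ok'.
    RRSIG RDATA: type alg labels origTTL expiration inception keytag signer sig."""
    results = []
    for line in dig_output.splitlines():
        if line.startswith(";"):
            continue  # dig comments/headers
        f = line.split()
        if "RRSIG" not in f:
            continue
        i = f.index("RRSIG")
        covered, key_tag = f[i + 1], int(f[i + 7])
        expiration, inception = parse_timestamp(f[i + 5]), parse_timestamp(f[i + 6])
        if now > expiration:
            status = "expired"
        elif now < inception:
            status = "not-yet-valid"
        elif expiration - now <= warn_within:
            status = "expiring"
        else:
            status = "ok"
        results.append((covered, key_tag, status))
    return results


def problems(dig_output: str, now: datetime) -> list:
    """Human-readable list of findings; empty means the capture looks healthy."""
    out = []
    if not validated(dig_output):
        out.append("no AD flag: resolver did not validate (not validating, or zone bogus)")
    sigs = rrsig_status(dig_output, now)
    if not sigs:
        out.append("no RRSIG in answer: zone unsigned or DO bit not set (use dig +dnssec)")
    for covered, key_tag, status in sigs:
        if status != "ok":
            out.append(f"RRSIG over {covered} by key {key_tag} is {status}")
    return out


if __name__ == "__main__":
    for p in problems(SAMPLE_DIG, datetime.now(timezone.utc)) or ["no problems found"]:
        print(p)
```

Run it against the output of the first dig command above on a cron schedule and alert on any finding; catching an RRSIG in the "expiring" state gives you the window to re-sign before resolvers start returning SERVFAIL.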
Common issues and solutions:
dnssec-signzone