DNSSEC (Domain Name System Security Extensions) adds origin authentication and integrity protection to DNS data: a zone signs its records with a private key, publishes the public key as DNSKEY records, and a validating resolver checks the signatures through a chain of trust anchored at the root. It lets a resolver detect forged or tampered responses (cache poisoning, on-path rewriting); it does not encrypt DNS traffic, so queries and answers remain readable to anyone on the path.
DNSSEC uses a hierarchical chain of trust with two primary types of keys, plus an optional third for simplified deployments:
KSK (Key Signing Key): signs the zone's DNSKEY RRset; a digest of it is published as the DS record in the parent zone, which is what links the zone into the chain of trust. Rolling it requires a change at the parent.
ZSK (Zone Signing Key): signs the zone's data records; it can be rolled without touching the parent, which is why it is usually rotated more often.
CSK (Combined Signing Key): a single key used for both roles; simpler to operate, at the cost that every rollover involves the parent.
Note: DNSSEC only uses KSK and ZSK (or optionally CSK). Any other key type references are non-standard.
To enable DNSSEC validation on a recursive resolver (options block in named.conf):
options {
    // dnssec-enable is obsolete: deprecated in BIND 9.16 and removed in 9.18, so do not add it
    dnssec-validation auto; // Validate using the built-in IANA root trust anchor, kept current via RFC 5011
    // Or validate only against trust anchors you configure yourself, which then requires
    // a trust-anchors statement for the root key in named.conf:
    // dnssec-validation yes;
};
Generate both KSK and ZSK for your zone. The -f KSK flag sets the SEP bit (key flags 257 instead of 256); without it dnssec-keygen produces a ZSK, so the "KSK" would never be recognised as one:
# Generate KSK (Key Signing Key) - RSA with at least 2048 bits
dnssec-keygen -K /etc/bind/keys -a RSASHA256 -b 2048 -f KSK -n ZONE example.com
# Generate ZSK (Zone Signing Key) - also 2048 bits; 1024-bit RSA is below current recommendations and should not be used for new keys
dnssec-keygen -K /etc/bind/keys -a RSASHA256 -b 2048 -n ZONE example.com
Alternative with ECDSA (smaller signatures and DNSKEY records, faster validation; the key size is fixed by the curve, so no -b is needed):
# Generate KSK with ECDSA
dnssec-keygen -K /etc/bind/keys -a ECDSAP256SHA256 -f KSK -n ZONE example.com
# Generate ZSK with ECDSA
dnssec-keygen -K /etc/bind/keys -a ECDSAP256SHA256 -n ZONE example.com
This creates files like:
Kexample.com.+008+12345.key (public key, as a DNSKEY record in zone-file form)
Kexample.com.+008+12345.private (private key; keep it mode 0600 and never copy it into the zone)
Here 008 is the DNSSEC algorithm number (RSASHA256; ECDSAP256SHA256 is 013) and 12345 is the key tag.
Sign your zone file with the generated keys:
# Sign the zone: -S finds the zone's keys in the key directory, -o sets the origin, -N INCREMENT bumps the SOA serial
dnssec-signzone -S -K /etc/bind/keys -o example.com -N INCREMENT /etc/bind/db.example.com
# Output: the signed zone is written next to the input as db.example.com.signed,
# and the DS records for the KSK are written to dsset-example.com.
Update your zone definition to serve the signed zone file. When you sign manually like this, do not also set auto-dnssec or inline-signing: both expect the unsigned file and would produce a second .signed copy of their own.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com.signed"; // Point to signed file
};
Signatures made by dnssec-signzone expire (30 days after signing by default), so the zone must be re-signed and reloaded before then, or validating resolvers will start returning SERVFAIL for it.
Extract DS records to submit to your domain registrar. Only the KSK is referenced by the parent; a DS for the ZSK would tie every ZSK rollover to the registrar.
# Extract a DS record (SHA-256 digest) from the KSK's public key file
dnssec-dsfromkey -a SHA-256 Kexample.com.+008+12345.key
# Or from the signed zone: reads the DNSKEY RRset from the file and emits a DS for each key with the KSK flag set
dnssec-dsfromkey -a SHA-256 -f /etc/bind/db.example.com.signed example.com
Submit these DS records to your domain registrar to establish the chain of trust, and confirm the parent actually publishes them (dig DS on your zone name) before relying on validation.
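What dnssec-dsfromkey does under the hood is specified in RFC 4034: the key tag is a 16-bit checksum over the DNSKEY RDATA (Appendix B) and the DS digest is a hash over the canonical owner name followed by that RDATA (section 5.1.4). The following is an added example, not code from the page or from BIND, that builds a DS record from a DNSKEY in zone-file form. The two sample keys are constructed (flags 257 and 256 with the key bytes 01 02 03 04, not real key material), so the resulting key tag 2068 can be checked by hand; the ZSK is refused because the parent should only reference KSKs.

```python
import base64
import hashlib
import struct

# Constructed sample keys in zone-file form (NOT real keys: the key material is the bytes
# 01 02 03 04, chosen so the key tag can be checked by hand). Flags 257 = KSK, 256 = ZSK.
SAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="
SAMPLE_ZSK = "example.com. 3600 IN DNSKEY 256 3 13 AQIDBA=="

# DS digest types from the IANA registry; SHA-1 (type 1) is deliberately left out
DIGEST_TYPES = {2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lower-case, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def parse_dnskey(rr: str):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg key...' into (owner, RDATA bytes)."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))  # key text may be split across several tokens
    return fields[0], struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(rr: str) -> bool:
    """True when the SEP flag (bit 15 of the flags field) is set, i.e. flags 257 rather than 256."""
    flags = struct.unpack("!H", parse_dnskey(rr)[1][:2])[0]
    return bool(flags & 1)


def ds_record(rr: str, digest_type: int = 2) -> str:
    """DS RR for a KSK (RFC 4034 s5.1.4): digest over canonical owner name + DNSKEY RDATA."""
    if not is_ksk(rr):
        raise ValueError("refusing to emit a DS for a ZSK; the parent should only reference KSKs")
    owner, rdata = parse_dnskey(rr)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    # Same presentation form as dnssec-dsfromkey: owner IN DS keytag algorithm digesttype digest
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


if __name__ == "__main__":
    print(ds_record(SAMPLE_KSK))
```

Feed it the contents of your real K*.key file (one DNSKEY line) and compare the output with dnssec-dsfromkey; a mismatch in the key tag usually means the flags field differs, which is how a ZSK accidentally published as a KSK shows up.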
DEPRECATED: The auto-dnssec workflow (shown below) was removed in BIND 9.19/9.20. It is only available in older ESV branches (9.16, 9.18). For BIND 9.20+ and all new deployments, use dnssec-policy instead. See the next section for details.
For zones with frequent dynamic updates, use automatic maintenance (BIND 9.16/9.18 only). named reads the key files from key-directory and honours their timing metadata, so the zone file stays unsigned on disk:
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    key-directory "/etc/bind/keys"; // Where the K*.key and K*.private files generated above live
    auto-dnssec maintain; // Automatically maintain DNSSEC signatures and follow key timing metadata
    inline-signing yes; // Enable inline signing
};
The dnssec-policy directive is the recommended way to manage DNSSEC in modern BIND versions (9.16 and later). It automates key generation, signing, signature refresh and key rollover without manual intervention, and it is the only supported mechanism in 9.20+.
BIND ships with built-in policies:
// Default policy: a single CSK (ecdsap256sha256) with unlimited lifetime; signatures are refreshed automatically
dnssec-policy default;
// No policy: named does not sign this zone (the default when the option is absent)
dnssec-policy none;
// Insecure: use to gracefully unsign a previously signed zone (remove the DS at the parent first)
dnssec-policy insecure;
Define a custom policy in named.conf. Durations accept ISO 8601 values (P1Y, P90D) as well as TTL-style values (1h, 5m) or plain seconds:
dnssec-policy "my-policy" {
    keys {
        // KSK: 2048-bit RSA, lifetime of 1 year
        ksk lifetime P1Y algorithm rsasha256 2048;
        // ZSK: 2048-bit RSA, lifetime of 90 days (1024-bit RSA is no longer acceptable for new keys)
        zsk lifetime P90D algorithm rsasha256 2048;
    };
    // Longest TTL of any record in the zone; bounds how long stale RRSIGs can remain cached during a rollover
    max-zone-ttl 86400;
    // TTL of the DS RRset at the parent, and how long the parent takes to publish a new DS (used for KSK rollovers)
    parent-ds-ttl 3600;
    parent-propagation-delay 1h;
    // Extra margin before a newly published key is assumed visible to every cache
    publish-safety 1h;
    // Extra margin before a retired key is removed from the zone
    retire-safety 1h;
    // Time for every secondary to load and serve a new version of the zone
    zone-propagation-delay 5m;
};
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
dnssec-policy "my-policy"; // or "default"
inline-signing yes;
};
For smaller signatures and faster validation (no key size is given for ECDSA, since the curve fixes it):
dnssec-policy "ecdsa-policy" {
    keys {
        ksk lifetime P1Y algorithm ecdsap256sha256;
        zsk lifetime P90D algorithm ecdsap256sha256;
    };
    max-zone-ttl 86400;
    parent-ds-ttl 3600;
    parent-propagation-delay 1h;
    publish-safety 1h;
    retire-safety 1h;
    zone-propagation-delay 5m;
};
With dnssec-policy, key rollovers are scheduled by named from the policy timers and no manual dnssec-settime calls are needed; the manual procedure below applies to the auto-dnssec workflow, which has been removed in BIND 9.19/9.20. Regularly rotate your DNSSEC keys for security:
Use dnssec-settime to schedule key rollovers. A pre-publication ZSK rollover needs two keys: the successor is published first and only starts signing once every cache can have seen it, and the old key stays in the zone until no cache can still hold a signature it made. Dates are absolute (YYYYMMDD or YYYYMMDDHHMMSS) or offsets from now (+30d); 54321 below stands for the successor's key tag.
# Create the successor with the same algorithm and size as the old key, to be published 30 days before it takes over
dnssec-keygen -K /etc/bind/keys -S Kexample.com.+008+12345 -i 30d
# Old key: stop signing with it in 30 days, remove it from the zone 30 days after that
dnssec-settime -K /etc/bind/keys -I +30d -D +60d Kexample.com.+008+12345
# New key: publish now, start signing with it when the old key goes inactive
dnssec-settime -K /etc/bind/keys -P now -A +30d Kexample.com.+008+54321
# -P: publish date (DNSKEY appears in the zone)
# -A: activation date (key starts signing)
# -I: inactive date (key stops signing but stays published)
# -D: deletion date (DNSKEY removed from the zone)
# -K is the key directory, not a date
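The intervals behind those dnssec-settime dates are what the dnssec-policy timers above encode: the new key may activate only after the DNSKEY TTL plus zone propagation (plus publish-safety) has elapsed, and the old key may be deleted only after every RRSIG it made has been replaced and the longest record TTL plus zone propagation (plus retire-safety) has elapsed. The following is an added example, not code from the page or from BIND, that computes a pre-publication ZSK rollover schedule (the method in RFC 7583) from constructed policy values and renders it as dnssec-settime commands; the resign_delay field (RFC 7583's Dsgn) and the key names Kexample.com.+008+12345 and Kexample.com.+008+54321 are assumptions. Timestamps are treated as UTC.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RolloverPolicy:
    """Timing inputs in seconds, named after the dnssec-policy timers. Values are constructed."""
    dnskey_ttl: int              # TTL of the zone's DNSKEY RRset
    max_zone_ttl: int            # max-zone-ttl: longest TTL of any signed RRset
    zone_propagation_delay: int  # zone-propagation-delay: time for every secondary to serve a new zone version
    publish_safety: int          # publish-safety margin
    retire_safety: int           # retire-safety margin
    resign_delay: int            # Dsgn in RFC 7583 (assumed input): time until every RRSIG by the old ZSK is replaced


def _parse_stamp(stamp: str) -> datetime:
    """YYYYMMDDHHMMSS, the absolute date form dnssec-settime accepts, interpreted as UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def zsk_prepublish_rollover(policy: RolloverPolicy, publish_at: str) -> dict:
    """Pre-publication ZSK rollover (RFC 7583) with the policy's safety margins added.

    Ipub = DNSKEY TTL + zone propagation + publish-safety: only after this can every cache
    have seen the new DNSKEY, so only then may the new ZSK start signing.
    Iret = Dsgn + max-zone-ttl + zone propagation + retire-safety: only after this can no
    cache still hold an RRSIG made by the old ZSK, so only then may it be deleted.
    """
    tpub = _parse_stamp(publish_at)
    ipub = timedelta(seconds=policy.dnskey_ttl + policy.zone_propagation_delay + policy.publish_safety)
    iret = timedelta(seconds=policy.resign_delay + policy.max_zone_ttl
                     + policy.zone_propagation_delay + policy.retire_safety)
    tact = tpub + ipub   # new ZSK activates; old ZSK goes inactive at the same moment
    trem = tact + iret   # old ZSK may be deleted
    # Keyed by the dnssec-settime option that sets each event: -P publish, -A activate, -I inactive, -D delete
    return {"new": {"P": tpub, "A": tact}, "old": {"I": tact, "D": trem}}


def settime_commands(schedule: dict, old_key: str, new_key: str) -> list:
    """Render the schedule as dnssec-settime invocations with absolute YYYYMMDDHHMMSS dates."""
    def stamp(t: datetime) -> str:
        return t.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")
    new_opts = " ".join(f"-{opt} {stamp(t)}" for opt, t in schedule["new"].items())
    old_opts = " ".join(f"-{opt} {stamp(t)}" for opt, t in schedule["old"].items())
    return [f"dnssec-settime {new_opts} {new_key}", f"dnssec-settime {old_opts} {old_key}"]


if __name__ == "__main__":
    # Constructed policy: 1h DNSKEY TTL, 1d max zone TTL, 5m propagation, 1h safety margins, 5d re-sign delay
    policy = RolloverPolicy(dnskey_ttl=3600, max_zone_ttl=86400, zone_propagation_delay=300,
                            publish_safety=3600, retire_safety=3600, resign_delay=5 * 86400)
    plan = zsk_prepublish_rollover(policy, "20250101000000")
    # Key names are placeholders: 12345 is the page's example tag, 54321 the assumed successor
    for cmd in settime_commands(plan, "Kexample.com.+008+12345", "Kexample.com.+008+54321"):
        print(cmd)
```

With these values the successor activates 2h05m after publication and the old key is deleted a further 6d01h05m later; shrinking any margin below the matching TTL is exactly the mistake that produces intermittent SERVFAIL from caches during a rollover.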
Verify DNSSEC is working properly (replace resolver with the address of your validating recursive resolver):
# Ask a validating resolver; the "ad" flag is set by the resolver, so querying the authoritative server directly never shows it
dig @resolver +dnssec example.com
# Look for "ad" in the "flags:" line of the response (Authenticated Data)
# If present, DNSSEC validation succeeded; a SERVFAIL that turns into an answer with +cd means validation failed
dig @resolver +dnssec +cd example.com
# Check DS records at parent zone
dig @resolver +dnssec example.com DS
# Show the full validation chain with delv, which ships with BIND
delv @resolver example.com
# Validate the signed zone file: syntax with named-checkzone, signatures with dnssec-verify (there is no dnssec-checkzone tool)
named-checkzone example.com /etc/bind/db.example.com.signed
dnssec-verify -o example.com /etc/bind/db.example.com.signed
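Reading dig output correctly is where most "DNSSEC is broken" reports go wrong: an answer from the authoritative server carries RRSIGs but never the "ad" flag, a non-validating resolver returns RRSIGs without "ad", and a validation failure shows up as SERVFAIL rather than as a missing flag. The following is an added example, not code from the page or from BIND, that classifies captured dig output into those cases. The four dig outputs are constructed (abridged to the header and answer lines, with "<sig>" standing in for signature data); run it on real output by piping dig into it.

```python
import re
import sys

# Constructed dig outputs, abridged to the lines the checker reads. "<sig>" replaces real signature data.
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  3600  IN  A      192.0.2.1
example.com.  3600  IN  RRSIG  A 13 2 3600 20250201000000 20250101000000 2068 example.com. <sig>
"""
AUTHORITATIVE = VALIDATED.replace("flags: qr rd ra ad;", "flags: qr aa rd;")
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  3600  IN  A      192.0.2.1
"""
SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def parse_dig(output: str) -> dict:
    """Pull the rcode, the header flags and the number of RRSIGs in the ANSWER section out of dig output."""
    status = re.search(r"status: (\w+)", output)
    flags_m = re.search(r"^;; flags:([^;]*);", output, re.M)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    rrsigs = 0
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not line.strip():
            in_answer = False      # a blank line ends the section
            continue
        if in_answer and not line.startswith(";"):
            fields = line.split()  # owner ttl class type rdata...
            if len(fields) > 3 and fields[3] == "RRSIG":
                rrsigs += 1
    return {"status": status.group(1) if status else None, "flags": flags, "rrsigs": rrsigs}


def dnssec_verdict(output: str) -> str:
    """Classify a +dnssec query result; only 'validated' means a validating resolver authenticated the data."""
    r = parse_dig(output)
    if r["status"] == "SERVFAIL":
        return "servfail"             # usual cause is a validation failure: rerun with +cd to see the unvalidated data
    if "ad" in r["flags"]:
        return "validated"            # the resolver verified the chain from the trust anchor down
    if r["rrsigs"] and "aa" in r["flags"]:
        return "signed-authoritative"  # answered by the authoritative server itself; ad is never set there
    if r["rrsigs"]:
        return "signed-unvalidated"   # RRSIGs present but this resolver did not validate (not configured, no trust anchor)
    return "unsigned"                 # no RRSIGs at all: the zone is not signed or the resolver stripped them


if __name__ == "__main__":
    # Usage: dig @resolver +dnssec example.com | python3 this_script.py
    print(dnssec_verdict(sys.stdin.read()))
```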
Common issues and solutions:
dnssec-signzone