DNSSEC – HOWTO for idiots like me

There seem to be plenty of DNSSEC HOWTOs on the Web, but I’m struggling to find a compendium of the steps I need to perform in order to secure my zone and trust others.

Securing a zone

Before doing anything, it’s worth creating a directory structure in which each zonefile resides in its own directory: /etc/bind/zonename/zonefile
The zonefile should have the same name as the zone until it’s signed, at which point the signed copy is named zonename.signed. Generated ZSKs and KSKs should reside in the directory of the zone they relate to. Don’t forget to update named.conf.local to reflect changes in the name and location of the zonefiles.


options {
    // dnssec-enable is obsolete in recent BIND 9 releases, where DNSSEC is always enabled
    dnssec-enable yes;
    dnssec-validation yes;
};

Generate Keys

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE zonename
dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK zonename

Add keys to zonefile

; The file name is K<zonename>.+<algorithm>+<key tag>; RSASHA1 is algorithm 005
; Zone Signing Key
$INCLUDE Kzonename.+005+11111.key
; Key Signing Key
$INCLUDE Kzonename.+005+22222.key
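
To tell the two generated key files apart, look at the flags field of the DNSKEY record inside each .key file (256 for the ZSK, 257 for the KSK); the number at the end of the file name is the key tag. The following is an added example, not part of the original post: it recomputes the key tag (RFC 4034 Appendix B), builds the $INCLUDE lines, and warns about algorithms that RFC 8624 discourages for signing. The zone name example.com and the two DNSKEY lines are constructed sample input.

```python
import base64

# RFC 8624 discourages signing with these (MD5, DSA and SHA-1 based algorithms).
WEAK_ALGS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}

def parse_dnskey(line):
    """Split one 'owner [ttl] [IN] DNSKEY flags proto alg base64' record from a K*.key file."""
    fields = line.split(";")[0].split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    return fields[0], flags, proto, alg, base64.b64decode("".join(fields[i + 4:]))

def key_tag(flags, proto, alg, key):
    """RFC 4034 Appendix B key tag: 16-bit sum over the DNSKEY RDATA with the carry folded in."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def include_lines(key_lines):
    """Return ($INCLUDE lines for the zone file, warnings) for the given DNSKEY records."""
    out, warnings = [], []
    for line in key_lines:
        owner, flags, proto, alg, key = parse_dnskey(line)
        if not flags & 0x0100:
            warnings.append(f"{owner} flags={flags}: Zone Key bit not set, skipped")
            continue
        tag = key_tag(flags, proto, alg, key)
        # The SEP bit (value 1) marks a KSK: flags 257. A ZSK has flags 256.
        out.append("; Key Signing Key" if flags & 1 else "; Zone Signing Key")
        out.append(f"$INCLUDE K{owner}+{alg:03d}+{tag:05d}.key")
        if alg in WEAK_ALGS:
            warnings.append(f"tag {tag}: algorithm {alg} ({WEAK_ALGS[alg]}) is discouraged for signing")
    return out, warnings

# Constructed sample records: toy key material, not usable keys.
SAMPLE = [
    "example.com. IN DNSKEY 256 3 5 AwEAAcE=",
    "example.com. IN DNSKEY 257 3 5 AwEAAcE=",
]

if __name__ == "__main__":
    lines, warns = include_lines(SAMPLE)
    print("\n".join(lines))
    print("\n".join("warning: " + w for w in warns))
```
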

Sign the Zone

dnssec-signzone zonefile
Output is zonefile.signed

Validate the zonefile

donuts zonefile.signed zonename

Publish the signed zone

In named.conf.local:
zone "zonename" {
    type master;
    file "/etc/bind/zonename/zonefile.signed";
};


Check that the server returns RRSIG records for the zone:
dig zonename SOA +dnssec +multiline
