There seem to be plenty of DNSSEC HOWTOs on the Web, but I'm struggling to find a compendium of the steps I need to perform in order to secure my zone and trust others.
Securing a zone
Before doing anything, it's worth creating a directory structure where each zonefile resides in its own directory, using the layout /etc/bind/zonename/zonefile.
The zonefile should be named identically to the zonename until it's signed, at which point zonefile becomes zonename.signed. Generated ZSKs and KSKs should reside within the directory of the zonename they relate to. Don't forget to update named.conf.local to reflect changes in the name and location of the zonefiles.
Enable DNSSEC
options {
dnssec-enable yes;
dnssec-validation yes;
};
Generate Keys
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE zonename
dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK zonename
Add keys to zonefile
; Zone Signing Key (RSASHA1 is DNSSEC algorithm 5, so dnssec-keygen names the files +005+; 11111 and 22222 stand in for the real key tags)
$INCLUDE Kzonename.+005+11111.key
; Key Signing Key
$INCLUDE Kzonename.+005+22222.key
Sign the Zone
dnssec-signzone zonefile
Run this from /etc/bind/zonename so the private key files (.private) next to the zonefile are found. Output is zonefile.signed.
Validate the zonefile
donuts zonefile.signed zonename
Publish the signed zone
In named.conf.local:
zone "zonename" {
type master;
file "/etc/bind/zonename/zonefile.signed";
};
Testing
dig zonename SOA +dnssec +multiline
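To make the Testing step checkable rather than eyeballed, here is an added Python example (not from the original post): it computes the DNSKEY key tag from RFC 4034 (the second number in the generated key filename), flattens a +multiline dig answer, and reports whether the resolver set the AD flag, whether RRSIGs are present, and whether every RRSIG references a DNSKEY that was actually returned. The dig output, the zone name example.test and the key material are constructed for the example.

```python
import base64
import re
# Constructed sample of `dig zonename DNSKEY +dnssec +multiline` output (not real
# zone data): one KSK DNSKEY record and the RRSIG covering the DNSKEY RRset.
SAMPLE_DIG_OUTPUT = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.test.   3600 IN DNSKEY 257 3 5 (
                AQIDBA==
                ) ; KSK; alg = RSASHA1 ; key id = 2060
example.test.   3600 IN RRSIG DNSKEY 5 2 3600 (
                20240101000000 20231201000000 2060 example.test.
                c2lnbmF0dXJl )
"""

def dnskey_key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 App. B key tag (not for alg 1): the NNNNN in Kzonename.+AAA+NNNNN.key."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def flatten_records(text):
    """Join +multiline records into one token list each, dropping ';' comments."""
    records, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            records.append(" ".join(buf).split())
            buf = []
    return records

def verify_dig_output(text):
    """AD flag set? RRSIGs present? Each RRSIG's (alg, key tag) matches a DNSKEY?"""
    m = re.search(r"^;; flags: ([^;]*);", text, re.M)
    validated = "ad" in (m.group(1).split() if m else [])
    key_tags, rrsigs = set(), []
    for rec in flatten_records(text):
        if len(rec) >= 8 and rec[3] == "DNSKEY":  # key base64 may span lines
            flags, proto, alg = map(int, rec[4:7])
            key_tags.add((alg, dnskey_key_tag(flags, proto, alg, "".join(rec[7:]))))
        elif len(rec) >= 12 and rec[3] == "RRSIG":
            rrsigs.append((int(rec[5]), int(rec[10])))  # (algorithm, key tag)
    return {"validated": validated, "signed": bool(rrsigs),
            "keys_match": bool(rrsigs) and all(s in key_tags for s in rrsigs)}
```

Feed it the real output of `dig zonename DNSKEY +dnssec +multiline` against a validating resolver; a missing `ad` flag or an RRSIG whose key tag matches no returned DNSKEY is the first thing to chase.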