Every time I add a new domain, I wade through the process of how to generate the required keys and how to get the records that need to be published at my upstream registrar. Hopefully this will help in future!
First off, some assumptions:
- Bind is installed and running
- Zones are in /etc/bind/zones
- Keys are in /etc/bind/keys
- The zone to secure with DNSSEC already has an active zone file (without DNSSEC).
- You have root (or sudo) access
Generate the zone keys (the first command creates the ZSK, the second, with -fk, the KSK):
dnssec-keygen -a RSASHA256 -b 2048 -3 newzone.org
dnssec-keygen -a RSASHA256 -b 2048 -3 -fk newzone.org
If your TLD supports it, you should probably use ED25519 (algorithm 15) instead of RSASHA256 (algorithm 8). At the time of writing, there isn’t much support for ED25519.
Edit the zone file
Insert the following new lines into the zone configuration:
On my system, the systemd service is called named. Yours may differ.
systemctl reload named.service
Sign the zone
rndc signing -nsec3param 1 0 10 deadbeef newzone.org
(Where 1 0 10 deadbeef are the NSEC3 hash algorithm, flags, iteration count and salt, and deadbeef is a random 4 byte hex salt. Current guidance in RFC 9276 is 0 iterations and an empty salt, since extra iterations only add resolver load without adding security.)
You can generate the random salt with:
hexdump -n 4 -e '4/4 "%08X" 1 "\n"' /dev/random
Grab the dsset record for your registrar
dig @127.0.0.1 dnskey newzone.org | dnssec-dsfromkey -f - newzone.org
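As an added example (not from the original post and not BIND's code), this is the derivation dnssec-dsfromkey performs: it turns a dig-style DNSKEY line into the DS record the parent must publish, keeps only KSKs, and checks the result against the DS the registrar actually serves. The DNSKEY line is constructed and its key material is a placeholder, not a real key.

```python
import base64
import hashlib

# Constructed sample in dig's answer-section format; the key bytes (01 02 03 04) are a placeholder, not a real key.
SAMPLE_DNSKEY_LINE = "newzone.org. 3600 IN DNSKEY 257 3 8 AQIDBA=="

def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of the owner name: lowercased, length-prefixed labels, root-terminated (RFC 4034 s6.2)."""
    labels = [lbl for lbl in owner.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B); it is an identifier, not a hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey_line(line: str):
    """Parse 'owner ttl IN DNSKEY flags proto alg base64...' into (owner, flags, alg, rdata)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))  # dig may split the base64 key across several fields
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return f[0], flags, alg, rdata

def ds_from_dnskey(line: str) -> str:
    """DS presentation record: digest type 2 is SHA-256 over owner-name wire form followed by the DNSKEY RDATA."""
    owner, flags, alg, rdata = parse_dnskey_line(line)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"

def ksk_ds_records(dig_output: str) -> list:
    """Only KSKs (flags 257, SEP bit set) go to the parent; ZSKs (flags 256) and dig's ';' comment lines are skipped."""
    records = []
    for line in dig_output.splitlines():
        if line.startswith(";") or "DNSKEY" not in line.split():
            continue
        if parse_dnskey_line(line)[1] & 1:  # SEP bit marks the KSK
            records.append(ds_from_dnskey(line))
    return records

def ds_matches_parent(local_ds: str, parent_ds: str) -> bool:
    """Compare DS RDATA (key tag, algorithm, digest type, digest) with what the parent serves; TTL and hex case may differ."""
    rdata = lambda s: [t.upper() for t in s.split()[-4:]]
    return rdata(local_ds) == rdata(parent_ds)
```

After the registrar publishes the DS, run the comparison against the output of a DS query to the parent before relying on validation; a mismatched tag or digest means the delegation is bogus, not merely unsigned.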