DNSSEC signing a zone

Every time I add a new domain, I wade through the process of how to generate the required keys and how to get the records that need to be published at my upstream registrar. Hopefully this will help in future!

First off, some assumptions:

  • Bind is installed and running
  • Zones are in /etc/bind/zones
  • Keys are in /etc/bind/keys
  • The zone to secure with DNSSEC already has an active zone file (without DNSSEC).
  • You have root (or sudo) access

Generate the zone keys (a ZSK and a KSK; -fk sets the KSK flag, and -3 is harmless with RSASHA256 since that algorithm already supports NSEC3). Generate them in the key directory, not the zone directory, so that named can find them:

cd /etc/bind/keys
dnssec-keygen -a RSASHA256 -b 2048 -3 newzone.org
dnssec-keygen -a RSASHA256 -b 2048 -3 -fk newzone.org

Each command prints a key name like Knewzone.org.+008+12345 and writes a .key (public) and a .private file. When generated as root the .private files are mode 600 and owned by root, so chown them to the user named runs as (bind on Debian) or signing will silently fail.

If your registrar and the parent registry accept DS records for it, you should probably use ED25519 (algorithm 15, no -b needed) instead of RSASHA256 (algorithm 8): the keys and signatures are far smaller. At the time of writing, there isn’t much support for ED25519; ECDSAP256SHA256 (algorithm 13) is the widely accepted middle ground if algorithm 15 is refused.

Edit the zone configuration

Insert the following new lines into the zone's stanza in named.conf (not into the zone file itself), and tell named where the keys live:

key-directory "/etc/bind/keys";
auto-dnssec maintain;
inline-signing yes;

auto-dnssec maintain means named loads the keys from key-directory and keeps the signatures fresh; inline-signing yes means it keeps the signed copy separately (as newzone.org.signed and a .jnl journal next to the zone file, so /etc/bind/zones must be writable by named) and leaves your unsigned zone file alone. On current BIND releases auto-dnssec is deprecated in favour of dnssec-policy, which also generates the keys for you.

Reload bind

On my system, the systemd service is called named. Yours may differ.
systemctl reload named.service

Adding inline-signing is a configuration change, so rndc reconfig works as well. Check the log afterwards: named reports when it has loaded the keys and produced the signed copy, and if it complains that no keys were found, recheck key-directory and the ownership of the files in /etc/bind/keys.

Sign the zone

With inline-signing and auto-dnssec maintain, named has already signed the zone on reload, using NSEC. This switches the signed zone to NSEC3, which makes enumerating the zone's names harder:

rndc signing -nsec3param 1 0 10 deadbeef newzone.org

The arguments are the hash algorithm (1 = SHA-1, the only one defined), the flags (0 = no opt-out), the iteration count and the salt, where deadbeef is a random 4-byte salt written as 8 hex characters. You can generate the random salt with:

hexdump -n 4 -e '4/4 "%08X" 1 "\n"' /dev/random

Note that RFC 9276 now recommends 0 iterations and no salt (pass - as the salt), since extra iterations only cost validators CPU without adding real security, and recent BIND releases refuse large iteration counts. Confirm the signing state with rndc signing -list newzone.org.

Grab the dsset record for your registrar

dig @127.0.0.1 dnskey newzone.org | dnssec-dsfromkey -f - newzone.org

dnssec-dsfromkey -f - reads the DNSKEY records from dig's output as if it were a zone file and by default only converts keys with the KSK flag (257), which is what you want. Submit the SHA-256 DS (digest type 2); pass -2 if your version also prints a SHA-1 (type 1) record. Once the registrar has published it, check from the outside with dig +dnssec DS newzone.org against a validating resolver: the DS should come back with the AD flag set. From then on, rolling the KSK means repeating this step, so keep the KSK stable and let auto-dnssec roll only the ZSK.
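A way to double-check that the DS you are about to submit really corresponds to the KSK named is serving, as an added example that is not part of the original post: it recomputes the key tag and the DS digest directly from dig's DNSKEY answer following RFC 4034, so it can be run over your own dig output independently of dnssec-dsfromkey, or against the DS line the registrar shows you after submission. The sample dig output embedded in it is constructed with toy public keys (not real RSA keys), and the DNSKEY lines are assumed to be in dig's default one-record-per-line format (not +multi).

```python
"""Recompute DS records from dig's DNSKEY answer (RFC 4034 s5.1.4 and Appendix B).

Added example, not code from the original post. Use it to check that the DS
you hand to the registrar matches the KSK that named is actually serving.
"""
import base64
import hashlib
import re

# Digest types a registrar will accept today: 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_TYPES = {2: hashlib.sha256, 4: hashlib.sha384}
KSK_FLAGS = 257  # ZONE (256) + SEP (1): only these keys get a DS by default

# Constructed sample of `dig @127.0.0.1 dnskey newzone.org` output. The public
# keys are toy values, not real RSA keys; the layout is what dig prints by default.
SAMPLE_DIG = """;; ANSWER SECTION:
newzone.org.\t\t3600\tIN\tDNSKEY\t256 3 8 AQAB
newzone.org.\t\t3600\tIN\tDNSKEY\t257 3 8 AQAB
"""

DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def owner_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, root label included."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label in owner name: %r" % name)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA on the wire: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B): a folded 16-bit sum."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest); digest = H(owner wire || RDATA)."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError("unsupported DS digest type %d (use 2 or 4)" % digest_type)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_TYPES[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_dnskeys(dig_output):
    """DNSKEY RRs from dig's text output as (owner, flags, protocol, algorithm, base64 key)."""
    keys = []
    for line in dig_output.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:  # comment lines (';;') and other record types simply do not match
            owner, flags, proto, alg, key = m.groups()
            keys.append((owner, int(flags), int(proto), int(alg), key))
    return keys


def ds_records(dig_output, include_zsk=False, digest_type=2):
    """DS lines for the KSKs in a dig answer, in the form dnssec-dsfromkey prints them."""
    lines = []
    for owner, flags, proto, alg, key in parse_dnskeys(dig_output):
        if flags != KSK_FLAGS and not include_zsk:
            continue
        tag, a, d, digest = ds_from_dnskey(owner, flags, proto, alg, key, digest_type)
        lines.append("%s IN DS %d %d %d %s" % (owner, tag, a, d, digest))
    return lines


def ds_matches(dig_output, ds_line):
    """True if a DS line (e.g. the one the registrar published) corresponds to a served KSK."""
    tag, alg, dtype, digest = ds_line.split()[-4:]
    tag, alg, dtype, digest = int(tag), int(alg), int(dtype), digest.upper()
    for owner, flags, proto, a, key in parse_dnskeys(dig_output):
        if flags == KSK_FLAGS and a == alg:
            computed = ds_from_dnskey(owner, flags, proto, a, key, dtype)
            if computed[0] == tag and computed[3] == digest:
                return True
    return False


if __name__ == "__main__":
    import sys
    # Pipe real dig output in, or run with no input to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIG
    for line in ds_records(text):
        print(line)
```

Run it as `dig @127.0.0.1 dnskey newzone.org | python3 ds_check.py` and compare the output with what dnssec-dsfromkey printed; the key tag and digest must agree exactly, and ds_matches() gives you the same comparison against the DS line the registrar's control panel shows once it has been published.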
