BIND and DNSSEC

The howto that used to be here was outdated. It was using zonesigner and lot of other tools which became unnecessary because nowadays BIND can sign the zonefiles itself. There are two excellent howto's (in Dutch) which explain this:

• Deel 1: het ondertekenen van de zones
• Deel 2: sleutelbeheer

Short summary

Because not everyone understands Dutch, here's a short summary of those articles:

• Add the following lines to your general BIND config (i use named.conf.options in Debian/Ubuntu): dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto; key-directory "/etc/bind/keys";
• Create a directory for your keys: mkdir -p /etc/bind/keys/
• Generate a key for your zone: cd /etc/bind/keys/ dnssec-keygen -f KSK -3 -a RSASHA256 -b 2048 -r /dev/random -n ZONE example.com dnssec-keygen -3 -a RSASHA256 -b 1024 -r /dev/random -n ZONE example.com Note: Using /dev/random might be slow on systems with low activity. You might consider using /dev/urandom, but this uses less 'randomness'.
• Enable signing for every zone (this is in named.conf.local Debian/Ubuntu): auto-dnssec maintain; inline-signing yes;
• reload your bind config and sign the zone: rndc reconfig rndc sign example.com.
• Verify by running rndc signing -list example.com

About the author

Jurrian van Iersel is a Developer and System & Networks Administrator. Beside being the author of this article, he has written some other articles about his experiences since he started in 1995. You can find more about him on LinkedIn, Google+, GitHub or follow him on Twitter.