setup DNSSEC on Bind9

Submitted by Fekete Zoltán on Wed, 06/09/2021 - 13:10
# cd /etc/bind

Add these lines to the zone "example.com" declaration in named.conf.local:

inline-signing yes;
auto-dnssec maintain;

Then:

# mkdir /var/cache/bind/keys
# cd /var/cache/bind/keys
# dnssec-keygen -a RSASHA256 -b 2048 -f KSK example.com
# dnssec-keygen -a RSASHA256 -b 1280 example.com
# cd /etc/bind

Edit the file named.conf.options and add

key-directory "/var/cache/bind/keys";

to the options block.

# service named reload
# rndc loadkeys example.com
# rndc signing -nsec3param 1 0 10 auto example.com

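As an added check (example script, not part of the original post): once the rndc commands above have run, verify from the outside that the zone really serves a KSK, a ZSK, signatures and the NSEC3 parameters you asked for. The functions parse dig's +noall +answer output, and the embedded answer is a constructed sample so the checks can be tried without a server; the server address and key data are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that BIND now serves
# the zone with DNSSEC data. Record parsing sits in its own functions so the
# same checks can be run against saved dig output.

# has_dnssec_records: read dig "+noall +answer" text on stdin and succeed
# only if a KSK (DNSKEY flags 257), a ZSK (flags 256) and an RRSIG are present.
has_dnssec_records() {
    awk '
        $4 == "DNSKEY" && $5 == 257 { ksk = 1 }
        $4 == "DNSKEY" && $5 == 256 { zsk = 1 }
        $4 == "RRSIG"               { sig = 1 }
        END { exit !(ksk && zsk && sig) }'
}

# uses_nsec3 ALG FLAGS ITER: succeed if an NSEC3PARAM record with exactly
# these values is served, i.e. "rndc signing -nsec3param 1 0 10 auto" took effect.
uses_nsec3() {
    awk -v alg="$1" -v flags="$2" -v iter="$3" '
        $4 == "NSEC3PARAM" && $5 == alg && $6 == flags && $7 == iter { ok = 1 }
        END { exit !ok }'
}

# dnssec_check ZONE [SERVER]: query the live server (assumed 127.0.0.1 by
# default) and run both checks on its answers.
dnssec_check() {
    zone=$1; server=${2:-127.0.0.1}
    answers=$(dig +dnssec +noall +answer @"$server" "$zone" DNSKEY
              dig +dnssec +noall +answer @"$server" "$zone" NSEC3PARAM)
    printf '%s\n' "$answers" | has_dnssec_records &&
        printf '%s\n' "$answers" | uses_nsec3 1 0 10
}

# Constructed sample in dig's answer format; key and signature data are dummies.
SAMPLE_ANSWER='example.com. 3600 IN DNSKEY 257 3 8 AwEAAdummyKSK
example.com. 3600 IN DNSKEY 256 3 8 AwEAAdummyZSK
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20210709130000 20210609130000 12345 example.com. dummySig
example.com. 0 IN NSEC3PARAM 1 0 10 ABCDEF'
```

Run `dnssec_check example.com` on the server itself; a non-zero exit means keys, signatures or the NSEC3 chain are still missing.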
That's all folks!
