Wednesday, November 10, 2010


Quick and dirty DNSSEC recipe (BIND 9: validating as a resolver and signing your own zone):

1) named.conf global options

(add the two dnssec lines to your existing options block; it is shown on its own here)

options {
    dnssec-enable yes;
    dnssec-validation yes;
};

"dnssec-validation yes" only validates once a trust anchor is configured (step 1.5); with "dnssec-validation auto" (BIND 9.8 and later) named uses its built-in root key instead. "dnssec-enable" is obsolete in current BIND, where DNSSEC processing is always on, and can be left out.

1.5) "root" zone trusted key

get root key (the record with flags 257 is the KSK; note this comes back over plain, unauthenticated DNS, so it has to be checked before it is trusted):
dig +multi +noall +answer DNSKEY . >root.dnskey

convert to DS RR set, then compare key tag and digest with the root trust anchor IANA publishes out of band (https://data.iana.org/root-anchors/); only if they match is the key you fetched the real one:
dnssec-dsfromkey -f root.dnskey . >root.ds

include in named.conf (what goes here is the DNSKEY RDATA from root.dnskey, i.e. flags, protocol, algorithm and the base64 public key, not the DS):

managed-keys {
    "." initial-key 257 3 8 "
        <base64 public key from root.dnskey> ";
};

A managed key lets named follow root key rollovers automatically (RFC 5011). Newer BIND spells this block "trust-anchors { ... };", and "dnssec-validation auto;" already ships the root key, so this step is only needed if you want to pin the anchor yourself.

2) Generating key signing key (KSK) and zone signing key (ZSK)

ZSK: dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE <zone>
KSK: dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE <zone>

<zone> is the zone name (the apex). Each command writes a K<zone>.+<alg>+<keytag>.key file holding the public DNSKEY RR and a matching .private file, which is the secret; keep the .private files readable by root only and never publish them. The algorithm and sizes above are 2010-era: RSASHA1 is deprecated for signing and 1024-bit RSA is too short, so today use -a RSASHA256 -b 2048 or -a ECDSAP256SHA256 (no -b needed). -r /dev/random only selects the entropy source and can block on a headless box; newer BIND dropped the option and uses the OS RNG.

3) Inside your zone file, include the public keys

$INCLUDE <ZSK .key file>   ; ZSK
$INCLUDE <KSK .key file>   ; KSK

(the K<zone>.+<alg>+<keytag>.key files from step 2, by name or by path relative to the zone directory; this places both DNSKEY RRs at the zone apex)

4) Sign the DNS zone

dnssec-signzone -r /dev/random -o <zone> -k <KSK .key file> <zonefile>

This writes <zonefile>.signed (RRSIGs plus the NSEC chain) and a dsset-<zone>. file with the DS record to hand to the parent zone (registrar); without that DS at the parent nobody can build a chain of trust to you. The ZSK is picked up from the DNSKEY you $INCLUDEd, provided its .private file is in the current directory. Point the zone's "file" statement in named.conf at the .signed file and reload. The RRSIGs expire (30 days by default, -e changes it), so this step must be repeated before then or resolvers will mark the zone bogus.

5) Verify the signed zone records:


6) Check a query...

dig +dnssec A <name>

The answer section should now carry an RRSIG next to the A record. Run the same query against a validating resolver holding the trust anchor from step 1.5 and look at the header flags: "ad" means the resolver validated the chain; no "ad" (or a SERVFAIL) means it did not.

Note: named does not validate data for zones it is itself authoritative for. Answers served from a zone loaded off disk skip the chain-of-trust traversal entirely; the assumption is that if the server can read the zone file, the data is trusted anyway. So a dig against your own authoritative server never proves the chain works; test it through a separate validating resolver.
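What dnssec-dsfromkey in step 1.5 actually computes, and why comparing its output with IANA's published anchor is the check that matters, as an added example (my code, not from the post or from BIND): the RFC 4034 key tag and the DS digest over the canonical owner name plus DNSKEY RDATA. SAMPLE_DNSKEY is a constructed record in the shape `dig +multi` prints, with a dummy 4-byte public key so the key tag (2063) can be checked by hand; in practice the inputs are root.dnskey and the DS from https://data.iana.org/root-anchors/.

```python
#!/usr/bin/env python3
"""Key tag and DS record from a DNSKEY, the arithmetic behind dnssec-dsfromkey.

Added example for this post, not code from the post or from BIND. Standard
library only. Key tag: RFC 4034 Appendix B.1. DS digest: RFC 4034 s5.1.4
over (canonical owner name || DNSKEY RDATA), SHA-256 = digest type 2 (RFC
4509). SAMPLE_DNSKEY is constructed with a dummy 4-byte public key; real keys
are ~256 bytes of base64 from `dig +multi +noall +answer DNSKEY .`.
"""
import base64
import hashlib
import struct

# Constructed sample in the shape `dig +multi` prints: parenthesised base64
# continuation lines and a trailing `;` comment carrying dig's own key id.
SAMPLE_DNSKEY = """\
example.com.    3600 IN DNSKEY 257 3 8 (
                AQID
                BA==
                ) ; KSK; alg = RSASHA256 ; key id = 2063
"""


def join_presentation(text: str) -> str:
    """Collapse a multi-line RR: drop `;` comments and parentheses, join lines."""
    parts = []
    for line in text.splitlines():
        parts.append(line.split(";", 1)[0].replace("(", " ").replace(")", " "))
    return " ".join(parts)


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"  # the root zone "."
    out = bytearray()
    for label in name.split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def parse_dnskey(text: str):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) from a
    presentation-format DNSKEY; TTL and class are optional."""
    fields = join_presentation(text).split()
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return owner, flags, proto, alg, pubkey


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 (all algorithms except obsolete RSAMD5): even
    offsets contribute the high byte, odd offsets the low byte, then fold."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_input(owner: str, rdata: bytes) -> bytes:
    """Exactly the bytes the DS digest covers."""
    return owner_to_wire(owner) + rdata


def ds_record(text: str, digest_type: int = 2) -> str:
    """Presentation-format DS RR for the DNSKEY in `text`."""
    owner, flags, proto, alg, pubkey = parse_dnskey(text)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(ds_digest_input(owner, rdata)).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def matches_published_ds(computed: str, published: str) -> bool:
    """Compare our DS with one obtained out of band (IANA's root anchor, or
    the parent zone): tag, algorithm, digest type and digest must all agree."""
    c, p = computed.split()[-4:], published.split()[-4:]
    return [x.upper() for x in c] == [x.upper() for x in p]


if __name__ == "__main__":
    # The key tag printed here (2063) is the "key id" dig shows in its comment,
    # a quick sanity check that the base64 was reassembled correctly.
    print(ds_record(SAMPLE_DNSKEY))
```

Feed it the contents of root.dnskey and check the result with matches_published_ds against the DS line from IANA; a mismatch means the dig answer was tampered with or mangled and must not go into managed-keys.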