Post date: July 26, 2021 4:00:00 PM.
Useful Links:
Google DNS Tool: https://toolbox.googleapps.com/apps/dig/
Hurricane Electric Free DNS hosting: https://dns.he.net/
Online DNSSEC Validation tool: https://dnssec-analyzer.verisignlabs.com/
Configuring Bind for DNSSEC
Enable DNSSEC in options section of named.conf:
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
Generate Keys (in an applicable key directory, e.g. /etc/named/dnssec/zone or /var/named/dnssec/zone):
ZSK (Zone Signing Key): dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
KSK (Key Signing Key): dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com
Edit Zone (example.com) to include the Keys (make sure the relative path is correct for bind to read the key file):
$INCLUDE dnssec/<key directory>/<Zone Signing Key>.key
$INCLUDE dnssec/<key directory>/<Key Signing Key>.key
Don't forget to make the key files owned by bind (named:named) and increment the zone serial number when including the keys.
Edit named.conf to add auto-dnssec options in each zone (in each view):
key-directory "/etc/named/dnssec/zone";
auto-dnssec maintain;
inline-signing yes;
Restart named and check the logs to see that the zone was signed. A newly created zone.signed file should appear in your zone directory.
Give it some time to replicate and head over to the DNSSEC validation tool in the links above.
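The key-generation, ownership and zone-edit steps above, gathered into one script. This is an added example, not code from the original post: it assumes the zone file lives under BIND's "directory" option, that the key directory sits below it (so the $INCLUDE prefix is relative, as in the post), and that named runs as named:named. The function names (bump_serial, include_lines, private_keys_private, sign_zone) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the BIND zone-signing
# procedure above. Assumptions (mine, not the post's): the zone file lives under
# BIND's "directory" option, keys go in a directory below it, and named runs as
# named:named as in the post.
set -eu

# bump_serial CURRENT: print the next SOA serial. Date-form serials (YYYYMMDDnn)
# roll to today's date with sequence 00 when the date has moved on, otherwise
# nn+1; any other serial is incremented by one. Forgetting this bump is the
# classic reason a freshly signed zone never reaches the secondaries.
bump_serial() {
    cur=$1
    today=$(date -u +%Y%m%d)
    case $cur in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            cur_date=${cur%??}          # first eight digits
            cur_seq=${cur#????????}     # last two digits
            cur_seq=${cur_seq#0}        # "08" -> "8": avoids octal arithmetic
            if [ "$cur_date" -lt "$today" ]; then
                echo "${today}00"
            elif [ "$cur_seq" -ge 99 ]; then
                echo $((cur + 1))       # 99 rolls into the next date slot
            else
                printf '%s%02d\n' "$cur_date" $((cur_seq + 1))
            fi
            ;;
        *)
            echo $((cur + 1))
            ;;
    esac
}

# include_lines KEYDIR PREFIX: print one $INCLUDE line per public key file
# (K<zone>.+<alg>+<id>.key) in KEYDIR, with PREFIX as the path BIND resolves
# relative to its "directory" option. Paste the output into the zone file.
include_lines() {
    for f in "$1"/K*.key; do
        [ -e "$f" ] || continue
        printf '$INCLUDE %s/%s\n' "$2" "$(basename "$f")"
    done
}

# private_keys_private KEYDIR: succeed only if no *.private file is readable by
# "other". The .key files must be readable by named; the .private files must
# not be readable by anyone else, or any local user could re-sign the zone.
private_keys_private() {
    if find "$1" -name '*.private' -perm -004 | grep -q .; then
        return 1
    fi
    return 0
}

# sign_zone ZONE KEYDIR: the post's key-generation and ownership steps, wrapped.
# Only meaningful on the BIND host itself (needs dnssec-keygen, root, and the
# named user). The post uses NSEC3RSASHA1 (algorithm 7, SHA-1 based); for new
# keys on current BIND, ECDSAP256SHA256 is the usual choice.
sign_zone() {
    zone=$1; keydir=$2
    mkdir -p "$keydir"
    dnssec-keygen -K "$keydir" -a NSEC3RSASHA1 -b 2048 -n ZONE "$zone"          # ZSK
    dnssec-keygen -K "$keydir" -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE "$zone"   # KSK
    chown -R named:named "$keydir"
    chmod 600 "$keydir"/*.private
    private_keys_private "$keydir"
    echo "Add these lines to the $zone zone file, then bump its serial:"
    include_lines "$keydir" "dnssec/$(basename "$keydir")"
}

# Usage on the BIND host: sh sign.sh example.com /etc/named/dnssec/example.com
if [ "$#" -eq 2 ]; then
    sign_zone "$1" "$2"
fi
```

Only sign_zone touches the real host; the other three functions are pure and can be checked on any machine. Note that on BIND 9.16 and later, dnssec-enable and dnssec-lookaside are obsolete (validation is always built in and the DLV registry has been retired), so of the three options in the post only dnssec-validation auto; still does anything.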