To set up DNSSEC in BIND9 on Ubuntu 20.04, you’ll need to perform the following steps:
- Update your system
sudo apt update
sudo apt upgrade -y
- Install BIND9
sudo apt install bind9 -y
Pick a zone name and keep it consistent throughout the setup. In this guide we use the following:
+ dns-adwise
- Generate the Zone Signing Key (ZSK) and Key Signing Key (KSK) using the dnssec-keygen command:
sudo dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE dns-adwise
sudo dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE dns-adwise
Output:
vm@vm:~$ sudo dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE dns-adwise
Generating key pair..+++++ ...........................+++++
Kdns-adwise.+007+28898
vm@vm:~$ sudo dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE dns-adwise
Generating key pair...........................................++++ ...........................................................................................................++++
Kdns-adwise.+007+11460
- Copy the generated key files (both the .key and .private files) into the BIND configuration directory:
sudo cp Kdns-adwise.* /etc/bind/
- Configure BIND9 to enable DNSSEC:
sudo nano /etc/bind/named.conf.options
Add the following lines to the named.conf.options file:
+ dnssec-enable yes;
+ dnssec-validation yes;
The file should then look like this:
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys. See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation yes;
        dnssec-enable yes;

        listen-on-v6 { any; };

        forwarders {
                8.8.8.8;
        };
};
- Define the zone in BIND's local configuration:
sudo nano /etc/bind/named.conf.local
- Add the zone definition with the DNSSEC signing options (key-directory, auto-dnssec and inline-signing):
zone "dns-adwise" {
        type master;
        file "/etc/bind/db.dns-adwise";
        key-directory "/etc/bind";
        auto-dnssec maintain;
        inline-signing yes;
};
- Create or modify your zone file:
sudo nano /etc/bind/db.dns-adwise
Use the following as an example of the zone file content. Remember to replace the IP address with your host or server IP. In this case, our IP is 10.102.211.199
$TTL 604800
@ IN SOA ns1.dns-adwise. admin.dns-adwise. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.dns-adwise.
@ IN A 10.102.211.66
ns1 IN A 10.102.211.66
Update the zone file with your desired DNS records for the “dns-adwise” domain.
- Restart BIND9 to apply the changes:
sudo systemctl restart bind9
Add the public keys to the end of the zone file:
- Update the zone file /etc/bind/db.dns-adwise with the DNSSEC key information. Modify the file using a text editor:
sudo nano /etc/bind/db.dns-adwise
- Add the following lines to the zone file, replacing {number} with the appropriate values generated by dnssec-keygen:
$INCLUDE "/etc/bind/Kdns-adwise.+{number}+{number}.key"
$INCLUDE "/etc/bind/Kdns-adwise.+{number}+{number}.key"
The file should then look like this:
$TTL 604800
@ IN SOA ns1.dns-adwise. admin.dns-adwise. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.dns-adwise.
@ IN A 10.102.211.66
ns1 IN A 10.102.211.66
$INCLUDE "/etc/bind/Kdns-adwise.+007+28898.key"; ZSK
$INCLUDE "/etc/bind/Kdns-adwise.+007+11460.key"; KSK
- Check that the zone file, including the included DNSSEC keys, loads cleanly:
sudo named-checkzone dns-adwise /etc/bind/db.dns-adwise
You should see the following output:
zone dns-adwise/IN: loaded serial 3
OK
This command checks the zone file, including the DNSKEY records pulled in by $INCLUDE, for syntax and loading errors. If it reports OK, the zone is ready to be signed in the next step.
- Sign the zone with the dnssec-signzone command, passing the KSK with -k:
sudo dnssec-signzone -S -o dns-adwise -k Kdns-adwise.+007+11460.key /etc/bind/db.dns-adwise
Output:
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
/etc/bind/db.dns-adwise.signed
- The signed zone has been written to a new file; inspect it with:
less /etc/bind/db.dns-adwise.signed
Update the BIND configuration
- Change the zone definition in /etc/bind/named.conf.local so that it loads the signed zone file instead of the unsigned one:
sudo nano /etc/bind/named.conf.local
zone "dns-adwise" {
type master;
- file "/etc/bind/db.dns-adwise";
+ file "/etc/bind/db.dns-adwise.signed";
key-directory "/etc/bind";
auto-dnssec maintain;
inline-signing yes;
};
- Reconfigure BIND:
sudo rndc reconfig
- Check the DNSSEC chain of trust:
sudo dnssec-verify -x -o dns-adwise /etc/bind/db.dns-adwise.signed
Output:
Loading zone 'dns-adwise' from file '/etc/bind/db.dns-adwise.signed'
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 present, 0 revoked
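Two things a practitioner will want to confirm after signing that dnssec-verify does not report: that the key tags in the Kdns-adwise.+007+<tag> file names really match the DNSKEY records in the signed zone, and when the RRSIGs expire (by default dnssec-signzone makes signatures valid for 30 days, so a zone signed this way must be re-signed before they lapse). The Python checker below is an added example, not part of the original tutorial: it recomputes DNSKEY key tags per RFC 4034 Appendix B and runs on a constructed sample of signed-zone text whose public key is a 4-byte dummy rather than a real RSA key.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, not output from the tutorial's host: the DNSKEY blob is a 4-byte
# dummy (key tag 2062), not RSA, and the NS RRSIG's key tag 11460 has no DNSKEY here.
SAMPLE_SIGNED_ZONE = """\
dns-adwise. 604800 IN DNSKEY 257 3 7 AQIDBA== ; KSK; alg = NSEC3RSASHA1 ; key id = 2062
dns-adwise. 604800 IN RRSIG SOA 7 1 604800 (
        20240315000000 20240214000000 2062 dns-adwise. c2lnbmF0dXJl )
dns-adwise. 604800 IN RRSIG NS 7 1 604800 20240301000000 20240214000000 11460 dns-adwise. c2ln
"""

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # even offsets are the high byte of each 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_zone(text):
    # Returns ({key_tag: flags} for every DNSKEY, [RRSIG dicts]). Comments are stripped and
    # the "( ... )" multi-line records that dnssec-signzone writes are joined onto one line.
    text = re.sub(r";[^\n]*", "", text)
    text = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), text)
    keys, sigs = {}, []
    for f in (line.split() for line in text.splitlines()):
        if len(f) > 7 and f[2:4] == ["IN", "DNSKEY"]:  # flags proto alg base64...
            keys[key_tag(int(f[4]), int(f[5]), int(f[6]), base64.b64decode("".join(f[7:])))] = int(f[4])
        elif len(f) > 11 and f[2:4] == ["IN", "RRSIG"]:  # covered alg labels ttl expiry incept tag signer sig
            exp = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            sigs.append({"covers": f[4], "expires": exp, "tag": int(f[10])})
    return keys, sigs

def check_zone(text, now_yyyymmddhhmmss, warn_days=7):
    # Lists RRSIGs whose signing key is absent from the zone or that expire within warn_days.
    now = datetime.strptime(now_yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    keys, sigs = parse_zone(text)
    problems = []
    for s in sigs:
        if s["tag"] not in keys:
            problems.append(f"RRSIG over {s['covers']}: key tag {s['tag']} has no DNSKEY in the zone")
        if s["expires"] - now < timedelta(days=warn_days):
            problems.append(f"RRSIG over {s['covers']}: expires {s['expires']:%Y-%m-%d}")
    return problems
```

To run it against the real file, pass open("/etc/bind/db.dns-adwise.signed").read() and the current UTC time as a YYYYMMDDHHMMSS string; every key tag returned by parse_zone should appear in one of the Kdns-adwise.+007+<tag>.key file names. The comment stripping assumes no record quotes a ";" or "(" inside a string, which holds for this tutorial's zone.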