To set up DNSSEC in BIND9 on Ubuntu 20.04, you’ll need to perform the following steps:

  • Update your system
sudo apt update
sudo apt upgrade -y
  • Install BIND9
sudo apt install bind9 -y

Please pick a Zone Name and keep it consistent in the whole setup. In this case we are using the following:

+ dns-adwise
  • Generate the Zone Signing Key (ZSK) and Key Signing Key (KSK) using the dnssec-keygen command:
sudo dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE dns-adwise
sudo dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE dns-adwise

Output:

vm@vm:~$ sudo dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE dns-adwise
Generating key pair..+++++ ...........................+++++
Kdns-adwise.+007+28898
vm@vm:~$ sudo dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE dns-adwise
Generating key pair...........................................++++ ...........................................................................................................++++
Kdns-adwise.+007+11460
  • You’ll need to copy these files to the appropriate directory:
sudo cp Kdns-adwise.* /etc/bind/
  • Configure BIND9 to enable DNSSEC:
sudo nano /etc/bind/named.conf.options

Add the following lines to the named.conf.options file:

+ dnssec-enable yes;
+ dnssec-validation yes;

The content of the file should be as below:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation yes;
        dnssec-enable yes;
        listen-on-v6 { any; };
        forwarders {
            8.8.8.8;
        };

};
  • Configure your DNS zone file:
sudo nano /etc/bind/named.conf.local
  • Add the DNSSEC key information to your zone file:
zone "dns-adwise" {
  type master;
  file "/etc/bind/db.dns-adwise";
  key-directory "/etc/bind";
  auto-dnssec maintain;
  inline-signing yes;
};
  • Create or modify your zone file:
sudo nano /etc/bind/db.dns-adwise

Use the following as an example of the content for the zone file. Remember to replace the IP address with the IP of your own host or server. In this case, our IP is 10.102.211.199

$TTL    604800
@       IN      SOA     ns1.dns-adwise. admin.dns-adwise. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns1.dns-adwise.
@       IN      A       10.102.211.66
ns1     IN      A       10.102.211.66

Update the zone file with your desired DNS records for the “dns-adwise” domain.

  • Restart BIND9 to apply the changes:
sudo systemctl restart bind9

Add the public keys to the end of the zone file:

  • Update the zone file /etc/bind/db.dns-adwise with the DNSSEC key information. Modify the file using a text editor:
sudo nano /etc/bind/db.dns-adwise
  • Add the following lines to the zone file, replacing {number} with the appropriate values generated by dnssec-keygen:
$INCLUDE "/etc/bind/Kdns-adwise.+{number}+{number}.key"
$INCLUDE "/etc/bind/Kdns-adwise.+{number}+{number}.key"

The file should look as below:

$TTL    604800
@       IN      SOA     ns1.dns-adwise. admin.dns-adwise. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns1.dns-adwise.
@       IN      A       10.102.211.66
ns1     IN      A       10.102.211.66

$INCLUDE "/etc/bind/Kdns-adwise.+007+28898.key"; ZSK
$INCLUDE "/etc/bind/Kdns-adwise.+007+11460.key"; KSK
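The two `{number}` fields in the `$INCLUDE` paths are the DNSSEC algorithm number and the key tag, which dnssec-keygen prints as the `K<zone>.+AAA+TTTTT` name after each key is generated (step "Generate the Zone Signing Key ... and Key Signing Key" above). The following added example, which is not part of the original tutorial, reads the `.key` files in a key directory, tells the KSK from the ZSK by the DNSKEY flags field (257 has the Secure Entry Point bit set, 256 does not), recomputes the RFC 4034 Appendix B key tag from the record and checks it against the file name, and emits the `$INCLUDE` lines in the form used above. The sample key files it writes are constructed with dummy two-byte public keys (not real RSA keys), so their tags and file names are derived here rather than copied from the page; point `include_lines()` at `/etc/bind` to run it on real keys.

```python
"""Classify dnssec-keygen .key files as KSK/ZSK, verify their key tags and
print $INCLUDE lines. Added example, not code from the tutorial."""
import base64
import re
import struct
import tempfile
from pathlib import Path

SEP_FLAG = 0x0001  # Secure Entry Point bit: set on KSKs (flags 257), clear on ZSKs (256)

# "owner [ttl] IN DNSKEY flags protocol algorithm base64-key"
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+"
    r"(?P<alg>\d+)\s+(?P<key>.+)$"
)
# dnssec-keygen names: K<zone>.+<3-digit alg>+<5-digit key tag>.key
FILENAME_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    if algorithm == 1:
        raise ValueError("RSAMD5 (algorithm 1) uses a different key-tag rule and is obsolete")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # even bytes are the high half of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_key_file(path: Path) -> dict:
    """Return owner/role/algorithm/key tag for one K*.key file and whether the name matches."""
    m_name = FILENAME_RE.match(path.name)
    if not m_name:
        raise ValueError(f"{path.name}: not a dnssec-keygen public key file name")
    record = None
    for line in path.read_text().splitlines():
        line = line.split(";", 1)[0].strip()   # ';' starts a comment in zone-file syntax
        if line:
            record = DNSKEY_RE.match(line)
            if record:
                break
    if not record:
        raise ValueError(f"{path.name}: no DNSKEY record found")
    flags = int(record["flags"])
    pubkey = base64.b64decode("".join(record["key"].split()))
    tag = key_tag(flags, int(record["proto"]), int(record["alg"]), pubkey)
    return {
        "path": path,
        "owner": record["owner"],
        "role": "KSK" if flags & SEP_FLAG else "ZSK",
        "algorithm": int(record["alg"]),
        "tag": tag,
        "name_ok": tag == int(m_name["tag"]) and int(record["alg"]) == int(m_name["alg"]),
    }


def include_lines(keydir: Path, zone: str) -> list:
    """$INCLUDE lines for every key of `zone` in keydir, ZSK before KSK as in the tutorial."""
    keys = [parse_key_file(p) for p in sorted(keydir.glob(f"K{zone}.+*+*.key"))]
    bad = [k["path"].name for k in keys if not k["name_ok"] or k["owner"] != f"{zone}."]
    if bad:
        raise ValueError(f"key tag or owner does not match the file name: {bad}")
    keys.sort(key=lambda k: k["role"] == "KSK")   # False (ZSK) sorts before True (KSK)
    return [f'$INCLUDE "{k["path"]}" ; {k["role"]}' for k in keys]


def build_sample_keydir() -> Path:
    """Constructed sample: two .key files in a temp dir, named from their computed tags."""
    d = Path(tempfile.mkdtemp())
    for flags, pub in ((256, b"\x01\x02"), (257, b"\x03\x04")):   # dummy key bytes, not real RSA
        tag = key_tag(flags, 3, 7, pub)
        role = "key-signing" if flags & SEP_FLAG else "zone-signing"
        (d / f"Kdns-adwise.+007+{tag:05d}.key").write_text(
            f"; This is a {role} key, keyid {tag}, for dns-adwise.\n"
            f"dns-adwise. IN DNSKEY {flags} 3 7 {base64.b64encode(pub).decode()}\n"
        )
    return d


if __name__ == "__main__":
    for line in include_lines(build_sample_keydir(), "dns-adwise"):
        print(line)
```

The key tag is not a cryptographic identifier, only a 16-bit checksum used to pick the right DNSKEY when several share a name, which is why the name check above is a consistency check rather than a security check. Note also that algorithm 7 (NSEC3RSASHA1), used throughout this tutorial, is SHA-1 based and is listed as NOT RECOMMENDED for signing in RFC 8624; the parser accepts any algorithm number, so it works unchanged with the RSASHA256 or ECDSAP256SHA256 keys that current guidance prefers.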
  • Check that the zone file loads:
sudo named-checkzone dns-adwise /etc/bind/db.dns-adwise

You should get the following output:

zone dns-adwise/IN: loaded serial 3
OK

This command checks that the zone file, including the $INCLUDE'd DNSKEY records, parses and loads without errors. If there are no errors, the zone is ready to be signed in the next step.
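To show what a zone-file check of this kind is looking at, here is an added example (not code from the tutorial) that parses a db.dns-adwise-style file, including the multi-line SOA and the `$INCLUDE` lines, and reports the defects that commonly break this step: a missing or duplicated SOA, no NS at the apex, an in-zone NS name without a glue A/AAAA record, and an `$INCLUDE` that points at a key file that does not exist. The zone text is constructed from the tutorial's example with two deliberate defects added (an `ns2` NS without an A record and a KSK `$INCLUDE` whose file is never created); the key file it does create holds a dummy DNSKEY, not a real key.

```python
"""Sanity-check a BIND zone file before named-checkzone. Added example, not
code from the tutorial; the sample zone below is constructed."""
import tempfile
from pathlib import Path


def _strip_comments(text: str) -> str:
    """Remove ';' comments line by line (zone-file syntax)."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def _join_parentheses(text: str) -> list:
    """Collapse ( ... ) continuations, such as the SOA, onto one logical line."""
    out, buf, depth = [], [], 0
    for line in text.splitlines():
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf, depth = [], 0
    if buf:                                   # unbalanced '(' at end of file
        out.append(" ".join(buf))
    return out


def _absolute(name: str, origin: str) -> str:
    """Turn '@' and relative owner names into fully qualified names."""
    if name == "@":
        return origin + "."
    return name if name.endswith(".") else f"{name}.{origin}."


def parse_zone(text: str, origin: str):
    """Return (records, includes); records are (owner, type, rdata-token-list)."""
    records, includes, last_owner = [], [], "@"
    for line in _join_parentheses(_strip_comments(text)):
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$TTL":
            continue
        if tokens[0] == "$INCLUDE":
            includes.append(tokens[1].strip('"'))
            continue
        if line[0].isspace():                 # blank owner field: reuse the previous owner
            owner = last_owner
        else:
            owner, tokens = tokens[0], tokens[1:]
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0] in ("IN", "CH", "HS")):
            tokens = tokens[1:]               # drop optional TTL and class
        records.append((_absolute(owner, origin), tokens[0], tokens[1:]))
    return records, includes


def check_zone(text: str, origin: str) -> list:
    """Return a list of human-readable problems; empty means the checks passed."""
    records, includes = parse_zone(text, origin)
    problems = []
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        problems.append(f"expected exactly one SOA, found {len(soa)}")
    apex = origin + "."
    ns = [r for r in records if r[1] == "NS" and r[0] == apex]
    if not ns:
        problems.append("no NS record at the zone apex")
    a_owners = {r[0] for r in records if r[1] in ("A", "AAAA")}
    for _, _, rdata in ns:
        target = _absolute(rdata[0], origin)
        if target.endswith("." + apex) and target not in a_owners:
            problems.append(f"NS {target} is inside the zone but has no A/AAAA glue record")
    for inc in includes:
        if not Path(inc).is_file():
            problems.append(f"$INCLUDE target missing: {inc}")
    return problems


def build_sample() -> str:
    """Constructed zone text: the tutorial's example plus two deliberate defects."""
    d = Path(tempfile.mkdtemp())
    zsk = d / "Kdns-adwise.+007+28898.key"
    zsk.write_text("dns-adwise. IN DNSKEY 256 3 7 AQI=\n")   # dummy DNSKEY, not a real key
    missing = d / "Kdns-adwise.+007+11460.key"               # deliberately never created
    return f"""$TTL    604800
@       IN      SOA     ns1.dns-adwise. admin.dns-adwise. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns1.dns-adwise.
@       IN      NS      ns2.dns-adwise.
@       IN      A       10.102.211.66
ns1     IN      A       10.102.211.66

$INCLUDE "{zsk}" ; ZSK
$INCLUDE "{missing}" ; KSK
"""


if __name__ == "__main__":
    for problem in check_zone(build_sample(), "dns-adwise"):
        print("problem:", problem)
```

named-checkzone performs these checks itself (a missing `$INCLUDE` file is a load error, and an in-zone NS without glue is reported as a warning), so the value of the script is in seeing what "loaded serial N / OK" actually asserts: the records parse and are internally consistent. It says nothing yet about signatures, which only exist after dnssec-signzone has run.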

  • Sign the DNSKEY using the dnssec-signzone command (use the KSK):
sudo dnssec-signzone -S -o dns-adwise -k Kdns-adwise.+007+11460.key /etc/bind/db.dns-adwise

Output:

Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 0 stand-by, 0 revoked
/etc/bind/db.dns-adwise.signed
  • The signed zone has been written to a new file; inspect it with:
less /etc/bind/db.dns-adwise.signed

Update BIND configuration

  • Change the /etc/bind/named.conf.local definition that loads the zone, to point to the signed zone:
sudo nano /etc/bind/named.conf.local
zone "dns-adwise" {
  type master;
- file "/etc/bind/db.dns-adwise";
+ file "/etc/bind/db.dns-adwise.signed";
  key-directory "/etc/bind";
  auto-dnssec maintain;
  inline-signing yes;
};
  • Reconfigure BIND:
sudo rndc reconfig
  • Check the DNSSEC chain of trust:
sudo dnssec-verify -x -o dns-adwise /etc/bind/db.dns-adwise.signed

Output:

Loading zone 'dns-adwise' from file '/etc/bind/db.dns-adwise.signed'
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 0 present, 0 revoked