pmeerw's blog

24 Jan 2019

Thu, 24 Jan 2019

Setting up DNSSEC

Finally, I decided to give DNSSEC a try, the technology should be somewhat mature by now...

So I'm using bind 9.11.5 on Debian buster to secure I loosely followed the Debian DNSSEC HOWTO. DNSViz has been useful for testing.

Bind9 configuration

Create a directory /etc/bind/keys Enable DNSSEC in /etc/bind/named.conf.options and set the key directory:

options {
  // ...
  dnssec-enable yes;
  key-directory "/etc/bind/keys";

Creating keys

The bind9utils package has the dnssec-keygen tool, so run:

cd /etc/bind/keys
dnssec-keygen -a RSASHA256 -b 2048 -3
dnssec-keygen -a RSASHA256 -b 2048 -3 -fk
to obtain the following files:
-rw-r--r-- 1 bind bind  601 Jan 22 22:31
-rw------- 1 bind bind 1776 Jan 22 22:31
-rw-r--r-- 1 bind bind  602 Jan 22 22:32
-rw------- 1 bind bind 1776 Jan 22 22:32
I have set ownership of keys/ to bind:bind, so: chown -R bind:bind /etc/bind/keys/
Configuring the DNS zone

The zone is configured in /etc/bind/named.conf.local:

zone "" {
        type master;
        file "/etc/bind/";
        auto-dnssec maintain;
        inline-signing yes;

Restart the nameserver: service bind9 restart
Use dig @ +dnssec axfr and RRSIG, NSEC records should be displayed for the zone. Zone transfers (AXFR) must be allowed, at least for localhost:

options {
  // ...
  allow-transfer {;

Configuring DNSSEC with the registrar

I'm using Joker; in case the authoritative nameserver is already configured correctly for DNSSEC,'s web-based administration interface already has all the required fields completed: alg: 8, digest: 5C09567DA17552239455C597878F97CCABDDBF6E, digest type: 1 (or 2), keytag: 14644 In order to get these values, the dnssec-dsfromkey tool is helpful: dnssec-dsfromkey /etc/bind/keys/ IN DS 14644 8 1 5C09567DA17552239455C597878F97CCABDDBF6E IN DS 14644 8 2 E2085DD26A5BE04722BCE5DEC62CA739919CCE9B8743800610142B7AF4BB2080
The listing shows the DS records that would be configured in the .at nameserver; it provides us with the keytag (14644), algorithm (8 for RSA/SHA256, see list), digest type (1 for SHA-1, 2 for SHA-256, see list) and the digest value.

AppArmor gets in the way

I had to limit UDP packet sizes to 512 in /etc/bind/named.conf.options, otherwise IPv6 showed transmission problems and delays -- not fully investigated yet, some related info
options {
  // ...
  edns-udp-size 512;
  max-udp-size 512;
Results and verification

DNSViz results for

See also DNSSEC-analyzer results.

posted at: 19:31 | path: /configuration | permanent link

Made with PyBlosxom