

Implementing DNSSEC using Bind

Modifying a Signed Zone

All signed zones are located in /var/named/dnssec_zones. To modify a signed zone, simply edit the unsigned zone file in the same directory (e.g. /var/named/), increment its serial (the time-stamp), then sign the zone again with the existing keys using the following commands:

cd /var/dnssec
dnssec-signzone -a -k <KSK filename, without extension> -o -e +7776000 /var/named/dnssec_zones/ <ZSK filename, without extension>

Note that you can find which key is the key signing key (KSK) and which one is the zone signing key (ZSK) by looking at the includes in the unsigned zone (e.g. /var/named/).

After signing the new zone, you can simply reload the signed zone by running:

cd /var/named/dnssec_zones
reloadzones <--- notice the .signed - it won't reload if you just do .gov

Signing a Zone

Here in this example, I sign one zone. You can use the same method to sign any zone for DNSSEC implementation.


cd /var/dnssec
dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 2048 -n ZONE
dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -e -n ZONE
dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -e -n ZONE

(yes, run it twice)

*Here is what's returned*

Copy the generated *.key files to /var/named/dnssec_keys/

*Sign the zone*
vim /var/named/

Add the following at the end of the zone and increment the timestamp of the zone:

$include /var/named/dnssec_keys/ ; KSK
$include /var/named/dnssec_keys/ ; ZSK
$include /var/named/dnssec_keys/ ; pre-published ZSK

cd /var/dnssec
dnssec-signzone -a -k -o -e +7776000 /var/named/

*Here is what's returned*


*Move both Zones (original and signed) to /var/named/dnssec_zones*

mv /var/named/* /var/named/dnssec_zones

*Load the signed Zone*

vim /var/named/zones.dnssec

add the zone section for the zone with the following:

zone "" {
    type master;
    file "dnssec_zones/";
};

Remove the zone section for that zone from /var/named/zones.main.

Move the regular zone to the dnssec_zones folder:

cd /var/named
svn move dnssec_zones/

The customer needs the key from /var/dnssec/ to enable DNSSEC at the parent (delegating) zone's servers:

$ORIGIN . 600 IN DNSKEY 257 3 5 ( AwEAAcacKLXhmESZgCL7OlqNhH7W/FMdVndm zzxjJ3nzbvZyhasdfsdfsdfsdfdfdCMPtERd i6hi2bn5wasdfasdfasdfasdfasdfoh6M5fE nOGQkotJ976U8XpABg6SVlAPn+avTtG8zaJQ I63aJEx6O1/dhZ7ATTgzUxvuWmJQipcgApxZ 158Cy175QsAjJtR2QBg+QYLCRfPWpXEYnFhI 7DtAasdfasdfasdfasVxLQASgv4T0dmeyMFf 7VC9dc9kXDasdfsdfsadfsadfasdfaDKMaFb ZiaasdfasdfasdfasdfasdfasdfasdfasL0m FfoOI1uYUM9cs16wRys6qXU= ) ; key id = 1729

*If the bind9 server is not setup for dnssec yet do the following*

vim /etc/bind/named.conf.options

In the 'options' section add:

dnssec-enable yes;

Then restart bind:

/etc/init.d/bind9 restart

Now you are ready to upload the keyset you generated to the parent DNS delegate.

Rollover ZSK


Rolling over ZSK for

Change the following lines in /var/named/dnssec_zones/

$include /var/named/dnssec_keys/ ; KSK
$include /var/named/dnssec_keys/ ; ZSK
$include /var/named/dnssec_keys/ ; pre-published ZSK

to:

$include /var/named/dnssec_keys/ ; KSK
$include /var/named/dnssec_keys/ ; Standby ZSK
$include /var/named/dnssec_keys/ ; ZSK

Update the timestamp then sign the zone with the Standby ZSK (which would make it the active ZSK) using this command:

# cd /var/dnssec
# dnssec-signzone -a -k -o -e +15552000 /var/named/dnssec_zones/ \
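The KSK/ZSK identification from the first section and the include-line relabelling of this rollover, as an added shell example that is not part of the original page: a key's role is taken from the DNSKEY flags in its .key file rather than from the zone comments, and the rollover rewrites the $include lines exactly as shown above. The directory, zone name and key ids in the fixture are constructed; the page's /var/dnssec paths are not assumed.

```shell
# Added example, not from the original page. A key's role is read from the DNSKEY
# flags field in its K<zone>.+<alg>+<id>.key file (257 = KSK, 256 = ZSK) instead of
# trusting the "; KSK" / "; ZSK" comments, and the pre-publish ZSK rollover is done by
# relabelling the $include lines the way the page shows. All paths are constructed.

# Print the key basenames (no .key suffix) in directory $1 for zone $2 whose
# DNSKEY flags field equals $3 (257 for a KSK, 256 for a ZSK).
keys_with_flags() {
    for f in "$1"/K"$2".+*.key; do
        [ -e "$f" ] || continue
        # data line in a .key file: <zone>. [TTL] IN DNSKEY <flags> 3 <alg> <base64>
        grep -Eq "[[:space:]]IN[[:space:]]+DNSKEY[[:space:]]+$3[[:space:]]" "$f" \
            && basename "$f" .key
    done
}

# Print the basename of the key on the $include line labelled "; ZSK" in zone file $1:
# the key that must be passed to dnssec-signzone as the ZSK argument.
active_zsk() {
    sed -n 's/^\$include .*\/\(K[^ ]*\)\.key *; ZSK$/\1/p' "$1"
}

# Print zone file $1 rewritten for the rollover: the pre-published ZSK becomes the
# active ZSK and the old ZSK becomes the standby one (review, then redirect to a file).
rollover_includes() {
    sed -e 's/; pre-published ZSK$/; ZSK@new/' \
        -e 's/; ZSK$/; Standby ZSK/' \
        -e 's/; ZSK@new$/; ZSK/' "$1"
}

# Print the signing command for zone $2 from the keys in $3 and the includes in
# zone file $1, with the same 90-day expiry (-e +7776000) the page uses.
signzone_cmd() {
    printf 'dnssec-signzone -a -k %s -o %s -e +7776000 %s %s\n' \
        "$(keys_with_flags "$3" "$2" 257 | head -n 1)" "$2" "$1" "$(active_zsk "$1")"
}

# Constructed fixture: three minimal .key files and an unsigned zone carrying the
# page's three $include lines, written under directory $1 (key ids are made up).
make_fixture() {
    mkdir -p "$1/keys"
    printf 'example.test. IN DNSKEY 257 3 5 AwEAAaaa\n' > "$1/keys/Kexample.test.+005+01729.key"
    printf 'example.test. IN DNSKEY 256 3 5 AwEAAbbb\n' > "$1/keys/Kexample.test.+005+15032.key"
    printf 'example.test. IN DNSKEY 256 3 5 AwEAAccc\n' > "$1/keys/Kexample.test.+005+20027.key"
    { printf '$include %s/keys/Kexample.test.+005+01729.key ; KSK\n' "$1"
      printf '$include %s/keys/Kexample.test.+005+15032.key ; ZSK\n' "$1"
      printf '$include %s/keys/Kexample.test.+005+20027.key ; pre-published ZSK\n' "$1"
    } > "$1/db.example.test"
}
```

Run `make_fixture "$(mktemp -d)"` and then `signzone_cmd <zonefile> example.test <keydir>` to see the command the page's steps would produce; `rollover_includes` prints the rolled zone for review before you overwrite the unsigned zone.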

Regenerating Keys

  1. Generate new keys for the domain in question
    cd /var/dnssec
    dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 2048 -n ZONE [domain.tld]
    dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -e -n ZONE [domain.tld]
    dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -e -n ZONE [domain.tld]
    cp K[domain.tld]*.key /var/named/dnssec_keys/
  2. Generate a new zone file (do not overwrite the existing zone)
    cp /var/named/db.[domain.tld] /var/named/new.[domain.tld]
  3. Update the new zone file (vim /var/named/new.[domain.tld])
    Replace the existing key include lines shown below with the new output produced by the keys generated in step #1
    $include /var/named/dnssec_keys/K[domain.tld].+005+01729.key ; KSK
    $include /var/named/dnssec_keys/K[domain.tld].+005+15032.key ; ZSK
    $include /var/named/dnssec_keys/K[domain.tld].+005+20027.key ; pre-published ZSK
  4. Sign the new zone file
    cd /var/dnssec
    dnssec-signzone -a -k K[domain.tld].+005+01729 -o [domain.tld] -e +7776000 /var/named/new.[domain.tld] K[domain.tld].+005+15032
    mv /var/named/new.[domain.tld].signed /var/named/dnssec_zones
  5. Provide the customer with the updated public key from /var/dnssec/keyset-domain.tld.signed
  6. Schedule the cut-over from the old zone file to the new zone file; this should be done in concert with the customer's update of the registrar's TLD copy
    mv /var/named/dnssec_zones/new.[domain.tld].signed /var/named/dnssec_zones/db.[domain.tld].signed
    rndc reload [domain.tld]