How to add DNSSEC Records in Bind/Named – Linux/CWP/HestiaCp/Ubuntu/Centos

by Sandeep B.

In this tutorial I’m going to show you how to generate DNSSEC keys and enable DNSSEC signing for a zone served by BIND (named). This is the instruction most requested by visitors.

DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in the DNS name servers alongside common record types like A, AAAA, MX, CNAME, etc. By checking the associated signature, a resolver can verify that a requested DNS record came from the zone’s authoritative name server and wasn’t altered en route, as opposed to a fake record injected in a man-in-the-middle attack.

First, install haveged, which supplies entropy for key generation.

On CentOS:

yum install -y haveged
systemctl enable haveged

On Ubuntu/Debian:

apt-get install -y haveged
systemctl enable haveged

In the command examples below, replace “domain.tld” with your domain name.

Second, generate the ZSK (zone-signing key):

dnssec-keygen -a RSASHA256 -b 2048 -r /dev/urandom domain.tld

Third, generate the KSK (key-signing key):

dnssec-keygen -r /dev/urandom -f KSK -a RSASHA256 -b 4096 domain.tld

Fourth, append the public keys (the .key files) to the domain’s zone file:

cat Kdomain.tld.+008+*.key >> /var/named/domain.tld.db

Fifth, sign the zone file (this writes domain.tld.db.signed next to the original):

cd /var/named/
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.db
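The +008+NNNNN part of the key file names used in step four is the DNSKEY algorithm number (8 = RSASHA256) and the key tag, a 16-bit checksum over the DNSKEY RDATA defined in RFC 4034 Appendix B; the same tag appears in the DS record that dnssec-signzone writes to dsset-domain.tld. in step five. The following Python script is an added example (not code from the original post or from BIND) that parses a DNSKEY record in the .key file format, recomputes the key tag, reconstructs the key file name, and derives the SHA-256 DS record. The DNSKEY in SAMPLE_KEY_FILE is constructed with a tiny fake public key so the arithmetic can be followed by hand; a real RSASHA256 key is 2048 or 4096 bits.

```python
"""
Parse a BIND DNSKEY record (the Kdomain.tld.+008+NNNNN.key file format), compute
its key tag (RFC 4034 Appendix B) and derive the DS record (RFC 4034 Section 5.1.4).
"""
import base64
import hashlib

# Constructed sample: flags 257 (KSK), protocol 3, algorithm 8 (RSASHA256) and a
# deliberately tiny fake public key, 03 01 00 01 de ad be ef, base64-encoded.
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 42152, for domain.tld.
domain.tld. IN DNSKEY 257 3 8 AwEAAd6tvu8=
"""


def parse_dnskey(text):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) from .key file text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip comments and blank lines
            continue
        # Signed zone files may wrap the base64 in parentheses across tokens.
        tokens = line.replace("(", " ").replace(")", " ").split()
        idx = tokens.index("DNSKEY")
        owner = tokens[0]
        flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
        pubkey = base64.b64decode("".join(tokens[idx + 4:]))
        return owner, flags, proto, alg, pubkey
    raise ValueError("no DNSKEY record found")


def dnskey_rdata(flags, proto, alg, pubkey):
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_filename(owner, alg, tag):
    """Base name dnssec-keygen uses for the key pair, e.g. Kdomain.tld.+008+42152."""
    return f"K{owner}+{alg:03d}+{tag:05d}"


def owner_wire(name):
    """Canonical wire form of the owner name: length-prefixed lowercase labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(text):
    """Derive the DS record (digest type 2 = SHA-256) for the DNSKEY in `text`."""
    owner, flags, proto, alg, pub = parse_dnskey(text)
    rdata = dnskey_rdata(flags, proto, alg, pub)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"


if __name__ == "__main__":
    owner, flags, proto, alg, pub = parse_dnskey(SAMPLE_KEY_FILE)
    tag = key_tag(dnskey_rdata(flags, proto, alg, pub))
    print("key file:", key_filename(owner, alg, tag) + ".key")
    print("DS record:", ds_record(SAMPLE_KEY_FILE))
```

Running the script against a real Kdomain.tld.+008+NNNNN.key file (read the file contents instead of SAMPLE_KEY_FILE) gives a DS line that should match the one in dsset-domain.tld.; the DS record for the KSK (flags 257) is what the parent zone needs in order to validate your signed zone.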

Sixth, edit the named configuration file /etc/named.conf and add this line:

dnssec-lookaside auto;

** Find the lines dnssec-enable yes; and dnssec-validation yes; and add dnssec-lookaside auto; after them. Note that the ISC DLV registry this option consults was shut down in 2017, so newer BIND releases warn about or no longer accept it; run named-checkconf after editing to confirm the configuration parses.

Now you need to edit the domain’s zone definition in /etc/named.conf and point it at the signed zone file. Change this:

// zone domain.tld
zone "domain.tld" {type master; file "/var/named/domain.tld.db";};
// zone_end domain.tld

to this:

// zone domain.tld
zone "domain.tld" {type master; file "/var/named/domain.tld.db.signed";};
// zone_end domain.tld

Reload/restart the named service:

service named reload

and you’re done.

Rene July 25, 2021 - 7:32 am

Hi, thanks for the tutorial.
Does this only work if I use CWP as my DNS / zone manager?
I use my domain registrar’s site to manage DNS and add the entries there because I don’t want to open 53 on my server.

Will this still work, and can I add the new entries on my registrar’s site?


Sandeep B. July 25, 2021 - 9:55 am

Hi, it will not work if you use external DNS.


