DNSSEC

July 4, 2021

As long as I'll be involved in technical work in the nearest future, I'll write a few technical notes. Basically, they are based on my notes I made for myself. Not sure they will be useful for you, my lonely visitor, but who knows...

This first note is about setting up DNSSEC. Don't expect a manual here, I'll just point you to a couple of resources and list essential things.

I'm using bind9 as a DNS server for all my domains and as a resolver in my home network, routing all DNS traffic via VPN abroad to avoid spoofing it in my homecountry. So, all instructions below are for bind.

Here is the basic manual: DNSSEC Howto for BIND 9.9+

Another good manual: An introduction to DNSSEC

I deployed my zones as described in the basic manual with algorithm 8, RSASHA256. The only exception is the location for keys. I used /etc/bind/keys instead of /var/cache/bind/keys because keys are more or less static essentials, closely related to the configuration, unlike some things you might discover in /etc, such as adjtime, font cache, etc.

How to check top level domain algorithm and key size (for .org zone in this example):

dig +multi org DNSKEY

Key types:

How to generate KSK:

dnssec-keygen -a RSASHA256 -b <ksk-size> -f KSK my.domain

How to generate ZSK:

dnssec-keygen -a RSASHA256 -b <zsk-size> my.domain

Validate: use delv utility instead of dig

How to get DS records (some registrars automatically generate them, but some registrars do not):

dnssec-dsfromkey <public-key-filename>

DNSSEC verifiers: