Bind 9.9 DNSSEC configuration

Share This:

Follow up to previous guide on Bind 9.9 configuration that can be found here:

Background reading on DNSSEC can be found here:

In order to successfully test DNSSEC you’d need:

1 master DNS server – referred as

1 resolver DNS server which would obtain zone details and communicate securely with the master using DNSSEC. – referred as

TIP: If working in virtual environment you can install bind and configure your master DNS server and then clone that virtual machine, change ip and adjust bind config to create easy slave server.

Note:  Take this guide with a pinch of salt as I haven’t got experience of this configuration in production environment.

Master DNS Server:

Firstly we have to enable dnssec in bind configuration file, add the following line after options:

Secondly, we have to create the keys ZSK (signs the zone) & KSK (signs ZSK).

In order to speed up the process of generating the keys, open a second ssh session and run something like find / this will create enough entropy to generate the keys.

Copy the key into the zone filed (first key generated, ending with with 07770)

Verify that the key is there and there are no issue with the zone syntax:

Restart bind:


Verify dnssec with dig:

Now we can sign the zone:

You should see:

Change /etc/named.conf to point to signed zone:

Current config:

change to:

Now we would need slave server but before that, here’s the output of important pieces of named.conf for both servers.

ns0 (master)

Slave ns1:

and the icing on the cake. Trusted key.

Your slave server should be fine getting all the zones transferred + you can run:

Still trying to learn more about DNSSEC and this appears to be working. Best to try next is to create another DNS server and try to inject in your configuration, without the key it should not work.


Leave a comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.