DNSSEC (Domain Name System Security Extensions) enhances the security of the Domain Name System by adding cryptographic signatures to DNS records. These signatures verify that a DNS record originates from its authoritative name server and hasn’t been altered, protecting against threats like man-in-the-middle attacks and DNS spoofing.
This guide walks you through generating and enabling DNSSEC on a BIND/Named server in Linux environments such as CWP, HestiaCP, Ubuntu, and CentOS.
Step 1: Install haveged for Key Generation
Before creating the required cryptographic keys, install haveged to ensure a strong source of entropy for the key-generation process.
For CentOS/Red Hat:
yum install -y haveged
systemctl enable haveged
For Ubuntu/Debian:
apt-get install -y haveged
systemctl enable haveged
Step 2: Generate the Zone Signing Key (ZSK)
The ZSK is used to sign individual DNS records. Replace domain.tld with your actual domain name when executing the command.
dnssec-keygen -a RSASHA256 -b 2048 -r /dev/urandom domain.tld
Step 3: Generate the Key Signing Key (KSK)
The KSK is used to sign the ZSK, ensuring a chain of trust.
dnssec-keygen -r /dev/urandom -f KSK -a RSASHA256 -b 4096 domain.tld
Step 4: Add Keys to the Domain Zone File
Append the generated keys to your domain zone file. Assuming the keys are stored in the current directory, use the following command:
cat Kdomain.tld.+008+*.key >> /var/named/domain.tld.db
Step 5: Sign the Zone File
Navigate to the directory containing your domain’s zone file and use the dnssec-signzone command to sign it.
cd /var/named/
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.db
Step 6: Update the named.conf Configuration
Edit the /etc/named.conf file to enable DNSSEC features. Add the following line after dnssec-enable yes; and dnssec-validation yes;:
dnssec-lookaside auto;
Step 7: Configure the Domain Zone File
Update the zone configuration in /etc/named.conf to use the signed zone file. Change the file entry as follows:
Original Configuration:
zone "domain.tld" { type master; file "/var/named/domain.tld.db"; };
Updated Configuration:
zone "domain.tld" { type master; file "/var/named/domain.tld.db.signed"; };
Step 8: Reload the Named Service
Apply the changes by reloading the Named service:
service named reload
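The guide stops at reloading named, but the chain of trust in Step 3 is only complete once a DS record derived from the KSK is published in the parent zone. As an added example that is not part of the original guide, the following Python derives that DS record from the text of the KSK's .key file: it implements the RFC 4034 key tag (the number dnssec-keygen puts in the Kdomain.tld.+008+<tag>.key file name) and the SHA-256 DS digest. The DNSKEY line layout is assumed to match dnssec-keygen's output, and the embedded key is a constructed toy, not a usable RSA key.

```python
import base64
import hashlib

# Added example, not from the guide: derive the DS record from a dnssec-keygen
# KSK file using the RFC 4034 key tag and the SHA-256 DS digest (RFC 4509).

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def parse_dnskey(key_file_text: str):
    """(owner, flags, protocol, algorithm, pubkey) from a K<zone>.+008+<id>.key text.
    ';' comment lines are skipped; the base64 may be split into several chunks."""
    for line in key_file_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        if len(fields) < 7 or fields[2] != "DNSKEY":
            raise ValueError(f"not a DNSKEY record: {line!r}")
        flags, protocol, algorithm = (int(f) for f in fields[3:6])
        return fields[0], flags, protocol, algorithm, base64.b64decode("".join(fields[6:]))
    raise ValueError("no DNSKEY record found")

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms but RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(key_file_text: str) -> str:
    """Build 'owner IN DS tag alg 2 digest' for the registrar; KSK (SEP bit, flags 257) only."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(key_file_text)
    if not flags & 0x0001:
        raise ValueError("derive the DS from the KSK (flags 257), not the ZSK (256)")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

# Constructed toy key in RFC 3110 layout (exponent length, exponent 65537, 8-byte
# modulus): far too short for real use, present only so the code runs offline.
TOY_PUBKEY = bytes([3, 0x01, 0x00, 0x01]) + bytes.fromhex("c0ffee0123456789")
SAMPLE_KSK_FILE = ("; This is a key-signing key, keyid 16603, for domain.tld.\n"
                   "domain.tld. IN DNSKEY 257 3 8 " + base64.b64encode(TOY_PUBKEY).decode() + "\n")
```

Feeding the real KSK file into ds_record() gives the line to hand to the registrar; the tag it prints should match the number in the .key file name, which is a quick check that the right key was used.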
That’s It!
You have successfully configured DNSSEC for your domain in BIND/Named. With DNSSEC in place, your DNS records are protected against tampering and your users can place a higher level of trust in them.