This is a minimal howto to get DNSSEC running with bind 9 on jessie. We assume a "clean", freshly installed bind9 here. I wrote this HOWTO to document how I got my first signed zone.

Initial setup

Make separate directories for keys and zones, and let group bind write to zones:

cd /etc/bind
mkdir zones keys
chmod g+w zones
cd zones

Now create file

$TTL    6400
@       IN      SOA     ns1.example.mytld. dnsmaster.example.mytld. (
                        2016080201 ;Serial
                        8H      ; refresh
                        2H      ; retry
                        1W      ; expire
                        2H      ; TTL
                        )
        IN      NS      ns1.example.mytld.
ns1     IN      A
www     IN      A

Add the following section to named.conf.local

zone "example.mytld" {
        type master;
        file "/etc/bind/zones/";
        allow-query {any; };
        allow-transfer {; };
};

Reload bind and check whether querying the zone works:

dig @ example.mytld NS

The signing part

Run

cd keys
dnssec-keygen -a RSASHA256 -b 2048 -3 example.mytld
dnssec-keygen -a RSASHA256 -b 2048 -3 -fk example.mytld
chmod g+r *
cd ..

to generate the keys and let BIND read them.

Add

        auto-dnssec maintain;
        inline-signing yes;

to the zone "example.mytld" section in named.conf.local.

Add

         key-directory "/etc/bind/keys/";

to the options section in named.conf.options.

Run

rndc loadkeys example.mytld 
NSECSEED=$(printf "%04x%04x" $RANDOM $RANDOM)
rndc signing -nsec3param 1 0 10 $NSECSEED example.mytld.

to let bind sign the zone.

Verify that the zone works by executing

dig @ +dnssec example.mytld AXFR

You should see lines containing "RRSIG" and "NSEC3", and long hex-strings.
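
As an added example (not part of the original HOWTO), the following shell function checks the output of the dig command above for the records the previous steps should have produced: a ZSK and a KSK with algorithm 8 (RSASHA256), the NSEC3PARAM values passed to rndc signing, and an RRSIG for every record set. The function names and the sample data (keys, signatures, hash label, address 192.0.2.1) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original HOWTO. Reads `dig +dnssec <zone> AXFR`
# output on stdin. Assumes a zone without delegations or glue, like the one above.
check_signed_zone() {
    awk -v zone="$1" '
    BEGIN { zone = tolower(zone); if (zone !~ /\.$/) zone = zone "." }
    /^;/ || NF < 5 { next }                    # skip dig comments and blank lines
    { owner = tolower($1); rt = $4 }
    rt == "DNSKEY" && owner == zone && $7 == 8 {   # algorithm 8 = RSASHA256
        if ($5 == 256) zsk = 1                 # flags 256: zone-signing key
        if ($5 == 257) ksk = 1                 # flags 257: key-signing key
    }
    # hash algorithm 1, flags 0, 10 iterations and a salt, as given to rndc signing
    rt == "NSEC3PARAM" && $5 == 1 && $6 == 0 && $7 == 10 && $8 != "-" { n3p = 1 }
    rt == "NSEC3" { nsec3 = 1 }
    rt == "RRSIG" { signed[owner " " $5] = 1; next }
    { seen[owner " " rt] = 1 }
    END {
        if (!zsk)   { print "missing ZSK (DNSKEY 256, algorithm 8)"; bad = 1 }
        if (!ksk)   { print "missing KSK (DNSKEY 257, algorithm 8)"; bad = 1 }
        if (!n3p)   { print "NSEC3PARAM 1 0 10 <salt> not found"; bad = 1 }
        if (!nsec3) { print "no NSEC3 records"; bad = 1 }
        for (k in seen) if (!(k in signed)) { print "no RRSIG for " k; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample (dummy keys, signatures, hash label and address), not real output.
sample_axfr() {
    cat <<'EOF'
; constructed sample in the format of dig +dnssec example.mytld AXFR
example.mytld. 6400 IN SOA ns1.example.mytld. dnsmaster.example.mytld. 2016080203 28800 7200 604800 7200
example.mytld. 6400 IN RRSIG SOA 8 2 6400 20160901000000 20160802000000 1111 example.mytld. c2ln
example.mytld. 6400 IN NS ns1.example.mytld.
example.mytld. 6400 IN RRSIG NS 8 2 6400 20160901000000 20160802000000 1111 example.mytld. c2ln
example.mytld. 6400 IN DNSKEY 256 3 8 AwEAAWR1bW15
example.mytld. 6400 IN DNSKEY 257 3 8 AwEAAWR1bW15
example.mytld. 6400 IN RRSIG DNSKEY 8 2 6400 20160901000000 20160802000000 2222 example.mytld. c2ln
example.mytld. 0 IN NSEC3PARAM 1 0 10 1A2B3C4D
example.mytld. 0 IN RRSIG NSEC3PARAM 8 2 0 20160901000000 20160802000000 1111 example.mytld. c2ln
ns1.example.mytld. 6400 IN A 192.0.2.1
ns1.example.mytld. 6400 IN RRSIG A 8 3 6400 20160901000000 20160802000000 1111 example.mytld. c2ln
b4um86eghhds6nea196smvmlo4ors995.example.mytld. 7200 IN NSEC3 1 0 10 1A2B3C4D gjeqe526plbf1g8mklp59enfd789njgi A RRSIG
b4um86eghhds6nea196smvmlo4ors995.example.mytld. 7200 IN RRSIG NSEC3 8 3 7200 20160901000000 20160802000000 1111 example.mytld. c2ln
EOF
}

sample_axfr | check_signed_zone example.mytld && echo "zone looks signed"
```

To check a real zone, pipe the output of the dig command above into check_signed_zone instead of the sample; a non-zero exit status means at least one of the checks failed.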

Main author: Willi Mann