This is a minimal howto to get DNSSEC running with bind 9 on jessie. We assume an "clean", freshly installed bind9 here. I wrote this HOWTO to document how I got my first signed zone.

Initial setup

Make separate directory for keys and zones, let group bind write in zones:

cd /etc/bind
mkdir zones keys
chmod g+w zones
cd zones

Now create file example.mytld.zone

$TTL    6400
@       IN      SOA     ns1.example.mytld. dnsmaster.example.mytld. (
                        2016080201 ;Serial
                        8H      ; refresh
                        2H      ; retry
                        1W      ; expire
                        2H      ; TTL
                        )
        IN      NS      ns1.example.mytld.
ns1     IN      A       127.0.0.1
www     IN      A       192.168.0.1

Add the following section to named.conf.local

zone "example.mytld" {
        type master;
        file "/etc/bind/zones/example.mytld.zone";
        allow-query {any; };
        allow-transfer { 127.0.0.1; };
};

Reload bind and check whether querying the zone works:

dig @127.0.0.1 example.mytld NS

The signing part

Execute

cd keys
dnssec-keygen -a RSASHA256 -b 2048 -3 example.mytld
dnssec-keygen -a RSASHA256 -b 2048 -3 -fk example.mytld
chmod g+r *
cd ..

to generate the keys and let BIND read the keys.

Add

        auto-dnssec maintain;
        inline-signing yes;

to the zone "example.mytld" section in named.conf.local.

Add

         key-directory "/etc/bind/keys/";

to the options section in named.conf.options

Execute

rndc loadkeys example.mytld 
NSECSEED=$(printf "%04x%04x" $RANDOM $RANDOM)
rndc signing -nsec3param 1 0 10 $NSECSEED example.mytld.

to let bind sign the zone.

Verify that the zone works by executing

dig @127.0.0.1 +dnssec example.mytld AXFR

You should see lines containing "RRSIG" and "NSEC3", and long hex-strings.

Main author: Willi Mann <willi@debian.org>