Configuring DNSSEC on your personal domain

Today I’ll be working out how to properly configure DNSSEC on a BIND9 installation, I’ll also make sure to give you all the needed instructions to properly verify if a specific domain is being correctly covered by DNSSEC itself. In addition to that a few more details will be provided about adding the relevant SSHFP‘s entries on your DNS zone files to be able to automatically verify the authenticity of your domain when connecting to it with SSH avoiding any possible MITM attack.

First of all, let’s create the Zone Signing Key (ZSK) which is the key that will be responsible to sign any other record on the zone file which is not a DNSKEY record itself:

Note: the dnssec-keygen binary file should be part of bind97 (RHEL 5) or bind (RHEL6) package according to yum whatprovides:



Then, create the Key Signing Key (KSK), which will be used to sign all the DNSKEY records:

Creating the above keys can take several minutes, when done copy the public keys to the zone file this way:

When done you can clean out the useless bits from the zone file and just leave the DNSKEY records (which are not commented out as you will notice)

An additional and cleaner way of accomplishing the above is to use the INCLUDE rule on the zone file itself as follows:

Choosing which method to use is really up to you.

Once that is done you can go ahead and sign the zone file. As of myself I’m making use of the do-domain script taken from the Fedora Infrastructure Team’s repositories. If you are going to use it yourself, make sure to adjust all the relevant variables to match your setup, especially keyspath, region_zones, template_zone, signed_zones and AREA. The do-domain script also checks your zone file through named-checkzone before signing it.

/me while editing the do-domains script with the preview of gnome-code-assistance!

/me while editing the do-domains script with the preview of gnome-code-assistance!

If instead you don’t want to use the script above, you can sign the zone file manually in the following way:

By default, the above command will append ‘.signed’ to the file name, you can modify that behaviour by appending the ‘-f’ flag to the dnssec-signzone call. The ‘-N INCREMENT’ will increment the serial number automatically making use of the RFC 1982 arithmetics while the ‘-e’ flag will extend the zone signature end date from the default 30 days to 35. (this way we can safely run a monthly cron job that will sign the zone file automatically)

You can make use of the following script to achieve the above:

Once the zone file has been signed just make sure to include it on named.conf and restart named:

When you’re done with that we should be moving ahead adding a DS record for our domain at our domain registrar. My example is taken from the known registrar.


Gandi’s DNSSEC interface

Select KSK (257) and (RSA/SHA-1) on the dropdown list and paste your public key on the box. You will find the public key you need on one of the*.key files, you should look for the DNSKEY 257 entry as ‘dig DNSKEY‘ shows:

Once that is done you should have a fully covered DNSSEC domain, you can verify that this way:

The result:

Bonus content: Adding SSHFP entries for your domain and verifying them

You can retrieve the SSHFP entries for a specific host with the following command:

When retrieved just add the SSHFP entry on the zone file for your domain and verify it:

Or directly add the above parameter into your /etc/ssh/ssh_config file this way:

And run ‘ssh -v’, the result you should receive:

That’s it! Enjoy!

Share on Google+0Tweet about this on TwitterShare on Facebook0Share on LinkedIn0Digg thisShare on Reddit0Share on StumbleUpon0Email this to someone