DNSSEC with bind 9(.11) on debian 10(.1)

Since I needed hours to configure dnssec (because of one little failure), I made here a little write-up (in short).



# vi /etc/bind/named.conf.local
file “/var/lib/bind/example.com.zone.signed”;
key-directory “/var/lib/bind/”;
auto-dnssec maintain;
inline-signing yes;
to your domain

# vi /etc/bind/named.conf.options
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;

The keys

# cd /var/lib/bind/
(because the directory must me writable by bind and /etc/bind/ shouldn’t)

create the zone signing key (zsk)
dnssec-keygen -a RSASHA256 -b 2048 example.com
create the key signing key (ksk)
dnssec-keygen -a RSASHA256 -b 4096 -f KSK example.com

change permissions and the owner
(all keys must be readable by bind)
# chmod 644 Kexample.com*.key
# chmod 600 Kexample.com*.private
# chown bind Kexample.com*

you have now 4 keys – two pairs of zsk and ksk. you have to add the public keys which contain the DNSKEY record to the zonefile. the following will do this:
# for key in `ls Kexample.com*.key`
echo “\$INCLUDE $key”>> example.com.zone


sign the key
# dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone


# /etc/init.d/bind9 restart


# dig DNSKEY example.com. @localhost +multiline
if everything went right you should see the two keys. if not, you have done something wrong.

some good DNSSEC testing sites:


when we ran the dnssec-signzone command apart from the .signed zone file, a file named dsset-example.com was also created, this contains the DS records.
# cat dsset-example.com.
go to the registrar of your domain and enter those DS records

Update zone files

    1. make changes to the example.com.zone file
    2. # rndc freeze example.com
    3. delete all example.com.signet* files (i have not found another way)
    4. resign the key
      # dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha256sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone
    5. # rndc reload example.com
    6. # rndc thaw example.com


…are automatically signed with your domain


if you get an error like:
No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size.
on dnsviz.net, and you have a firewall kike pfsense before the dns-server, try to disable scrubbing:
Disable Firewall Scrub (Diables the PF srubbing option with can sometimes interfere with NFS traffic.)
another solution, with pfsense, is here: https://melkfl.es/article/2018/07/edns/
another, but last option, is to reduce the udp-package-size in bind’s named.conf.options
# vi /etc/bind/named.conf.options
edns-udp-size 512;
max-udp-size 512;

If you like this write-up or I missed something, please let me know.

About missing_link

Nietzsche is dead.
This entry was posted in Debian, Linux, Security and tagged , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.