
To configure and use DLV, you must run BIND versions 9.4.3-P2, 9.5.1-P2, 9.6.1, or later versions. You must include OpenSSL support when compiling. Most system-supplied BIND 9 releases support OpenSSL automatically.

Authoritative Service

In order to provide DNSSEC data, a server must be properly configured. Each secured zone must also have DNSSEC records added, and be signed.

Configuring BIND 9 to serve DNSSEC zones

To serve DNSSEC-signed authoritative zones, each master and slave server must be configured to respond properly to DNSSEC queries. This need only be done once per server.

If you have secondary servers (through a hosting service or otherwise) or are using servers you do not directly control, verify that they are configured for DNSSEC service before adding your entries into DLV. The SNS@ISC secondary hosting service fully supports DNSSEC.

  1. Enable DNSSEC in your BIND 9 installation.

    Enabling DNSSEC does not affect the server behavior for unsecured zones.

    The BIND instances that will serve the signed zone must have been compiled with OpenSSL in order to be DNSSEC-enabled.

    Include the following line in your BIND named.conf file to activate DNSSEC:

    options {
        dnssec-enable yes;
    };
    

Creating Zone Keys and Signing Zones

  1. Create Zone Keys

    Create an initial KSK (Key Signing Key) and ZSK (Zone Signing Key) for each zone to be secured. These keys have no expiration times, and can be used for as long as desired. The private parts must be kept private and secure.

    In the example below, we show the creation of a 2048-bit KSK and a 1024-bit ZSK. You should carefully evaluate whether these lengths are adequate for your needs. The KSK signs only a small number of records within your zone, while the ZSK signs all records. Making the KSK longer can hurt interoperability with some older servers. Making the ZSK longer increases the size of every signature, which makes your zone file much larger and the responses from your server larger.

    Be certain to save a copy of these keys (public and private) in a secure backup location to protect against hard drive failures.

    To create the KSK:

    dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 2048 -n ZONE example.com
    

    To create the ZSK:

    dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE example.com
    
  2. Insert zone keys into your zone

    Your zone must include the keys it is being signed with. This can be done directly (cut and paste) or indirectly (with $INCLUDE statements). We use $INCLUDE and recommend it as the best approach.

  3. Sign the zones

    For each zone, create a signed zone file, including DLV records:

    dnssec-signzone -l dlv.isc.org -r /dev/random -o example.com \
        -k Kexample.com.+005+aaaaa example.com Kexample.com.+005+bbbbb.key
    

    The argument to -k is the KSK; the ZSK is the last argument. Replace aaaaa and bbbbb with the key IDs of your own keys.

  4. Upload your DNSKEY records to DLV.

    Upload the KSK generated above using the “Manage Zones” menu on this website.
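    Steps 1 to 3 above leave two things to do by hand: writing the $INCLUDE lines for the zone file and substituting the real key IDs for aaaaa and bbbbb. The POSIX shell helper below is an added example, not ISC's tooling or anything from this page. It reads the DNSKEY flags field from each K<zone>.+<alg>+<id>.key file in a directory (flags 257 mark the KSK, 256 the ZSK), prints the $INCLUDE lines, and prints the dnssec-signzone command from step 3 with the KSK on -k and the ZSK in the trailing position. The key directory and zone name are arguments you supply; it assumes exactly one KSK and one ZSK per zone, as noted in the comments.

```shell
#!/bin/sh
# Added example, not ISC's own tooling: pick the KSK and ZSK out of a key
# directory by their DNSKEY flags and build the dnssec-signzone command with
# the real key IDs, so nothing has to be substituted by hand.
#
# dnssec-keygen writes K<zone>.+<alg>+<id>.key containing one DNSKEY record,
# e.g. (the key material shown here is a constructed placeholder):
#   example.com. IN DNSKEY 257 3 5 AwEAA...   flags 257 = KSK (SEP bit set)
#   example.com. IN DNSKEY 256 3 5 AwEAA...   flags 256 = ZSK
# Assumption: exactly one KSK and one ZSK per zone in the directory; with
# more than one of a kind, the last one in glob order wins.

# Print the DNSKEY flags field from a .key file, skipping ';' comment lines
# and tolerating an optional TTL before the class.
dnskey_flags() {
    awk '!/^;/ { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i + 1); exit } }' "$1"
}

# Print the $INCLUDE lines for every public key of the zone (step 2).
# $1 = key directory, $2 = zone name
include_lines() {
    for f in "$1"/K"$2".+*+*.key; do
        [ -f "$f" ] || continue
        printf '$INCLUDE %s\n' "$(basename "$f")"
    done
}

# Print the signing command from step 3 with the KSK on -k and the ZSK last.
# Returns 1 if either key kind is missing. $1 = key directory, $2 = zone name
signzone_cmd() {
    ksk=""
    zsk=""
    for f in "$1"/K"$2".+*+*.key; do
        [ -f "$f" ] || continue
        case "$(dnskey_flags "$f")" in
            257) ksk="${f%.key}" ;;
            256) zsk="${f%.key}" ;;
        esac
    done
    if [ -z "$ksk" ] || [ -z "$zsk" ]; then
        echo "error: need one KSK (flags 257) and one ZSK (flags 256) for $2" >&2
        return 1
    fi
    printf 'dnssec-signzone -l dlv.isc.org -r /dev/random -o %s -k %s %s %s\n' \
        "$2" "$(basename "$ksk")" "$2" "$(basename "$zsk").key"
}

# Usage (after sourcing this file): include_lines /etc/bind/keys example.com >> example.com
#                                   sh -c "$(signzone_cmd /etc/bind/keys example.com)"
```

    Reading the flags field rather than guessing from file names matters because dnssec-keygen names KSK and ZSK files identically apart from the key ID; the DNSKEY record is the only place the role is recorded.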

Configuring BIND 9 Resolvers to use DLV

Follow these steps to configure your BIND 9 resolver to use DLV:

  1. Install BIND 9 with OpenSSL.

    Compile and install a supported BIND version with OpenSSL support.

  2. Download dlv.isc.org's key.

    Get the dlv.isc.org key from ISC's website.

    It is a good idea to take the time to verify the PGP signature on this download. You are going to be building chains of trust from this key, so verify that the key itself is authentic.

  3. Configure dlv.isc.org as a trusted key.

    Include the downloaded key in a trusted-keys statement in named.conf. Be certain to use the version you downloaded above; this key, while correct at the time this article was written, may have changed.

    trusted-keys {
        dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+ju
            oZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58
            dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0
            PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTw
            FlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOw
            IeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZ
            fSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
    };
    
  4. Enable DNSSEC at run time in named.conf:

    options {
        /* DNSSEC configuration */
        dnssec-enable yes;      // All BIND 9 versions
        dnssec-validation yes;  // BIND 9.4.3-P2 and later
    };
    
  5. Enable DLV

    Tell BIND 9 to use DLV, in addition to normal DNSSEC validation:

    options {
        dnssec-lookaside . trust-anchor dlv.isc.org.;
    };
    
  6. Configure logging

    Configure DNSSEC logging to assist in debugging any DNSSEC problems.

    logging {
        channel dnssec_log {
            file "log/dnssec" size 20m;
            print-time yes;
            print-category yes;
            print-severity yes;
            severity debug 3;
        };
        category dnssec {
            dnssec_log;
        };
    };
    
  7. Start BIND 9

    From now on, BIND 9 will try to DNSSEC-validate answers, using DLV whenever the "normal" DNSSEC chain of trust cannot be followed.

  8. Test

    Ensure that resolution of both secured and unsecured zones continues to work.

    dig +dnssec @127.0.0.1 example.com. soa
    dig @127.0.0.1 example.com. soa
    dig @127.0.0.1 your.zone. soa
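    As an added example for step 8 (not part of the ISC page), the POSIX shell checker below interprets dig output instead of eyeballing it: a secured zone should come back with status NOERROR and the ad (authenticated data) flag in the header, an unsecured zone NOERROR without ad, and SERVFAIL on a secured zone points at a validation problem to look up in the dnssec log channel configured in step 6. The resolver address and zone names are arguments you supply; dig is only invoked by check_resolver, while the parsing functions work on any saved dig output.

```shell
#!/bin/sh
# Added example, not from the ISC page: interpret `dig +dnssec` output for the
# step-8 checks. Expected outcomes against a validating resolver:
#   secured zone   -> status NOERROR and the "ad" flag set
#   unsecured zone -> status NOERROR, no "ad" flag
#   SERVFAIL       -> usually a validation failure; see the dnssec log channel
#   NOANSWER       -> no DNS header at all (resolver unreachable)

# Print the rcode (NOERROR, SERVFAIL, ...) from dig output read on stdin.
# dig prints it on the line ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ..."
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\).*/\1/p'
}

# Succeed (exit 0) if the dig header flags line on stdin includes "ad",
# e.g. ";; flags: qr rd ra ad; QUERY: 1, ..."
dig_has_ad() {
    grep -q '^;; flags:.* ad[ ;]'
}

# Classify one dig result read on stdin: prints "secure", "insecure",
# the failing rcode, or NOANSWER when no header line was found.
classify() {
    out=$(cat)
    st=$(printf '%s\n' "$out" | dig_status)
    if [ "$st" != "NOERROR" ]; then
        printf '%s\n' "${st:-NOANSWER}"
    elif printf '%s\n' "$out" | dig_has_ad; then
        echo secure
    else
        echo insecure
    fi
}

# Query the SOA of each zone through the given resolver, as in step 8, and
# report one classification per zone.
# Usage: check_resolver 127.0.0.1 example.com. your.zone.
check_resolver() {
    resolver=$1
    shift
    for zone in "$@"; do
        printf '%s: %s\n' "$zone" "$(dig +dnssec @"$resolver" "$zone" soa | classify)"
    done
}
```

    The ad flag is only set by a resolver that validated the answer itself, so a "secure" result from 127.0.0.1 confirms the trust anchor, dnssec-validation and dnssec-lookaside settings are all in effect; an "insecure" result for a zone you expect to be secured means the chain of trust (direct or via DLV) was not found, which is the case to investigate in the dnssec log.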