To configure and use DLV, you must run BIND versions 9.4.3-P2, 9.5.1-P2, 9.6.1, or later versions. You must include OpenSSL support when compiling. Most system-supplied BIND 9 releases support OpenSSL automatically.

Authoritative Service

In order to provide DNSSEC data, a server must be properly configured. Each secured zone must also have DNSSEC records added, and be signed.

Configuring BIND 9 to serve DNSSEC zones

To serve DNSSEC-signed authoritative zones, each master and slave server must be configured to respond properly to DNSSEC queries. This need only be done once per server.

If you have secondary servers (through a hosting service or otherwise) or are using servers you do not directly control, verify that they are configured for DNSSEC service before adding your entries into DLV. The SNS@ISC secondary hosting service fully supports DNSSEC.

  1. Enable DNSSEC in your BIND 9 installation.

    Enabling DNSSEC does not affect the server behavior for unsecured zones.

    The BIND instances that will serve the signed zone must have been compiled with OpenSSL to be DNSSEC-enabled.

    Include the following line in your BIND named.conf file to activate DNSSEC:

    options {
        dnssec-enable yes;
    };

Creating Zone Keys and Signing Zones

  1. Create Zone Keys

    Create an initial KSK (Key Signing Key) and ZSK (Zone Signing Key) for each zone to be secured. These keys have no expiration times, and can be used for as long as desired. The private parts must be kept private and secure.

    In the example below, we show the creation of a 2048-bit KSK and a 1024-bit ZSK. You should carefully evaluate whether these lengths are adequate for your needs. The KSK is used to sign only a small number of records within your zone, while the ZSK is used to sign all records. Making the KSK longer can hurt interoperability with some older servers. Making the ZSK longer will increase the size of every signature, which will make your zone file much larger and will make the responses from your server larger.

    Be certain to save a copy of these keys (public and private) in a secure backup location to protect against hard drive failures.

    To create the KSK (replace <zone> with the name of your zone):

    dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 2048 -n ZONE <zone>

    To create the ZSK:

    dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE <zone>

  2. Insert zone keys into your zone

    Your zone must include the keys it is being signed with. This can be done directly (cut and paste) or indirectly (with $INCLUDE statements). We use $INCLUDE and recommend it as the best approach.

  3. Sign the zones

    For each zone, create a signed zone file, including DLV records:

    dnssec-signzone -l <dlv-domain> -r /dev/random -o <zone> \
        -k K<zone>.+005+aaaaa <zone-file> K<zone>.+005+bbbbb

    The argument to -l is the DLV domain in which the zone is registered, and -o is the zone origin. The argument to -k is the KSK. The ZSK is the last argument. aaaaa and bbbbb will need to be substituted by the corresponding key IDs (key tags) for your keys, and <zone>, <zone-file> and <dlv-domain> by your zone name, its zone file and the DLV domain.

  4. Upload your DNSKEY records to DLV.

    Upload the KSK key generated above. You do this by using the “Manage Zones” menu on this website (log in to manage zones).
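    The key IDs that steps 3 and 4 depend on are RFC 4034 key tags, and a DLV entry carries the same rdata as a DS record (key tag, algorithm, digest type, digest of the owner name plus DNSKEY rdata). The following Python script is an added example, not part of this page or of BIND's own tools; it computes both from a DNSKEY presentation line so you can cross-check what the DLV registry shows against your KSK. The DNSKEY in it is a constructed toy key with a four-byte "public key", and all function names are ours.

```python
# Added example: compute the RFC 4034 key tag (the key ID in BIND's
# K<zone>.+<alg>+<id> file names) and the DS/DLV rdata for a DNSKEY.
# Not part of the ISC DLV documentation or of BIND; the DNSKEY below is a
# constructed toy key, not a real one.
import base64
import hashlib
import struct

SEP_FLAG = 0x0001  # Secure Entry Point bit: set (257) on a KSK, clear (256) on a ZSK


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, uncompressed labels, root label last."""
    trimmed = name.rstrip(".").lower()
    labels = trimmed.split(".") if trimmed else []
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def parse_dnskey(line: str) -> dict:
    """Parse a DNSKEY presentation line: owner [ttl] [IN] DNSKEY flags protocol algorithm key..."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    return {
        "owner": fields[0],
        "flags": int(fields[idx + 1]),
        "protocol": int(fields[idx + 2]),
        "algorithm": int(fields[idx + 3]),
        "key_b64": "".join(fields[idx + 4:]),  # the key may be split across several tokens
    }


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """Wire-format DNSKEY rdata: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes, algorithm: int) -> int:
    """RFC 4034 Appendix B key tag. Algorithm 1 (RSAMD5) uses the modulus-based rule of B.1."""
    if algorithm == 1:
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(dnskey: dict) -> bool:
    """Only the KSK (SEP flag set) is uploaded to DLV."""
    return bool(dnskey["flags"] & SEP_FLAG)


def ds_rdata(dnskey: dict, digest_type: int = 2) -> str:
    """DS rdata per RFC 4034 section 5 (1 = SHA-1, 2 = SHA-256). A DLV RR (RFC 4431)
    carries identical rdata, published under <zone>.<dlv-domain>, while the digest is
    still taken over the zone's own owner name."""
    digesters = {1: hashlib.sha1, 2: hashlib.sha256}
    if digest_type not in digesters:
        raise ValueError(f"unsupported digest type {digest_type}")
    rdata = dnskey_rdata(dnskey["flags"], dnskey["protocol"], dnskey["algorithm"], dnskey["key_b64"])
    digest = digesters[digest_type](owner_name_wire(dnskey["owner"]) + rdata).hexdigest().upper()
    return f"{key_tag(rdata, dnskey['algorithm'])} {dnskey['algorithm']} {digest_type} {digest}"


# Constructed sample: a KSK (flags 257, algorithm 5) whose "public key" is the bytes 01 02 03 04.
SAMPLE_KSK_LINE = "example.com. 3600 IN DNSKEY 257 3 5 AQID BA=="

if __name__ == "__main__":
    ksk = parse_dnskey(SAMPLE_KSK_LINE)
    rdata = dnskey_rdata(ksk["flags"], ksk["protocol"], ksk["algorithm"], ksk["key_b64"])
    print("KSK:", is_ksk(ksk))
    print("key tag:", key_tag(rdata, ksk["algorithm"]))  # 2060 for the constructed key
    print("DS/DLV rdata:", ds_rdata(ksk))
```

    Feed it the DNSKEY line from your K<zone>.+005+aaaaa.key file: the key tag it prints must equal aaaaa, and the rdata must match the DLV record shown for your zone after upload. Run against the DNSKEY in your trusted-keys statement, it also lets you compare the computed key tag with the one ISC publishes for its key.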

Configuring BIND 9 Resolvers to use DLV

Follow these steps to configure your BIND 9 resolver to use DLV:

  1. Install BIND 9 with OpenSSL.

    Compile and install a supported BIND version with OpenSSL support.

  2. Download ISC's DLV key.

    Get the key from ISC's website

    It is a good idea to take the time to verify the PGP signature on this download. You are going to be building chains of trust using this key, and it's a good idea to verify that the key itself is authentic.

  3. Configure as a trusted key.

    Include the downloaded key in a trusted-keys statement in named.conf. Be certain to use the version you downloaded above; this key, while correct at the time this article was written, may have changed.

    trusted-keys { 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+ju
  4. Enable DNSSEC at run time in named.conf:

    options {
       /* DNSSEC configuration */
       dnssec-enable yes;  // All BIND 9 versions
       dnssec-validation yes; // BIND 9.4.3-P2 and later
    };

  5. Enable DLV

    Tell BIND 9 to use DLV, in addition to normal DNSSEC validation (<dlv-domain> is the DLV registry's domain, the owner name of the key in the trusted-keys statement above):

    options {
        dnssec-lookaside . trust-anchor <dlv-domain>;
    };

  6. Configure logging

    Configure DNSSEC logging to assist in debugging any DNSSEC problems.

    logging {
      channel dnssec_log {
          file "log/dnssec" size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity debug 3;
      };
      category dnssec {
          dnssec_log;
      };
    };

  7. Start BIND 9

    From now on BIND 9 will attempt to DNSSEC-validate answers, consulting DLV whenever the "normal" chain of trust from a configured trusted key cannot be followed.

  8. Test

    Ensure that resolving of both secured and unsecured zones continues to function (replace <resolver> with the address of the resolver you just configured, and the zone placeholders with a signed and an unsigned zone):

    dig +dnssec @<resolver> <secured-zone> soa
    dig @<resolver> <secured-zone> soa
    dig @<resolver> <unsecured-zone> soa
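    What to look for in those answers: a validated answer carries the "ad" (authenticated data) flag, an unsigned zone still answers NOERROR without it, and a SERVFAIL for a zone that resolved before validation was switched on usually means validation failed (the dnssec log channel configured above will say why). The following Python script is an added example, not part of this page or of BIND; it classifies dig output along those lines so the test can be scripted. The dig transcripts in it are constructed samples written in dig's output format, and the function names are ours.

```python
# Added example: classify "dig +dnssec" output so the post-startup checks can be
# scripted. Not part of the ISC DLV documentation or of BIND; the dig transcripts
# below are constructed samples in dig's output format, not captured answers.
import re
import subprocess

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s")  # owner ttl IN type ...


def parse_dig(output: str) -> dict:
    """Pull the rcode, header flags and the record types in the ANSWER section out of dig output."""
    result = {"status": None, "flags": set(), "answer_types": []}
    section = None
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            result["status"] = m.group(2)
            continue
        m = FLAGS_RE.match(line)
        if m:
            result["flags"] = set(m.group(1).split())
            continue
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]
            continue
        if not line.strip() or line.startswith(";"):
            section = None  # a blank line or comment ends the current section
            continue
        m = RR_RE.match(line)
        if m and section == "ANSWER":
            result["answer_types"].append(m.group(3))
    return result


def classify(output: str) -> str:
    """secure: the resolver validated the answer (AD flag set).
    insecure: answered without a chain of trust (expected for an unsigned zone).
    signed-not-validated: RRSIGs came back but AD is clear, so no trust anchor or DLV entry reached the zone.
    servfail: with validation enabled this usually means the answer was judged bogus."""
    r = parse_dig(output)
    if r["status"] == "SERVFAIL":
        return "servfail"
    if r["status"] != "NOERROR":
        return r["status"].lower() if r["status"] else "unparsed"
    if "ad" in r["flags"]:
        return "secure"
    if "RRSIG" in r["answer_types"]:
        return "signed-not-validated"
    return "insecure"


def run_dig(server: str, zone: str) -> str:
    """Query a resolver with dig +dnssec and return the raw text (needs dig on PATH)."""
    proc = subprocess.run(["dig", "+dnssec", f"@{server}", zone, "soa"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed samples (not real captures).
SECURE_SAMPLE = """\
; <<>> DiG 9.6.1 <<>> +dnssec @127.0.0.1 example.com soa
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.\t\t\tIN\tSOA

;; ANSWER SECTION:
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2009010101 7200 3600 1209600 3600
example.com.\t3600\tIN\tRRSIG\tSOA 5 2 3600 20090201000000 20090101000000 2060 example.com. AQID...

;; Query time: 1 msec
"""

INSECURE_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
unsigned.example.\t3600\tIN\tSOA\tns1.unsigned.example. hostmaster.unsigned.example. 1 7200 3600 1209600 3600
"""

SERVFAIL_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

if __name__ == "__main__":
    for name, sample in (("secure", SECURE_SAMPLE), ("insecure", INSECURE_SAMPLE), ("servfail", SERVFAIL_SAMPLE)):
        print(name, "->", classify(sample))
```

    To use it against a live resolver, call classify(run_dig("<resolver>", "<zone>")) for a signed and for an unsigned zone; the signed zone should come back "secure" and the unsigned one "insecure". Anything else after starting BIND points at the trusted-keys or dnssec-lookaside configuration, or at the zone's signatures.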