Comments on Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10

Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10 This guide explains how you can configure DNSSEC on BIND9 (version 9.7.3 that comes with Debian Squeeze/Ubuntu 11.10) on Debian Squeeze and Ubuntu 11.10. It covers how to enable DNSSEC on authoritative nameservers (master and slave) and on resolving nameservers, creation of keys (KSKs and ZSKs), signing of zones, key rolling with rollerd, zone file checking with donuts, creation of trust anchors, using DLV (DNSSEC look-aside validation), and getting your DS records into the parent's zone.

6 Comment(s)


Comments

By: Norbert Seibert

Seems to me as if the IP addresses for NS1 and NS2 are backwards.

In the example NS1 has 192.168.0.100 as master.

NS2 has 192.168.0.101 as slave.

Later on the master shows as 192.168.0.101 and the slave is 192.168.0.100.

Actually no big deal, however someone who strictly follows the howto will possibly wind up in the dark.

Cheers

By: Raman

Setting up DNSSEC on my Nameservers was actually a breeze with this excellent tutorial. Thanks a million.

By: coldje

The example file: pri.example.org sometimes shows example.com and other times example.org. Which is it? This is so confusing. Where's the example sec.example.org file?

By: tom

Nice howto. I tried it on a server with ISPConfig 3. Unfortunately ISPConfig deletes some manual configs whenever any DNS zone file is changed. Any ideas how to solve that?

By: Martin Brampton

After the first run of zonesigner, running donuts reported an error "bad NSEC data, line 307" (the line number depends on the data in the zone). This appears to be a known problem described at https://bugs.launchpad.net/ubuntu/+source/dnssec-tools/+bug/1215093. It can be resolved by adding an extra parameter to the zonesigner command: -szopts "-O full". The example command from the tutorial becomes:

zonesigner -szopts "-O full" -genkeys -usensec3 -zone example.org pri.example.org

Unfortunately, I then ran into a further known problem with donuts, which gives a fatal error: Unknown method 'first'. This is described at http://www.dnssec-tools.org/pipermail/users/2014-August/000194.html. As I experienced this on Raspbian Jessie, it is not certain that the problem has been fixed in Debian 8. Or it could be that Raspbian is behind.
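The workaround in the comment above, wrapped as a small signing script so the zonesigner and donuts steps fail fast with distinct exit codes. This is an added example, not code from the tutorial or from the commenter; it assumes dnssec-tools' zonesigner and donuts are installed, that zonesigner writes its output to `<zonefile>.signed` (its default), and that donuts takes `zonefile domain` as arguments and exits non-zero when it finds errors. The zone and file names are the tutorial's placeholders.

```shell
#!/bin/sh
# Added example: sign a zone with the "-szopts -O full" workaround, then run
# donuts on the result. Assumes zonesigner and donuts from dnssec-tools are on
# PATH; example.org / pri.example.org are the tutorial's placeholder names.

# Build the zonesigner command line as a string. Kept pure (no side effects)
# so the exact arguments can be inspected or checked before anything runs.
# The third argument "genkeys" adds -genkeys, which is only wanted on the
# first signing run; later re-signs reuse the existing keys.
build_zonesigner_cmd() {
    zone="$1"; zonefile="$2"; mode="${3:-resign}"
    genkeys=""
    [ "$mode" = "genkeys" ] && genkeys="-genkeys "
    printf 'zonesigner -szopts "-O full" %s-usensec3 -zone %s %s' \
        "$genkeys" "$zone" "$zonefile"
}

# Sign and check; returns a distinct non-zero code for each failure so the
# script is safe to call from cron or a deployment job.
#   2 = preflight failure (tool or zone file missing)
#   3 = zonesigner failed
#   4 = donuts reported errors (assumes donuts exits non-zero on errors)
sign_and_check() {
    zone="$1"; zonefile="$2"; mode="${3:-resign}"
    signed="${zonefile}.signed"   # zonesigner's default output file name

    for tool in zonesigner donuts; do
        command -v "$tool" >/dev/null 2>&1 \
            || { echo "missing tool: $tool" >&2; return 2; }
    done
    [ -f "$zonefile" ] || { echo "zone file not found: $zonefile" >&2; return 2; }

    cmd=$(build_zonesigner_cmd "$zone" "$zonefile" "$mode")
    echo "running: $cmd"
    eval "$cmd" || return 3

    # Re-run the consistency check that surfaced the NSEC error in the comment.
    donuts -v "$signed" "$zone" || return 4
    echo "$signed signed and passed donuts"
}

# Usage: sh sign.sh example.org pri.example.org genkeys   (first run)
#        sh sign.sh example.org pri.example.org           (re-sign)
if [ "$#" -ge 2 ]; then
    sign_and_check "$@"
fi
```

On the first run pass `genkeys` as the third argument; afterwards omit it so the existing KSK/ZSK pair is reused rather than regenerated.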

By: Ivar

zonesigner -genkeys -usensec3 -zone example.org pri.example.org

Command does not work for me, please help