Configuring DNSSEC On BIND9 (9.7.3) On Debian Squeeze/Ubuntu 11.10 - Page 4

6 Setting The DS Record At The Registry / Setting A DLV Record

If your parent zone is signed, you should set the DS record at the registry - this is preferred over using DLV records at a DLV provider such as

(You can find a list of signed TLDs on and

Unfortunately this task cannot be automated. Some registrar's allow you to upload your DS records (the contents of the /etc/bind/ file) through their web interface, while you can email it to others. Contact your registrar and ask if they support DNSSEC and what the preferred way is to submit your DS records.

If your parent zone isn't signed or your registrar has no way of submitting your DS records to the registry, you can use DLV. For example, you can go to, register and follow their instructions.


7 Key Rolling

server1 (master):

By default, keys (KSKs and ZSKs) expire after some time to make it harder for hackers to compromise them. You can set the expiry date with the -endtime switch when you run zonesigner together with the -genkeys switch. If you don't specify the -endtime switch, the value is taken from /etc/dnssec-tools/dnssec-tools.conf.

Because keys expire, we have to change them - this is called "key rolling". Fortunately, this task can be automated by a daemon called rollerd which takes care of creating new keys, signing zones, etc.

Go to /etc/bind:

cd /etc/bind

Create a file called all.rollrec that contains details about your signed zones, their keys, the contact person for the zone, etc.:

rollinit -zonefile /etc/bind/ -keyrec /etc/bind/ -admin [email protected] >> all.rollrec

Repeat this for every signed zone you have.

Then start the rollerd daemon as follows:

rollerd -rrfile /etc/bind/all.rollrec -directory /etc/bind

The service automatically goes to the background. Unfortunately it has no init script, so we have to add the command to /etc/rc.local (before the exit 0 line) to make it start automatically when the system boots:

vi /etc/rc.local
/usr/sbin/rollerd -rrfile /etc/bind/all.rollrec -directory /etc/bind


8 Automatic Zone File Checks With donutsd

server1 (master):

Finally we can set up automated zone file checks with donutsd (this is optional, but nice to have). donutsd is the damon belonging to the donuts command we used earlier. It runs in the background, checks your signed zones from time to time and sends an email if there's anything wrong.

First, we create the file /etc/bind/checkzones.txt - it has the format <path to signed zone file> <zone name> <email of contact person>:

vi /etc/bind/checkzones.txt

Add your zones, one zone per line:

/etc/bind/      [email protected]

Start the donutsd service afterwards:

donutsd -i /etc/bind/checkzones.txt &

Like rollerd, donutsd has no init script. Therefore we add the following command to /etc/rc.local (before the exit 0 line) to make it start automatically when the system boots:

vi /etc/rc.local
/usr/sbin/donutsd -i /etc/bind/checkzones.txt &

That's it! Have fun with your DNSSEC setup!



About The Author

Falko Timme is the owner of nginx-WebhostingTimme Hosting (ultra-fast nginx web hosting). He is the lead maintainer of HowtoForge (since 2005) and one of the core developers of ISPConfig (since 2000). He has also contributed to the O'Reilly book "Linux System Administration".

Share this page:

Suggested articles

1 Comment(s)

Add comment


By: Popi

Very good tutorial which makes DNSSEC surprisingly easy to implement!