Using the root DNSSEC key in BIND 9 resolvers

To use the signed root zone in DNSSEC validation in your BIND 9 resolvers, you must be running BIND 9.6.2 or higher. Earlier versions do not support the required algorithms to enable validation using the root zone’s key. It is strongly recommended you run BIND 9.7 to use the automatic key updating functionality.

The recommended procedure to use differs for the BIND 9.6 series and later versions, including BIND 9.7. For BIND 9.6.2 and later versions of the BIND 9.6 series, you must use a trusted-keys statement, which must be manually updated when the root’s key changes. For BIND 9.7, the key can be automatically tracked by BIND using a managed-keys statement.

For all supported versions of BIND 9, this section may be added to enable DNSSEC validation. It is not necessary to add this, but it puts in a reminder of how to disable validation should a simple on-off switch be needed.

options {
   dnssec-validation yes;  # enable DNSSEC validation
};

For BIND 9.7 and later versions, using a managed-key allows automatic tracking of the key using a protocol known as RFC-5011.

managed-keys {
  "." initial-key 257 3 8
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
     FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
     bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
     X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
     W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
     Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
     QxA+Uk1ihz0=";
};

For BIND 9.6.2 and later versions of the BIND 9.6 series, this will configure the current root key. Manual updating will be necessary when this key updates, or nearly all DNS requests made to this server will begin failing.

trusted-keys {
  "." 257 3 8
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
     FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
     bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
     X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
     W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
     Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
     QxA+Uk1ihz0=";
};

We hope to make this necessary configuration easier in future releases of BIND 9.

0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Protected with IP Blacklist CloudIP Blacklist Cloud

What is 3 + 7 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)