Using the root DNSSEC key in BIND 9 resolvers

To use the signed root zone for DNSSEC validation in your BIND 9 resolvers, you must be running BIND 9.6.2 or later. The root zone is signed with RSA/SHA-256 (DNSSEC algorithm 8, RFC 5702), and earlier versions do not support that algorithm, so they cannot validate using the root zone's key. It is strongly recommended that you run BIND 9.7, which can track updates to the root key automatically.

The recommended procedure differs between the BIND 9.6 series and later versions, including BIND 9.7. For BIND 9.6.2 and later releases of the 9.6 series, you must use a trusted-keys statement, which has to be updated by hand whenever the root key changes. For BIND 9.7 and later, the key can be tracked automatically by BIND using a managed-keys statement.

For all supported versions of BIND 9, the following section may be added to enable DNSSEC validation. Validation is already on by default (dnssec-validation defaults to yes, and dnssec-enable, which must also be yes, defaults to yes as well), so adding it is not strictly necessary, but it leaves an explicit on/off switch in named.conf for the times validation has to be disabled.

options {
   dnssec-validation yes;  # enable DNSSEC validation
};

For BIND 9.7 and later versions, a managed-keys statement lets BIND track the key automatically using the trust anchor update mechanism defined in RFC 5011. The key given here is only the initial key: once named has validated it, it records the keys it learns through RFC 5011 in its working directory and keeps them current without further edits to named.conf.

managed-keys {
  "." initial-key 257 3 8
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
     FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
     bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
     X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
     W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
     Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
     QxA+Uk1ihz0=";
};

For BIND 9.6.2 and later releases of the 9.6 series, the following configures the current root key as a static trust anchor. It must be updated by hand when the root key is rolled; if it is not, nothing signed under the new root key will validate and nearly all queries to this resolver will begin returning SERVFAIL.

trusted-keys {
  "." 257 3 8
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
     FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
     bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
     X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
     W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
     Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
     QxA+Uk1ihz0=";
};

We hope to make this necessary configuration easier in future releases of BIND 9.
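Before either statement above is copied into named.conf, the key should be checked against an independent source. IANA publishes the root trust anchor in DS form (key tag, algorithm, digest type and a SHA-256 digest over the owner name and the DNSKEY RDATA, RFC 4034 section 5), which is not the DNSKEY form BIND 9.6 and 9.7 require, so the two have to be related by computation. The following is an added example, not ISC's code and not part of BIND: it derives the DS record from the DNSKEY in the statements above and compares it with the SHA-256 digest IANA publishes for that key, using only the Python standard library. The key is the one from this page; the expected digest is copied from IANA's root-anchors.xml for the comparison, and in practice should be fetched from IANA rather than hardcoded.

```python
"""Derive a DS record (RFC 4034, section 5.1.4) from a DNSKEY trust anchor
and compare it with the SHA-256 digest IANA publishes for the root KSK.

Added example for this article; not ISC's code and not part of BIND.
Standard library only. ROOT_KSK_BASE64 is the key from the trusted-keys /
managed-keys statements above; IANA_ROOT_DS_SHA256 is the digest IANA
publishes in root-anchors.xml for that key (copied here for the
comparison; in practice fetch and verify it from IANA).
"""
import base64
import hashlib

# Root KSK exactly as it appears in the named.conf statements above
# (flags 257 = KSK + zone key, protocol 3, algorithm 8 = RSA/SHA-256).
ROOT_KSK_BASE64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)

# SHA-256 DS digest (digest type 2) as published by IANA in root-anchors.xml.
IANA_ROOT_DS_SHA256 = "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-case labels); the root is one zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.lower().encode("ascii") for label in labels) + b"\x00"


def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest = SHA-256(canonical owner name || DNSKEY RDATA), as upper-case hex."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str) -> tuple:
    """Return (key tag, algorithm, digest type 2, digest) for the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return key_tag(rdata), algorithm, 2, ds_sha256(owner, rdata)


def root_anchor_matches(key_b64: str = ROOT_KSK_BASE64,
                        expected_digest: str = IANA_ROOT_DS_SHA256) -> bool:
    """True only if the DNSKEY destined for named.conf hashes to the published DS digest."""
    _tag, _alg, digest_type, digest = ds_record(".", 257, 3, 8, key_b64)
    return digest_type == 2 and digest == expected_digest.upper()


if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(".", 257, 3, 8, ROOT_KSK_BASE64)
    print(f". IN DS {tag} {alg} {dtype} {digest}")
    print("matches IANA root-anchors.xml:", root_anchor_matches())
```

Run as a script it prints the root DS record in zone-file form; a single altered character in the base64 key changes the digest and makes root_anchor_matches() return False, which is the check to run before the key goes into a trusted-keys or managed-keys statement. The same functions work for any DNSKEY by changing the owner name and RDATA fields.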

Comments

What else should I do now?

I saw a comment in a different forum that this article should note that, from a stricter security point of view, the example trust anchors shouldn't naively be copied to named.conf and their validity must be confirmed via some outbound mechanism/procedure.

Maybe you intentionally omit such a level of detail to avoid possible distraction, but I agree this point is worth noting.

BIND should not be installing a trusted key for the DLV into "bind.keys" anymore. It should instead install the key for the signed root. The key for the DLV is unnecessary, as with a signed root, a signed .ORG TLD, and the domain isc.org and its subzone, dlv.isc.org, also being signed and delegated via DS-RRs, there now exists a verifiable signed delegation from the root to the DLV zone, thus making the DLV key unnecessary.

Therefore, please change BIND's installation to install the root DNSSEC key as above (i.e. trusted for 9.6 and managed for 9.7 and later) and omit the DLV's key.

I am new to BIND DNS, and I am reading constantly to try to understand. I am assuming the "managed-keys" is added to "named.conf.options". If I am wrong please correct me. I am using Ubuntu 10.04 LTS by the way. Do I use the key from "bind.keys"?

RFC 4033 states that a trust anchor can be a DS RR hash of a DNSKEY RR. Does BIND support entering such a trust anchor directly in the configuration file?

We don't currently support DS trust anchors, but it is on our feature list. I'm not certain when it will be added to the task list for a development sprint, however.

Is there a reason DS record format is preferred over the entire DNSKEY? DS records are shorter, but technically they are a reference to a key, rather than the key itself.

Is the root key above for BIND 9.6.2 current? The "http://data.iana.org/root-anchors/root-anchors.xml" website lists the key in a somewhat different format (49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5). Is this key on the data.iana.org website the same key listed for BIND 9.6.2 above?