How to validate DNSSEC signed record with dig?

Spain, Dr. Jeffry A. spainj at countryday.net
Wed Feb 8 16:25:01 UTC 2012


William: In my tests of DNSSEC, I have used 'auto-dnssec maintain;' rather than explicitly signing the zone with dnssec-signzone. I believe I recall that you are using bind 9.8, so this should work for you as well. Here's something you can try:

In your bind configuration use the following zone stanza:
zone "toto.com" {
	type master;
	file "/var/lib/bind/toto.com/toto.com.db";
	key-directory "/var/lib/bind/toto.com";
	auto-dnssec maintain;
};

You will probably want to add some access control to this as well.

Now in the directory /var/lib/bind/toto.com (or the directory of your choice as long as it is specified in the configuration above), place all of your *.key and *.private files. Also place your unsigned zone file toto.com.db with contents as follows (Omit the DNSSEC info you currently have at the bottom):

$ORIGIN .
$TTL 17200      ; 4 hours 46 minutes 40 seconds
toto.com.     IN SOA  ns10.boom.fr. postmaster.boom.com. (
                                2012020802 ; serial
                                216000     ; refresh (2 days 12 hours)
                                3600       ; retry (1 hour)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                172800     ; minimum (2 days)
                                )
                        NS      ns.boom.fr.
                        NS      ns2.boom.fr.
                        A       217.128.32.85
$ORIGIN toto.com.
*                       A       217.128.32.85

If you are running bind under a UID other than root, make sure all the files are readable, and that the zone file is writable, by that UID. Restart the bind service, and bind will sign your zone using the keys you have provided as long as their metadata is timed appropriately, i.e. Publish and Activate dates are in the past, and Inactive and Delete dates in the future. To see the metadata, execute 'dnssec-settime -p all your_key_file_name.private'. If you need to change the timing metadata, use dnssec-settime again. See the ARM for details. Caution: dnssec-settime will 'chmod 600' your private key files.

I have been successful with this approach, and hope it works well for you also. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
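The key-timing condition Jeff describes (Publish and Activate in the past, Inactive and Delete unset or in the future) is the usual reason 'auto-dnssec maintain' silently leaves a zone unsigned. The script below is an added example, not part of Jeff's post or of BIND: it parses the output of 'dnssec-settime -p all' and reports which of those four dates would stop BIND from using a key at a given time. The two sample outputs are constructed, and the ctime-style timestamp layout is an assumption about what dnssec-settime prints; 'check_key_file' shells out to the real tool and is only useful where BIND's tools are installed.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample of `dnssec-settime -p all Ktoto.com.+008+12345.private` output
# for a key that is ready to use (all dates are made up for this example).
SAMPLE_OUTPUT = """\
Created: Wed Feb  1 10:00:00 2012
Publish: Wed Feb  1 10:00:00 2012
Activate: Wed Feb  1 10:00:00 2012
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
"""

# Constructed sample of a key whose Inactive date has already passed: BIND will
# keep it published but stop signing with it, so the zone's RRSIGs eventually expire.
EXPIRED_SAMPLE = """\
Created: Sun Jan  1 00:00:00 2012
Publish: Sun Jan  1 00:00:00 2012
Activate: Sun Jan  1 00:00:00 2012
Revoke: UNSET
Inactive: Wed Feb  1 00:00:00 2012
Delete: Thu Mar  1 00:00:00 2012
"""

# Assumed layout of the timestamps dnssec-settime -p prints (ctime(3) style).
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"

# Reference time used by the stand-alone run: the date of the mailing-list reply.
REPLY_TIME = datetime(2012, 2, 8, 16, 25, 1)


def parse_settime_output(text):
    """Map each 'Field: value' line to a datetime, or None when the field is UNSET."""
    times = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line.strip())
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip()
        if not value or value == "UNSET":
            times[field] = None
        else:
            # ctime pads single-digit days with a space ("Feb  1"); collapse it for strptime.
            times[field] = datetime.strptime(" ".join(value.split()), TIME_FORMAT)
    return times


def key_timing_problems(times, now):
    """Return the reasons auto-dnssec maintain would not sign with this key at `now`.

    An empty list means Publish and Activate are in the past and Inactive and
    Delete are either unset or still in the future, i.e. the key is usable.
    """
    problems = []
    for field in ("Publish", "Activate"):
        t = times.get(field)
        if t is None:
            problems.append("%s is UNSET" % field)
        elif t > now:
            problems.append("%s is in the future (%s)" % (field, t.isoformat()))
    for field in ("Inactive", "Delete"):
        t = times.get(field)
        if t is not None and t <= now:
            problems.append("%s has already passed (%s)" % (field, t.isoformat()))
    return problems


def audit(settime_text, now=REPLY_TIME):
    """Convenience wrapper: parse dnssec-settime output and evaluate it at `now`."""
    return key_timing_problems(parse_settime_output(settime_text), now)


def check_key_file(private_key_path, now=None):
    """Run the real dnssec-settime (assumed to be on PATH) against one .private file."""
    out = subprocess.run(["dnssec-settime", "-p", "all", private_key_path],
                         check=True, capture_output=True, text=True).stdout
    return audit(out, now or datetime.now())


if __name__ == "__main__":
    for name, text in (("ready key", SAMPLE_OUTPUT), ("expired key", EXPIRED_SAMPLE)):
        problems = audit(text)
        print(name + ":", "OK" if not problems else "; ".join(problems))
```

Run it over every .private file in the key-directory before restarting BIND; a key that reports a problem here is one BIND will skip, which shows up as a zone with no RRSIGs or with signatures that stop being refreshed.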




More information about the bind-users mailing list