Unlock the power of DNSSEC for your BIND DNS Server with our comprehensive tutorial. Learn how to enable DNSSEC and enhance the security and integrity of your DNS infrastructure.
What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) is a suite of IETF (Internet Engineering Task Force) specifications for securing certain kinds of information provided by the DNS (Domain Name System) as used on IP (Internet Protocol) networks.
It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
How does DNSSEC Work?
DNSSEC (Domain Name System Security Extensions) works by adding cryptographic signatures to DNS records, so that a resolver can check that the data it received is what the zone owner published. Here’s how it works in simple terms:
- Signing Zone Data: The owner of a domain signs the record sets in their zone with a private key. Each signature is published next to the data it covers as an RRSIG record, and the matching public key is published in the zone as a DNSKEY record.
- Chain of Trust: DNSSEC uses a hierarchical “chain of trust”, similar in spirit to a certificate chain. The parent zone publishes a DS record containing a hash of the child zone’s key-signing key and signs that DS record with its own key; this repeats at every level up to the root zone, so each zone’s key is vouched for by the zone above it.
- Validation: A validating resolver (your ISP’s resolver, or a local one) asks for the DNSSEC records along with the answer by setting the DO (DNSSEC OK) bit in its query. It then verifies each RRSIG against the zone’s DNSKEY, and each DNSKEY against the DS record in the parent, link by link.
- Trust Anchors: The chain has to start somewhere. Resolvers are configured with a trust anchor, the public key-signing key of the root zone; BIND ships it built in and keeps it current using the RFC 5011 update mechanism. That key is the starting point for verifying everything below the root.
- Validation Results: If every signature checks out from the answer up to the trust anchor, the data is “secure” and is returned with the AD (Authenticated Data) bit set. If the chain is deliberately absent (the parent has no DS record for the zone), the data is “insecure” and is returned unvalidated, as for any unsigned zone. If a signature is missing or fails to verify, the data is “bogus” and the resolver answers SERVFAIL rather than passing it on.
Overall, DNSSEC helps prevent DNS spoofing, cache poisoning and similar attacks by letting the resolver detect responses that were forged or modified in transit. It does not encrypt queries and does not hide what you look up from anyone on the path.
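The link between a zone’s key and its parent, as an added example (not code from the original article or from BIND): it computes the key tag (RFC 4034 Appendix B) and the DS record (RFC 4034 section 5.1.4) from a DNSKEY line in the format dnssec-keygen writes to its .key files, which is exactly what you hand to your registrar for the key-signing key generated later in this tutorial. The DNSKEY line inside is constructed with a dummy two-byte public key so that the code runs offline; the key tag 1039 it yields belongs to that dummy key only, and the function names are this example’s own.

```python
"""Key tag and DS record from a DNSKEY (RFC 4034 Appendix B.1 and section 5.1.4).

Added example for this tutorial, not code from BIND or from the original article.
SAMPLE_KSK_LINE is constructed with a two-byte dummy public key so the example
runs offline; feed it the DNSKEY line from a real K<zone>.+<alg>+<tag>.key instead.
"""
import base64
import hashlib
import struct

# DS digest types registered by IANA: 1 = SHA-1 (legacy), 2 = SHA-256, 4 = SHA-384.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = name.lower().rstrip(".")
    out = b""
    if labels:
        for label in labels.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label {label!r} in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag: the number in the key file name and in the DS record."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line: str):
    """Parse 'owner [TTL] [IN] DNSKEY flags protocol algorithm base64...' (the .key file format)."""
    fields = line.split(";", 1)[0].split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, protocol, algorithm, pubkey


def ds_record(dnskey_line: str, digest_type: int = 2) -> str:
    """DS RR for the parent zone: digest over canonical owner name || DNSKEY RDATA."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey_line(dnskey_line)
    if not flags & 0x0001:
        raise ValueError("DS records are published for the KSK (SEP flag set, flags 257)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower()} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


# Constructed sample: flags 257 (KSK), algorithm 13, dummy two-byte key "AAE=". Not a real key.
SAMPLE_KSK_LINE = "example.com. IN DNSKEY 257 3 13 AAE="

if __name__ == "__main__":
    print(ds_record(SAMPLE_KSK_LINE))
```

To use it on the key from this tutorial, pass the DNSKEY line (the last, non-comment line) of Kcentlinux.com.+007+60889.key; digest type 2 (SHA-256) is what registrars expect today, and the result should match what BIND’s own dnssec-dsfromkey -2 prints for the same key. A ZSK (flags 256) is rejected on purpose: only the KSK is referenced from the parent.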
Read Also: How to setup DNSSEC in Linux 7

Should I enable DNSSEC?
Whether to enable DNSSEC depends on your specific needs and circumstances. Here are some factors to consider:
- Security: DNSSEC significantly enhances the security and integrity of your DNS infrastructure by preventing various types of DNS attacks, such as DNS spoofing and cache poisoning. If security is a top priority for your organization, enabling DNSSEC is highly recommended.
- Compliance Requirements: In some industries or regions, regulatory compliance mandates the use of DNSSEC to protect against DNS-based attacks. Ensure that you understand any compliance requirements that may apply to your organization.
- Resource Availability: Enabling DNSSEC requires additional resources, including computational power for signing and verifying DNS records, as well as additional bandwidth for larger DNS responses due to the added cryptographic signatures. Evaluate whether your infrastructure can handle these requirements effectively.
- Compatibility: Ensure that your DNS software, resolver software, and DNS clients support DNSSEC. Most modern DNS software and clients do support DNSSEC, but it’s essential to verify compatibility before enabling it.
- Management Complexity: Managing DNSSEC involves handling cryptographic keys, signing zones, and maintaining trust anchors. Consider whether your team has the expertise and resources to manage DNSSEC effectively.
In summary, if security is crucial for your organization and you have the resources and expertise to manage DNSSEC effectively, enabling it is a prudent decision. However, ensure that you weigh the benefits against the associated complexities and requirements before making a decision.
Install Haveged on Rocky Linux
This article assumes you have already configured master and slave DNS servers with BIND on Rocky Linux 8. Here you enable DNSSEC on that same pair of servers.
Connect to your master DNS server, nameserver-01.centlinux.com, as root using an SSH client.
The haveged project provides an easy-to-use, unpredictable random number generator based on an adaptation of the HAVEGE algorithm. It was created to remedy the low-entropy conditions that can occur in the Linux random device under some workloads, especially on headless servers.
Install haveged before you configure DNSSEC so that key generation does not stall waiting for entropy. The dnssec-keygen in the BIND 9.11 packages of Rocky Linux 8 draws from /dev/random unless told otherwise, and on the 4.18 kernel that device can block while the entropy pool is low. On a 5.6 or later kernel /dev/random no longer blocks once seeded, and BIND 9.16 and later no longer use the blocking device at all, so on such systems this step can be skipped.
The haveged package is provided by a third-party repository, so first install the EPEL (Extra Packages for Enterprise Linux) yum repository on your server.
dnf install -y epel-release
Build the yum cache for the newly installed repository.
dnf makecache
Now install haveged with the dnf command.
dnf install -y haveged
Enable and start haveged.service.
systemctl enable --now haveged.service
Enable DNSSEC on Master DNS Server
To enable DNSSEC, configure the following settings on your primary DNS server (master).
Edit the named.conf configuration file with the vim text editor.
vi /etc/named.conf
Locate the following two directives in the options block and make sure they are set as shown.
dnssec-enable yes;
dnssec-validation yes;
dnssec-enable is what makes named include RRSIG and NSEC3 records in its answers; it is on by default in BIND 9.11 and is deprecated in later releases, which always serve signed answers. dnssec-validation only affects answers this server resolves recursively, so it does no harm on an authoritative server, and the Rocky Linux 8 default named.conf already supplies the root trust anchor it needs by including /etc/named.root.key. Do not add a dnssec-lookaside directive: DNSSEC Lookaside Validation (DLV) was shut down by ISC in 2017, BIND 9.11 only logs a warning for it, and later releases treat it as an obsolete option.
Create a Zone Signing Key (ZSK) by executing the following commands at the Linux bash prompt. The keys are created in /var/named so that the relative file names used below resolve both for dnssec-signzone and for named, whose working directory is /var/named.
cd /var/named
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE centlinux.com
Output:
Generating key pair......+++++ ..........................................................+++++
Kcentlinux.com.+007+64074
The tool writes two files, Kcentlinux.com.+007+64074.key (the public DNSKEY record) and Kcentlinux.com.+007+64074.private; 007 is the algorithm number and 64074 the key tag. The .private file is created with mode 0600 and must stay that way. NSEC3RSASHA1 (algorithm 7) is SHA-1 based and RFC 8624 marks it NOT RECOMMENDED for signing new zones; distributions that have disabled SHA-1 in their system crypto policy, RHEL 9 among them, either cannot validate it or treat such a zone as unsigned. For a new deployment use -a ECDSAP256SHA256 (algorithm 13) and drop the -b option; the rest of this procedure is unchanged except that the key file names carry +013+ instead of +007+.
Create a Key Signing Key (KSK) by executing the following command.
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE centlinux.com
Output:
Generating key pair....................++++ .........................................................................................................++++
Kcentlinux.com.+007+60889
Include the generated public keys in your zone file so that the DNSKEY records become part of the zone. Use single quotes: inside double quotes the shell expands $include to an empty string and appends a line that neither dnssec-signzone nor named can load. The relative paths resolve against /var/named, the directory both tools work in.
echo '$INCLUDE Kcentlinux.com.+007+64074.key' >> /var/named/centlinux.com
echo '$INCLUDE Kcentlinux.com.+007+60889.key' >> /var/named/centlinux.com
Sign the zone with the dnssec-signzone command.
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o centlinux.com -t centlinux.com
-3 selects NSEC3 for authenticated denial of existence, with the random 16-hex-digit salt as its argument; -A additionally sets the NSEC3 opt-out flag; -N INCREMENT bumps the SOA serial so that the secondary transfers the new version; -o names the zone origin, -t prints signing statistics, and the final argument is the zone file. Two of these choices are worth revisiting. Opt-out exists for large zones with many unsigned delegations and weakens denial of existence, so leave -A out for a zone like this one; and RFC 9276 recommends an empty salt and no extra hash iterations (-3 - -H 0), because the salt adds nothing to security. Each signature is valid for 30 days from signing unless -e sets another end time, which is why a hand-signed zone has to be re-signed regularly.
Output:
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
centlinux.com.signed
Signatures generated: 19
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Signing time in seconds: 0.039
Signatures per second: 476.692
Runtime in seconds: 0.044
The command above wrote the signed zone to /var/named/centlinux.com.signed and left the unsigned file untouched.
Check the signed zone file for errors.
named-checkzone centlinux.com /var/named/centlinux.com.signed
Output:
zone centlinux.com/IN: loaded serial 2022070402 (DNSSEC signed)
OK
The above output shows that your zone file is now DNSSEC signed.
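A check on the validity window of the signatures in the .signed file, as an added example that is not part of the original article or of BIND: it parses RRSIG records in the output format dnssec-signzone writes (including parenthesised multi-line records, $ORIGIN directives and omitted owner names) and reports signatures that are expired, about to expire, or not yet valid, which is the check a hand-signed zone needs before its 30-day window runs out. The zone fragment inside is constructed for the example with fake signature data, not real output from centlinux.com, and the function names are this example’s own.

```python
"""Report RRSIGs in a dnssec-signzone output file that are expired, expiring or not yet valid.

Added example for this tutorial; not BIND code. dnssec-signzone gives each
signature a 30-day validity window by default, so a zone signed by hand must
be re-signed before that window closes. SAMPLE_SIGNED_ZONE is a constructed
fragment in dnssec-signzone's output style with fake signature data.
"""
from datetime import datetime, timedelta, timezone

SAMPLE_SIGNED_ZONE = """\
$ORIGIN .
$TTL 86400      ; 1 day
centlinux.com           IN SOA  nameserver-01.centlinux.com. hostmaster.centlinux.com. (
                                2022070402 ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        RRSIG   SOA 7 2 86400 (
                                20220803115433 20220704115433 64074 centlinux.com.
                                bm90IGEgcmVhbCBzaWduYXR1cmU= )
                        NS      nameserver-01.centlinux.com.
                        RRSIG   NS 7 2 86400 (
                                20220901000000 20220704115433 64074 centlinux.com.
                                bm90IGEgcmVhbCBzaWduYXR1cmU= )
$ORIGIN centlinux.com.
www                     A       192.168.116.128
                        RRSIG   A 7 3 86400 (
                                20220601000000 20220502000000 64074 centlinux.com.
                                bm90IGEgcmVhbCBzaWduYXR1cmU= )
"""


def utc(stamp: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def records(text: str, origin: str = "."):
    """Yield (owner, fields) per logical record: joins '(' ')' continuations, strips
    comments, applies $ORIGIN, and reuses the previous owner when a line is indented."""
    owner, buf, depth, indented = None, [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:
            indented = line[0] in " \t"
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue
        fields, buf, depth = " ".join(buf).split(), [], 0
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):        # $TTL, $INCLUDE: directives, not records
            continue
        if not indented:
            name = fields.pop(0)
            if name == "@":
                owner = origin
            elif name.endswith("."):
                owner = name
            else:
                owner = f"{name}.{origin.lstrip('.')}"
        if owner is None:
            raise ValueError("record without an owner name")
        yield owner, fields


def parse_rrsig(owner: str, fields):
    """Dict for an RRSIG record (RFC 4034 section 3.2 presentation format), else None."""
    if "RRSIG" not in fields:
        return None
    i = fields.index("RRSIG")
    covered, algorithm, _labels, _ttl, expiration, inception, keytag, signer = fields[i + 1:i + 9]
    return {"owner": owner, "covered": covered, "algorithm": int(algorithm), "keytag": int(keytag),
            "signer": signer, "inception": utc(inception), "expiration": utc(expiration)}


def rrsig_status(text: str, now: datetime, warn: timedelta = timedelta(days=7)):
    """(owner, covered type, status) for each RRSIG that is expired, expiring within
    `warn`, or not yet valid; healthy signatures are omitted."""
    problems = []
    for owner, fields in records(text):
        sig = parse_rrsig(owner, fields)
        if sig is None:
            continue
        if now < sig["inception"]:
            status = "not-yet-valid"
        elif sig["expiration"] <= now:
            status = "expired"
        elif sig["expiration"] - now <= warn:
            status = "expiring"
        else:
            continue
        problems.append((owner, sig["covered"], status))
    return problems


def needs_resign(text: str, now: datetime, warn: timedelta = timedelta(days=7)) -> bool:
    """True when at least one signature is outside, or close to the edge of, its window."""
    return bool(rrsig_status(text, now, warn))


if __name__ == "__main__":
    for owner, rtype, status in rrsig_status(SAMPLE_SIGNED_ZONE, utc("20220728000000")):
        print(f"{status:14} {rtype:6} {owner}")
```

On the real file, read /var/named/centlinux.com.signed and pass datetime.now(timezone.utc) as now; a non-empty result from a cron job is the cue to re-run dnssec-signzone and reload the zone. The 7-day warning margin is this example’s choice, not a BIND default.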
Edit your zone configuration file with the vim text editor.
vi /etc/named.conf.local
Update the file path so that it points to the signed zone file. Because the zone was signed by hand, named must not try to sign it as well: leave auto-dnssec and inline-signing out of this zone, and leave out key-directory too (it takes one directory, such as "/var/named", never a glob like "/var/named/*.keys"). The reverse zone is left unsigned in this article.
Two things follow from signing by hand. The signatures in the .signed file expire 30 days after signing, so before then you edit the unsigned zone, run dnssec-signzone again and reload the zone with rndc. If you would rather have named keep the signatures fresh itself, point file at the unsigned /var/named/centlinux.com instead and add key-directory "/var/named";, auto-dnssec maintain; and inline-signing yes; to the zone: named then creates and maintains /var/named/centlinux.com.signed on its own, which on Rocky Linux requires the SELinux boolean named_write_master_zones to be turned on, since named is otherwise not allowed to write zone files there. Separately, validating resolvers only treat the zone as secure once the parent zone publishes a DS record for your KSK: generate it from Kcentlinux.com.+007+60889.key with BIND’s dnssec-dsfromkey tool and submit it through your registrar.
zone "centlinux.com" {
type master;
allow-transfer {192.168.116.129; };
also-notify {192.168.116.129; };
file "/var/named/centlinux.com.signed";
};
zone "116.168.192.in-addr.arpa" {
type master;
allow-transfer {192.168.116.129; };
also-notify {192.168.116.129; };
file "/var/named/116.168.192.in-addr.arpa";
};
Check the configuration with named-checkconf, then restart named.service to apply the changes.
systemctl restart named.service
Enable DNSSEC on Slave DNS Server
Now connect to your secondary DNS server (slave), nameserver-02.centlinux.com, as root using an SSH client.
Edit the named.conf configuration file with the vim text editor.
vi /etc/named.conf
Locate the following two directives in the options block and make sure they are set as shown. dnssec-enable is what makes the secondary serve the RRSIG and NSEC3 records it receives from the master (it is on by default in BIND 9.11); dnssec-validation only matters for queries this server resolves recursively.
dnssec-enable yes;
dnssec-validation yes;
As on the master, do not add a dnssec-lookaside directive: DLV has been shut down since 2017, BIND 9.11 only logs a warning for it, and later releases treat it as an obsolete option.
Edit your zone configuration file with the vim text editor.
vi /etc/named.conf.local
The secondary holds no private keys and signs nothing: it receives the already signed zone from the master by zone transfer, so its zone definition needs no DNSSEC directives (no key-directory, auto-dnssec or inline-signing). Update the file path if you want the local copy to be named after the signed zone; the name only decides where named writes the transferred data.
zone "centlinux.com" {
type slave;
masters { 192.168.116.128; };
file "/var/named/centlinux.com.signed";
};
zone "116.168.192.in-addr.arpa" {
type slave;
masters { 192.168.116.128; };
file "/var/named/116.168.192.in-addr.arpa";
};
Check the configuration with named-checkconf, then restart named.service to apply the changes.
systemctl restart named.service
After the restart, named transfers both zones from the master DNS server (the master’s allow-transfer and also-notify settings permit this), signatures included.
Check the transferred zone file for errors. If named-checkzone reports that the file is not a text zone file, named stored the copy in its binary raw format, the default for secondary zones since BIND 9.9; add -f raw to the command in that case.
named-checkzone centlinux.com /var/named/centlinux.com.signed
zone centlinux.com/IN: loaded serial 2022070402 (DNSSEC signed)
OK
The above output shows that the secondary is serving the DNSSEC-signed copy of the zone. As a final check from any host, query each server for the zone’s DNSKEY records with dig and the +dnssec option; RRSIG records in the answer confirm that the signatures are being served.
Also Read:
Configure Authoritative DNS Server in CentOS 7
Configure Caching Only DNS Server in CentOS 7
Frequently Asked Questions (FAQs)
1. What problem does DNSSEC solve?
DNSSEC prevents DNS spoofing and cache poisoning by ensuring that DNS responses are authentic and haven’t been altered by attackers.
2. Is DNSSEC the same as DNS over HTTPS (DoH) or DNS over TLS (DoT)?
No. DNSSEC validates DNS data integrity, while DoH and DoT encrypt DNS queries for privacy. They serve different security purposes.
3. What are DNSSEC “keys” and “signatures”?
DNSSEC uses a Zone Signing Key (ZSK) to sign the zone’s record sets and a Key Signing Key (KSK) to sign the DNSKEY record set that publishes both keys. The parent zone’s DS record is a hash of the KSK, which is what links the zone into the chain of trust. The signatures themselves are RRSIG records published beside the data they cover.
4. Do I need DNSSEC for my domain?
If your website handles sensitive data (e.g., banking, logins), DNSSEC adds an extra layer of security. For basic sites, it’s optional but recommended.
5. How do I enable DNSSEC?
If a DNS provider hosts your zone, enable it in their control panel; some offer one-click activation. If you run your own authoritative servers, as in this article, you generate the keys and sign the zone yourself, then publish the DS record for your KSK through your domain registrar so that the chain of trust reaches your zone.
Final Thoughts
Enabling DNSSEC for your BIND DNS server is a crucial step in enhancing the security and integrity of your DNS infrastructure. DNSSEC (Domain Name System Security Extensions) ensures that DNS responses are authentic and have not been tampered with during transit. By implementing DNSSEC, you protect your domain from potential attacks, such as cache poisoning and spoofing, and provide an additional layer of trust for your users.
After configuring and enabling DNSSEC, it’s essential to test and verify that the DNSSEC records and signatures are functioning correctly. Regular monitoring of your DNS server’s logs and ensuring timely key rotations are critical practices to maintain the integrity and reliability of your DNSSEC setup. With DNSSEC enabled, your BIND DNS server will provide secure and trustworthy DNS resolution, reinforcing the overall security of your network infrastructure.