How to sign your zones

I wrote a Makefile to take care of all the annoying work for me.

How to do it the Industrial Strength way

You should look at opendnssec, and industrial strength system, that manages the Key and Signing Policies (KASP), and key lifetimes. It uses PKCS#11 modules for key storage, which means you can read my doc for using a TPM as a HSM, or just use SoftHSM.

How to do it the hard way

Generate a KSK (Key Signing Key). This is a key you keep secure, locked in a box somewhere, preferably offline.

 /usr/sbin/dnssec-keygen \
-a RSASHA256        \
-b 2048             \
-f KSK              \
-n ZONE             \
-k ${key_directory} \

Also create a ZSK (Zone Signing Key). This is the key you use to sign the zone with. It will be signed with the KSK. This key should be rotated more often, and thus can be shorter (and thus not take up so much space in the DNS packet).

 /usr/sbin/dnssec-keygen \
    -a RSASHA256         \
    -b 1024              \
    -n ZONE              \
    -k ${key_directory}  \

Now you have your keys, sign the zone:

  /usr/sbin/dnssec-signzone  \
     -a                     \
     -N unixtime            \
     -K ${key_directory}    \
     -d ${dskeys_directory} \
     -o ${ZONE_ORIGIN}      \
     -S                     \

You should end up with a file called ${ZONE_FILE}.signed, configure bind to use this file instead of the original, sudo /usr/sbin/rndc reload

Wait until your signed zone has propergated to all your nameservers, verify with dig +dnssec @ns1.${ZONE_ORIGIN} ${ZONE_ORIGIN} soa or equivilent.

Take the data from ${dskeys_directory}/dskey-${ZONE_ORIGIN}. and give it to your parent zone for them to include.

IMPORTANT: Remember to resign your zones frequently (eg: from cron daily), the RRSIG records contain an expiry time for the signature (it's in the format of YYYYMMDDhhmmss, so it's easy to see). Don't let it expire. I have make -B -C /etc/bind in an executable file in /etc/cron.daily.

You're now done.


You can put SSH FP records in your zone to complete the trust delegation all the way to your ssh server.

DANE would also be cool, but afaik no browsers currently support it. Boo.