
Sign Your Zone

So you've read all about the DNS Vulnerability and you want to sign your zone. You've come to the right place! The DNSSEC-Tools package makes it easy to sign your zone quickly with as little hassle as possible. This page describes the steps you need to go through, many of which you're already doing.

Don't like words? Watch the video!

If you'd rather watch a video, please see the Getting Started with DNSSEC video.

Power User Quick Start

If you just want to get going without much help:
  • Install Everything
  • First run: zonesigner -genkeys -zone example.com db.example.com
  • Future runs: zonesigner -zone example.com db.example.com

Install DNSSEC-Tools

Start by installing the DNSSEC-Tools package; this page should help you get it installed on your system. After installation, run dtinitconf to set up your dnssec-tools.conf configuration file.

Start with your zone file

You'll need the zone file for your domain. Whether it's edited by hand or generated, it'll be the starting point. For our example purposes, we'll use the following very simple zone:

Place this zone file in a directory where you don't mind some other related files being placed alongside it. In the process of signing your zone, we'll need to generate some keys for you and store some other signing-related state data.

Sign it the first time

We'll now use zonesigner to sign the zone file. zonesigner makes use of the BIND tools, so you'll need the BIND software installed as well as Perl. The first time, we'll need to add the -genkeys option to instruct zonesigner that we wish to generate new keys for the zone (since you don't have any yet). Simply run zonesigner as follows (the bold is the command that was run, and everything else is the output):

We now have a new file in the same directory called example.com.signed. Take a look at it if you like. Note the time we highlighted in RED that shows when your new signatures expire. In other words:

This is the single biggest change to running a zone with DNSSEC support, so I'll say it again in a different way:

Resigning your zone

Every time you change the contents of your zone, you'll need to resign it (you can continue using the original zone file, like our example.com file in this example). Even if you don't change your data, as mentioned above, you should resign your zone once a month. But let's say we added a new www2 record to the example.com file:

Then we simply run zonesigner again, but this time without the -genkeys option. That's it! Not much more to it! See below for other information, but you now know enough to get started. There are other very good DNSSEC kits to use, but it doesn't get much simpler than this!
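The signature expiry that this page highlights is worth checking mechanically between monthly re-signs. As an added example (not part of this page or of DNSSEC-Tools), here is a small Python checker that reads the RRSIG records from a BIND-format signed zone such as example.com.signed and lists the signatures that have expired or will expire within a warning window; the zone excerpt embedded in it is constructed for illustration and its signature blobs are placeholders.

```python
"""Report which RRSIGs in a BIND-format signed zone are about to expire. Added
example, not DNSSEC-Tools/zonesigner code; zone excerpt and signatures are constructed."""
from datetime import datetime, timedelta, timezone
SAMPLE_SIGNED_ZONE = """\
example.com.     86400 IN SOA   ns1.example.com. hostmaster.example.com. 2024020101 3600 900 604800 86400
                 86400 IN RRSIG SOA 8 2 86400 20240301000000 (
                         20240201000000 12345 example.com.
                         AAAAsignatureplaceholder== )
www.example.com.  3600 IN A     192.0.2.10
                  3600 IN RRSIG A 8 3 3600 20240315000000 (
                         20240215000000 12345 example.com.
                         BBBBsignatureplaceholder== )
"""

def _logical_records(text):
    """Join BIND '( ... )' multi-line records into single lines, dropping comments."""
    records, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):   # blank line or $TTL/$ORIGIN
            continue
        buf.append(line.strip() if depth else line)    # first line keeps its indent
        depth += line.count("(") - line.count(")")
        if depth == 0:
            records.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    return records

def parse_ts(stamp):
    """RRSIG timestamp (YYYYMMDDHHMMSS, always UTC) -> aware datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_expirations(zone_text):
    """Return [(owner, type_covered, expiration)] for every RRSIG in the zone."""
    found, owner = [], None
    for rec in _logical_records(zone_text):
        tokens = rec.split()
        if not rec[0].isspace():      # explicit owner; indented records inherit it
            owner = tokens[0]
        if "RRSIG" not in tokens:
            continue
        i = tokens.index("RRSIG")     # RRSIG <type> <alg> <labels> <ttl> <expiry> ...
        found.append((owner, tokens[i + 1], parse_ts(tokens[i + 5])))
    return found

def signatures_needing_resign(zone_text, now, warn_days=7):
    """RRSIGs already expired or expiring within warn_days of `now` (datetime or stamp)."""
    deadline = (parse_ts(now) if isinstance(now, str) else now) + timedelta(days=warn_days)
    return [r for r in rrsig_expirations(zone_text) if r[2] <= deadline]
```

Run it against your own signed zone with the current time as `now`; anything it returns is a signature that a missed resign would leave expired, which validating resolvers treat as a failure.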

Other Options

zonesigner has a lot of options and you may wish to use some of them. One worth mentioning here is the -zone option, which you need if your file name doesn't match your zone name. For example, if your file name were db.example.com, you'd need to add the -zone flag to indicate the zone name:

Other Resources

The DNSSEC-Tools package has a number of other tools that will help zone administrators both with DNSSEC and with DNS in general.
  • The Authoritative Zone Administrator tutorial describes some of these other tools and how to use them.
  • The zonesigner page provides more details on the zonesigner tool itself.
  • The Recursive Server page describes how to configure your recursive resolver to use DNSSEC validation so that it checks the responses it receives from other zones.