How to add DNSSEC Records in Bind/Named DNS server

[Sandeep B.]

In this tutorial I’m going to instruct you how you can generate and enable DNSSEC security for DNS. This is most requested instruction by the visitors.

DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types like A, AAAA, MX, CNAME, etc. By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and wasn’t altered en-route, opposed to a fake record injected in a man-in-the-middle attack.

First install haveged to generate keys :

EL/centos/redhat

yum install -y haveged
systemctl enable haveged

In below command examples replace “domain.tld” with your domain name

Second Change the Directory to /var/named :

cd /var/named/

Third generate ZSK Key :

dnssec-keygen -L 3600 -a RSASHA256 -b 2048 -r /dev/urandom domain.tld

Fourth generate KSK key

dnssec-keygen -L 3600 -r /dev/urandom -f KSK -a RSASHA256 -b 4096 domain.tld

Fifth adding keys to domain zone file

cat /var/named/Kdomain.tld.+008+*.key >> /var/named/domain.tld.db

Sixth sign the zone file :

dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.db

Seventh only for el7/centos 7 edit named configuration file /etc/named.conf and add this line (don't add this line on el8/centos 8 stream/almalinux 8 and above as this will not work):

dnssec-lookaside auto;

** find this lines dnssec-enable yes; dnssec-validation yes; add dnssec-lookaside auto; after it

Now you need to edit domain zone file config in /etc/named.conf and rename the zone file to signed :

// zone domain.tld
zone "domain.tld" {type master; file "/var/named/domain.tld.db";};
// zone_end domain.tld

to

// zone domain.tld
zone "domain.tld" {type master; file "/var/named/domain.tld.db.signed";};
// zone_end domain.tld

Centos/el/RHEL Reload/Restart the named service :

service named reload
or
systemctl reload named

and you’re done.

[Ling]

This does not work on Almalinux 8 anymore as bind cannot be restarted after the modification. Also

dnssec-lookaside auto;

is obsolete nowadays and leads to a syntax error.

Is there any solution for CWP as of today?

We are getting a lot of DNS attacks here and DNSSEC would really help a lot. We have the PRO version so this request is rather basic and trivial.

[Ling]

On 9/13/2023 at 3:51 PM, Ling said:

This does not work on Almalinux 8 anymore as bind cannot be restarted after the modification. Also

dnssec-lookaside auto;

is obsolete nowadays and leads to a syntax error.

Is there any solution for CWP as of today?

We are getting a lot of DNS attacks here and DNSSEC would really help a lot. We have the PRO version so this request is rather basic and trivial.

Now I can confirm that your recipe still works after removing the line

dnssec-lookaside auto;

from it, as it is not supported any longer.

The main problem was that this recipe only can be applied one single time. After rollback to virgin I tried it again without above line and bind can be started now.

 

[Ling]

Now I can confirm that your recipe still works after removing the line

dnssec-lookaside auto;

from it, as it is not supported any longer.

The main problem was that this recipe only can be applied one single time. After rollback to virgin I tried it again without above line and bind can be started now.

 

[Sandeep B.]

15 hours ago, Ling said:

Now I can confirm that your recipe still works after removing the line

dnssec-lookaside auto;

from it, as it is not supported any longer.

The main problem was that this recipe only can be applied one single time. After rollback to virgin I tried it again without above line and bind can be started now.

 

great thanks for the information topic updated

[Ling]

Thanks for updating the recipe. You also should make clear that repeated use of this procedure will most likely lead to errors in the bind file and prevent bind from restart. Even the syntax checker can not find those errors. So this only works with a virgin config not using dnssec yet.

Best practice is to make a backup of all config files and roll back from there, if bind refuses to restart due to a typo in the domain name or something like that.

Or you write a script which does all this.

DNSSEC and mod_evasive helped significantly to reduce overload attacks on our server and is definitely a must for CWP, so you should move this thread over there.