In today’s internet infrastructure, DNSSEC (Domain Name System Security Extensions) plays a vital role in preventing forged or tampered DNS responses.
This guide walks you step-by-step through creating a new DNS zone and enabling DNSSEC signing to ensure data integrity and trust.
1. What Is DNSSEC?
DNSSEC adds cryptographic signatures to DNS records so that a validating resolver can check that the data was signed with the zone's private key and has not been altered in transit. It provides origin authentication and integrity, not confidentiality: responses still travel in the clear, and what is proven is that the answer matches what the zone owner published, not which server delivered it.
Key components:
- ZSK (Zone Signing Key) – signs the zone's record sets (A, MX, TXT, etc.), producing RRSIG records
- KSK (Key Signing Key) – signs the DNSKEY record set, which holds the public halves of both the KSK and the ZSK
- DS (Delegation Signer) – a hash of the KSK's DNSKEY record, published in the parent zone; it is the link that joins your zone to the chain of trust that starts at the root
2. Prerequisites
Before starting:
- You own the domain name (e.g., example.com).
- Your registrar supports DNSSEC and allows you to upload a DS record.
- You’re running a working BIND DNS server (this guide uses BIND as the example).
3. Create the Zone File
Create /etc/bind/db.example.com:
$TTL 86400
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2025110501 ; Serial (YYYYMMDDnn)
                3600       ; Refresh
                900        ; Retry
                1209600    ; Expire
                86400 )    ; Minimum (negative-cache TTL)
@       IN NS   ns1.example.com.
@       IN NS   ns2.example.com.
ns1     IN A    203.0.113.1
ns2     IN A    203.0.113.2
@       IN A    203.0.113.10
www     IN A    203.0.113.20
The NS records carry an explicit @ owner. A record line that begins with whitespace inherits the owner of the previous record, but a line that begins with IN in the first column is read as a record for a host named IN, so do not let an editor strip the indentation. Bump the serial every time you edit the file; secondaries only transfer the zone when the serial increases. Check the file with named-checkzone example.com /etc/bind/db.example.com before loading it.
4. Add the Zone to BIND
Edit /etc/bind/named.conf.local:
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    key-directory "/etc/bind/keys";   // where the keys from step 5 live
    auto-dnssec maintain;
    inline-signing yes;
};
(type primary is the newer spelling of type master; both are accepted.)
The auto-dnssec maintain and inline-signing yes directives let BIND sign the zone itself and add, roll and remove DNSKEY records according to the timing metadata on the key files (publish, activate, inactive and delete dates). They do not generate keys: the keys from step 5 must be in key-directory and readable by the user BIND runs as (bind on Debian). Without key-directory, BIND looks for keys in its working directory (/var/cache/bind on Debian) and will not find them. inline-signing keeps your hand-edited file unsigned and maintains a separate signed copy, so you keep editing db.example.com as before. In BIND 9.16 and later, the dnssec-policy statement replaces both directives and can also generate and roll keys for you; auto-dnssec is deprecated there and has been removed in BIND 9.20.
5. Generate DNSSEC Keys
In your key directory (the one named by key-directory, e.g., /etc/bind/keys/):
cd /etc/bind/keys
# Generate Zone Signing Key (ZSK)
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com
# Generate Key Signing Key (KSK)
dnssec-keygen -f KSK -a RSASHA256 -b 4096 -n ZONE example.com
This will produce four files (the numbers 12345 and 67890 are key tags and will be different on your system):
Kexample.com.+008+12345.key
Kexample.com.+008+12345.private
Kexample.com.+008+67890.key
Kexample.com.+008+67890.private
The +008+ part is the algorithm number (8 = RSASHA256). You can tell the two keys apart by the flags field on the DNSKEY line inside each .key file: 257 is the KSK, 256 is the ZSK. The .private files must be readable by the user BIND runs as and by nobody else; if you ran dnssec-keygen as root, chown them to that user. For new zones, ECDSAP256SHA256 (algorithm 13, -a ECDSAP256SHA256 with no -b) is the current recommendation: keys and signatures are far smaller than 2048/4096-bit RSA, which keeps responses below the sizes that cause fragmentation and truncation, and validators are required to support it.
6. Sign the Zone
The zone statement was just added, so BIND has to load the new configuration before there is anything to sign; rndc reload example.com only works for a zone that is already loaded. Check the configuration, then reconfigure:
named-checkconf
rndc reconfig
(For later edits to the unsigned zone file, rndc reload example.com is the right command: BIND picks up the change and re-signs only the affected records.) BIND reads the keys from key-directory, signs the zone, and keeps the signed copy next to the configured zone file as db.example.com.signed, together with a .jnl journal:
/etc/bind/db.example.com.signed
That directory must be writable by the user BIND runs as. On Debian, /etc/bind is not, which is why zones that BIND maintains itself are normally kept under /var/cache/bind; if you put the zone file there (and adjust the file path in the zone statement), the signed copy is /var/cache/bind/db.example.com.signed. This signed copy is what BIND serves; do not edit it by hand. rndc signing -list example.com shows whether signing has completed, and the BIND log records any key it could not load.
7. Generate and Submit the DS Record
Create a DS record from the KSK (and only from the KSK; the ZSK never appears in the parent):
dnssec-dsfromkey -a SHA-256 Kexample.com.+008+67890.key
Output example:
example.com. IN DS 67890 8 2 1234567890ABCDEF...
The fields are key tag (67890), algorithm (8 = RSASHA256), digest type (2 = SHA-256) and the digest. Without -a, older versions of dnssec-dsfromkey also print a SHA-1 (digest type 1) DS; SHA-1 DS records are deprecated (RFC 8624), so submit the SHA-256 one. Submit this DS record to your domain registrar, which publishes it in the parent zone to complete the trust chain. Registrar forms often ask for the four fields separately rather than the whole record, and a few ask for the DNSKEY instead and derive the DS themselves. Keep the KSK's private key safe: once the DS is published, replacing the KSK means publishing the new DS first, waiting out the parent's TTL, and only then retiring the old key.
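The key-tag and digest arithmetic behind the DS record, and the comparison you want when a check reports "DS mismatch", as an added Python example that is not part of this guide or of BIND: it derives a DS from the text of a .key file the same way dnssec-dsfromkey does (owner name in wire form, then the DNSKEY RDATA, hashed) and checks it against the DS string entered at the registrar. The key material in it is a constructed four-byte dummy, not a real key, and the function names are this example's own.

```python
"""Compute a KSK's key tag and DS record (RFC 4034 section 5.1.4 and Appendix B)
and compare the result with the DS that was entered at the registrar.

Added example, not from the original guide or from BIND. The sample key below
is dummy material (four bytes, base64 "AQIDBA=="), so the DS it yields only
illustrates the arithmetic; feed the functions the text of your own
Kexample.com.+008+NNNNN.key file instead.
"""
import base64
import hashlib

# DS digest type numbers (IANA registry) -> hashlib names
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed sample in the shape dnssec-keygen writes to a .key file.
# Flags 257 = KSK (256 would be a ZSK), protocol 3, algorithm 13 (ECDSAP256SHA256).
SAMPLE_KSK_FILE = """\
; This is a key-signing key, keyid 2068, for example.com.
example.com. IN DNSKEY 257 3 13 AQIDBA==
"""


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text: str):
    """Parse a DNSKEY in presentation format (.key file or dig output).
    Returns (owner, flags, protocol, algorithm, public key bytes)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "DNSKEY" not in line:
            continue
        tokens = [t for t in line.split() if t not in ("(", ")")]
        i = tokens.index("DNSKEY")  # tolerate an optional TTL/class before the type
        flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        pubkey = base64.b64decode("".join(tokens[i + 4:]))
        return tokens[0], flags, proto, alg, pubkey
    raise ValueError("no DNSKEY record found")


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: the number in the file name and in the DS record."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(dnskey_text: str, digest_type: int = 2) -> str:
    """Build the DS record for a DNSKEY; digest type 2 (SHA-256) is the usual choice."""
    owner, flags, proto, alg, pubkey = parse_dnskey(dnskey_text)
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    # The digest covers the owner name in wire form followed by the DNSKEY RDATA.
    digest = hashlib.new(DIGEST_ALGS[digest_type], name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def parse_ds(ds_text: str):
    """Return (key tag, algorithm, digest type, digest) from a DS in presentation format."""
    tokens = ds_text.split()
    i = tokens.index("DS")
    return int(tokens[i + 1]), int(tokens[i + 2]), int(tokens[i + 3]), "".join(tokens[i + 4:]).upper()


def ds_matches(registrar_ds: str, dnskey_text: str) -> bool:
    """True when the DS the registrar published commits to this KSK.
    Whitespace and letter case in the digest are ignored, as registrar forms vary."""
    tag, alg, dtype, digest = parse_ds(registrar_ds)
    if dtype not in DIGEST_ALGS:
        return False
    return parse_ds(ds_record(dnskey_text, dtype)) == (tag, alg, dtype, digest)


if __name__ == "__main__":
    print(ds_record(SAMPLE_KSK_FILE))
    bogus = "example.com. IN DS 2068 13 2 " + "00" * 32
    print("registrar DS matches:", ds_matches(bogus, SAMPLE_KSK_FILE))
```

Paste the DS exactly as the registrar's control panel shows it into ds_matches together with the contents of your KSK's .key file; a False result before any key change means the wrong key (typically the ZSK) or a mistyped digest was submitted.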
8. Verify DNSSEC Operation
After your registrar publishes the DS record, first confirm it is visible in the parent:
dig example.com DS
Then query through a validating resolver:
dig @8.8.8.8 example.com +dnssec
If the answer contains RRSIG records alongside the A record and the header's flags line shows ad (Authenticated Data), the resolver validated the chain from the root down to your zone. The ad flag is set by the resolver, not by your server, so you must ask a validating resolver; a SERVFAIL from it usually means the chain is broken, and adding +cd (checking disabled) to the query returns the unvalidated records so you can see what was served. Alternatively, use:
delv example.com
to get detailed validation output; it reports "fully validated" on success and names the failing step otherwise.
9. Common Issues and Troubleshooting
| Symptom | Possible Cause |
|---|---|
| No RRSIG records in the answer | Zone not signed, keys not found in key-directory, or BIND not reconfigured/reloaded |
| SERVFAIL; the DS key tag in the parent matches no RRSIG over your DNSKEY set | DS record at registrar doesn't match your current KSK |
| SERVFAIL from validating resolvers after a key change | Key rotation or trust chain broken (stale DS, expired RRSIGs, wrong server clock) |
| RRSIGs present but no ad flag from public resolvers | Zone signed but no DS published: works locally, but validators treat the zone as unsigned |
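The checks in step 8 and the table above, turned into a small decision procedure, as an added Python example that is not part of this guide: it parses the text that dig prints (status line, flags line, answer records) and maps what it finds onto the table's rows. It needs three responses: your authoritative server's DNSKEY answer, the parent's DS answer, and an answer from a validating resolver. The key-tag rule it applies is that the DS in the parent must name the key that produced the RRSIG over the DNSKEY set, because that signature is made by the KSK. All responses below are constructed; the signatures, digest and key tags are made up.

```python
"""Map dig-style output onto the DNSSEC troubleshooting table.

Added example, not from the original guide or from BIND. The sample responses
are constructed text in dig's output format; nothing here talks to the network.
"""
import re

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)

DIGEST = "0123456789ABCDEF" * 4  # placeholder 64-hex-char SHA-256 digest

# `dig @ns1.example.com example.com DNSKEY +dnssec` (constructed). The RRSIG over the
# DNSKEY set is made by the KSK; its key tag (2068) is what the parent's DS must name.
DNSKEY_SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  3600  IN  DNSKEY  257 3 13 AQIDBA==
example.com.  3600  IN  DNSKEY  256 3 13 BQYHCA==
example.com.  3600  IN  RRSIG   DNSKEY 13 2 3600 20251201000000 20251101000000 2068 example.com. c2lnbmF0dXJl
"""
# Same query against a zone that was never signed (constructed).
DNSKEY_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
# `dig example.com DS` answered from the parent zone (constructed), in three states.
PARENT_DS_OK = f"""\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  86400  IN  DS  2068 13 2 {DIGEST}
"""
PARENT_DS_STALE = PARENT_DS_OK.replace("DS  2068", "DS  11111")  # DS for a KSK that is gone
PARENT_DS_NONE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
com.  900  IN  SOA  ns.parent.example. hostmaster.parent.example. 1 1800 900 604800 86400
"""
# `dig @8.8.8.8 example.com +dnssec` (constructed): validated, and failing validation.
RESOLVER_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  3600  IN  A      203.0.113.10
example.com.  3600  IN  RRSIG  A 13 2 3600 20251201000000 20251101000000 43021 example.com. c2lnbmF0dXJl
"""
RESOLVER_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def status(dig_output: str) -> str:
    m = STATUS_RE.search(dig_output)
    return m.group(1) if m else "UNKNOWN"


def header_flags(dig_output: str) -> set:
    m = FLAGS_RE.search(dig_output)
    return set(m.group(1).split()) if m else set()


def rdata(dig_output: str, rrtype: str) -> list:
    """RDATA token lists of every record of the given type; comment lines are skipped."""
    found = []
    for line in dig_output.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(";") or "IN" not in tokens:
            continue
        i = tokens.index("IN")  # owner [ttl] IN type rdata...
        if tokens[i + 1] == rrtype:
            found.append(tokens[i + 2:])
    return found


def rrsig_key_tags(dig_output: str) -> dict:
    """Covered type -> key tags of the RRSIGs over it.
    RRSIG RDATA: covered alg labels orig_ttl expiration inception keytag signer signature."""
    tags = {}
    for r in rdata(dig_output, "RRSIG"):
        tags.setdefault(r[0], set()).add(int(r[6]))
    return tags


def ds_key_tags(dig_output: str) -> set:
    """Key tags named by DS records (DS RDATA: keytag alg digesttype digest)."""
    return {int(r[0]) for r in rdata(dig_output, "DS")}


def diagnose(dnskey_answer: str, parent_ds_answer: str, resolver_answer: str) -> str:
    """Return "OK" or the matching symptom from the troubleshooting table."""
    ksk_tags = rrsig_key_tags(dnskey_answer).get("DNSKEY", set())
    if not ksk_tags:
        return "No RRSIG records"       # zone not signed, or BIND never loaded the keys
    ds_tags = ds_key_tags(parent_ds_answer)
    if not ds_tags:
        return "Zone signed but no DS"  # validators see an insecure delegation
    if not ds_tags & ksk_tags:
        return "DS mismatch"            # parent commits to a KSK that does not sign DNSKEY
    if status(resolver_answer) == "SERVFAIL" or "ad" not in header_flags(resolver_answer):
        return "Validation failure"     # chain looks right, yet the resolver did not validate
    return "OK"
```

To use it on a live zone, capture the three dig outputs to files and pass their contents to diagnose(); the key-tag comparison is the quickest way to spot a DS left behind from a previous KSK.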
🔚 Conclusion
DNSSEC significantly enhances the security of your domain by letting resolvers detect forged or altered DNS data.
For internal or private zones there is no parent to publish a DS in, so the DS step does not apply; signing still works, but validating resolvers will only check your signatures if you configure the zone's KSK as a trust anchor on them (the trust-anchors statement in BIND). Without that, they treat the zone as unsigned.
For public domains, always complete the full trust chain: a signed zone with no DS at the parent gives validators nothing to verify against.