DNSSEC Validation the Easy Way
Problem:
You want your recursive BIND server to perform DNSSEC validation, but you don't have much time to invest.
Solution:
ISC BIND 9 (in all currently supported versions at the time of this writing) contains a built-in copy of the root zone KSK (key signing key). Activating validation using this trust anchor requires only one non-default setting in the options statement of your named.conf:
options { ... dnssec-validation auto; ... };
With that added, run rndc reconfig and you are done.
Note when using multiple views
The dnssec-validation auto; option may also be set per view, where a view is providing recursive service. When sharing a cache among views with attach-cache, the option must be the same for all affected views.
How do I override the built-in trust anchor?
Simply download this file: https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11. Save it as your bindkeys-file (the default path/filename is "/etc/bind.keys"). If you have an incorrect or outdated managed-keys database in your named working directory (or in the directory set with the managed-keys-directory option), delete the files managed-keys.bind and managed-keys.bind.jnl before starting named. (Yes, the 9.11 file version works for all later versions of BIND 9.)