Contents x
DNSSEC Validation the Easy Way
  • 22 Jul 2021
  • 1 Minute to read
  • Contributors
  • Print
  • Dark
    Light
  • PDF
Contents

DNSSEC Validation the Easy Way

  • Updated on 22 Jul 2021
  • 1 Minute to read
  • Contributors
  • Print
  • Dark
    Light
  • PDF
Article Summary

Problem:

You want your recursive BIND server to perform DNSSEC validation, but you don't have much time to invest.

Solution:

ISC BIND 9 (in all currently supported versions at the time of this writing) contains a built-in copy of the root zone KSK (key signing key). To activate validation using this trust anchor requires only one non-default setting in your named.conf options statement:

options { ... dnssec-validation auto; ... };

With that added, rndc reconfig and you are done.

Note when using multiple views
The dnssec-validation auto; option may also be set per view, where a view is providing recursive service. When sharing a cache among views with attach-cache, the option must be the same for all affected views.
How do I override the built-in trust anchor?
Simply download this file: https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11. Save it as your bindkeys-file (default path/filename is "/etc/bind.keys"). If you have an incorrect or outdated managed-keys database in your named working directory (or as changed with the managed-keys-directory option), delete the files called managed-keys.bind and managed-keys.bind.jnl before starting named. (Yes, the 9.11 file version works for all later versions of BIND 9.)
What's Next

Cookie consent

We use our own and third-party cookies to understand how you interact with our Knowledgebase. This helps us show you more relevant content and ads based on your browsing and navigation history.