Last updated: 2026-02-11
BIND DNSSEC Configuration Guide
This guide provides recommended DNSSEC settings for BIND (Berkeley Internet Name Domain). DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that responses have not been tampered with. This guide covers both authoritative zone signing and resolver-side validation.
Prerequisites
- BIND 9.16 or later (for dnssec-policy and inline-signing support)
- bind-dnssec-utils or equivalent package providing dnssec-keygen, dnssec-signzone and dnssec-dsfromkey
- Access to the parent zone's registrar (or parent zone operator) to publish DS records
DNSSEC Overview
DNSSEC uses a chain of trust from the DNS root to your zone:
- ZSK (Zone Signing Key) -- Signs individual DNS records in the zone
- KSK (Key Signing Key) -- Signs the DNSKEY RRset and is referenced by the parent zone's DS record
- DS Record -- Published in the parent zone, linking the parent's chain of trust to your KSK
- RRSIG -- Cryptographic signatures over each RRset
- NSEC/NSEC3 -- Authenticated denial of existence
Authoritative Server Configuration
Using dnssec-policy (Recommended)
BIND 9.16+ supports dnssec-policy for fully automated key generation, signing, and rollover:
dnssec-policy "standard" {
    keys {
        // KSK: never rolled automatically; rollover is operator-initiated (see below)
        ksk key-directory lifetime unlimited algorithm ecdsap256sha256;
        // ZSK: rolled automatically every 90 days, no parent interaction needed
        zsk key-directory lifetime P90D algorithm ecdsap256sha256;
    };
    dnskey-ttl 3600;
    publish-safety PT1H;
    retire-safety PT1H;
    purge-keys P90D;
    // Re-sign an RRSIG once fewer than 5 days of its 14-day validity remain
    signatures-refresh P5D;
    signatures-validity P14D;
    signatures-validity-dnskey P14D;
    // Timing inputs BIND uses to compute safe key publish/retire intervals
    max-zone-ttl 86400;
    zone-propagation-delay PT5M;
    parent-ds-ttl 3600;
    parent-propagation-delay PT1H;
    // NSEC3 with zero extra iterations, no salt and no opt-out (RFC 9276)
    nsec3param iterations 0 optout no salt-length 0;
};
Apply the policy to a zone. For a zone loaded from a file, inline-signing yes is required (a dynamic zone with allow-update or update-policy can instead be signed in place); keep it explicit rather than relying on a release enabling it implicitly:
zone "example.com" {
type primary;
file "/var/named/example.com.zone";
dnssec-policy "standard";
inline-signing yes;
key-directory "/var/named/keys";
};
Algorithm Selection
Use ECDSAP256SHA256 (algorithm 13) for new deployments. It provides strong security with small key and signature sizes, which keeps responses small enough to avoid fragmentation and makes signing cheap. Recommendations follow RFC 8624:

| Algorithm | ID | Recommendation |
|---|---|---|
| RSASHA256 | 8 | Acceptable (use 2048-bit minimum) |
| RSASHA512 | 10 | Not recommended for new signing deployments (RFC 8624); validators must still support it |
| ECDSAP256SHA256 | 13 | Recommended |
| ECDSAP384SHA384 | 14 | Acceptable |
| ED25519 | 15 | Good; confirm that your registrar and the resolvers you care about support it before choosing it |
Automatic Key Rollover
The dnssec-policy handles key rollover automatically based on the configured lifetimes. The ZSK lifetime of P90D (90 days) triggers automatic ZSK rollovers, which need no action at the parent because the DS references only the KSK. The KSK lifetime of unlimited means a KSK rollover must be initiated by the operator:
rndc dnssec -rollover -key <keyid> example.com
BIND then pre-publishes the new KSK but will not retire the old one until it knows the new DS is visible at the parent. After you publish the new DS record, tell BIND it is there (releases with parental-agents support can instead poll the parent automatically):
rndc dnssec -checkds -key <keyid> published example.com
Monitor key states; the output lists each key's goal and its current DNSKEY, RRSIG and DS states, so a rollover stuck waiting for the parent is visible here:
rndc dnssec -status example.com
Manual Key Generation
If not using dnssec-policy, generate keys manually:
# Generate KSK
dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com
# Generate ZSK
dnssec-keygen -a ECDSAP256SHA256 example.com
Include the public keys in your zone file. The numbers in the file names are the key tags assigned at generation; use the file names that dnssec-keygen printed (12345 and 67890 are placeholders):
$INCLUDE Kexample.com.+013+12345.key
$INCLUDE Kexample.com.+013+67890.key
Sign the zone. -3 - selects NSEC3 with an empty salt and -H 0 sets zero additional hash iterations, matching the nsec3param line in the dnssec-policy above (RFC 9276); -N INCREMENT bumps the SOA serial and -t prints signing statistics. Do not add -A: it turns on NSEC3 opt-out, which leaves unsigned delegations without authenticated denial of existence and lets an attacker insert forged delegations below the zone.
dnssec-signzone -3 - -H 0 -N INCREMENT -o example.com -t example.com.zone
The signed zone is written to example.com.zone.signed; point the zone's file directive at that file. Signatures made by dnssec-signzone are valid for 30 days by default, so a manually signed zone must be re-signed on a schedule well before its RRSIGs expire, which is the main operational reason to prefer dnssec-policy.
DS Record Publication
After signing your zone, extract the DS record for the KSK and publish it at your registrar or parent zone. With dnssec-policy the KSK file lives in key-directory; the key tag in the file name is whatever BIND or dnssec-keygen assigned (12345 is a placeholder):
dnssec-dsfromkey -a SHA-256 /var/named/keys/Kexample.com.+013+12345.key
This outputs a DS record whose fields are key tag, algorithm, digest type and digest (without -a the tool may also print other digest types):
example.com. IN DS 12345 13 2 ABCDEF1234567890...
Publish the SHA-256 (digest type 2) DS record with your domain registrar; do not publish a SHA-1 (digest type 1) record for a new deployment. Until the DS exists at the parent, the zone is signed but not in the chain of trust, and validating resolvers treat it as insecure rather than bogus. Once the registrar confirms the DS is live, check it from outside your network (dig example.com DS +short) and, if the zone uses dnssec-policy, run rndc dnssec -checkds -key <keyid> published example.com so that BIND records the DS as published.
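A DS record is a digest over the owner name in wire form followed by the DNSKEY RDATA, and the key tag is a 16-bit checksum of that RDATA (RFC 4034 section 5.1.4 and Appendix B). The script below, added here and not part of this guide or of BIND, implements both and then checks a set of DS lines fetched from the parent (for example the lines printed by dig example.com DS +short) against the KSK, reporting a missing or mismatched DS and a DS that points at a key without the SEP flag. It uses only the standard library; the DNSKEY in its __main__ block is a constructed placeholder, not a real key.

```python
"""DS record construction and parent/child DS consistency check.

Added example, not code from the BIND guide or from BIND itself. Computes the
key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4) for a
DNSKEY and checks that a DS fetched from the parent matches.
"""
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1 (legacy), 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # Secure Entry Point bit: set on a KSK (flags 257), clear on a ZSK (256)


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased labels, absolute, root = 0x00."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire form: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey_text(text):
    """Parse presentation-format DNSKEY RDATA such as '257 3 13 AQIDBA=='.

    dig +multiline splits the base64 over several tokens, so everything after
    the algorithm field is joined before decoding.
    """
    flags, proto, alg, *key = text.split()
    return dnskey_rdata(int(flags), int(proto), int(alg), base64.b64decode("".join(key)))


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner, rdata, digest_type=2):
    """Presentation-format DS RDATA: '<key tag> <algorithm> <digest type> <HEX digest>'."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def check_ds(owner, dnskey_text, parent_ds_lines):
    """Compare the expected DS for a DNSKEY against the DS lines the parent serves.

    parent_ds_lines are RDATA strings as printed by `dig <zone> DS +short`;
    the digest may be split over several tokens or lower-cased. Returns a list
    of problems; an empty list means a matching DS exists at the parent.
    """
    rdata = parse_dnskey_text(dnskey_text)
    problems = []
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & SEP_FLAG:
        problems.append(f"key {key_tag(rdata)} lacks the SEP flag (flags={flags}); the DS should point at the KSK")
    expected = {}
    for dt in DIGEST_ALGS:
        tag, alg, _, digest = ds_rdata(owner, rdata, dt).split()
        expected[dt] = (int(tag), int(alg), digest)
    matched = False
    for line in parent_ds_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        tag, alg, dt = int(parts[0]), int(parts[1]), int(parts[2])
        digest = "".join(parts[3:]).upper()
        if dt in expected and (tag, alg, digest) == expected[dt]:
            matched = True
        elif tag == expected[2][0] and alg == expected[2][1]:
            problems.append(f"parent DS for key {tag} uses digest type {dt} but the digest does not match")
    if not matched:
        problems.append(f"no DS at the parent matches key tag {expected[2][0]} algorithm {expected[2][1]}")
    return problems


if __name__ == "__main__":
    # Constructed placeholder DNSKEY (not a real ECDSA key) and a DS derived from it.
    dnskey = "257 3 13 AQIDBA=="
    ds = ds_rdata("example.com.", parse_dnskey_text(dnskey))
    print("expected DS:", ds)
    print("problems:", check_ds("example.com.", dnskey, [ds]))
```

Feed check_ds the KSK line from dig example.com DNSKEY +short and the lines from dig example.com DS +short; a non-empty result after a KSK rollover means the parent is still serving the old DS and the old key must not be retired yet.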
Resolver Configuration (DNSSEC Validation)
Configure BIND as a validating resolver:
options {
directory "/var/named";
// Enable DNSSEC validation
dnssec-validation auto;
// Use the built-in root trust anchors
// (managed-keys-directory for RFC 5011 auto-updates)
managed-keys-directory "/var/named/dynamic";
bindkeys-file "/etc/named.root.key";
recursion yes;
allow-recursion { localnets; localhost; };
};
The dnssec-validation auto; setting uses the compiled-in root zone trust anchor, follows root KSK rollovers via RFC 5011 (state is kept in managed-keys-directory), and validates every signed zone that chains to the root. Unsigned zones are treated as insecure and still resolve; only zones whose signatures fail to validate are answered with SERVFAIL.
Trust Anchors
BIND ships with the root zone trust anchor. A custom trust anchor makes BIND trust that key directly, without consulting the parent's DS, so it is only appropriate for internal zones that cannot be chained to the root, and it must be updated whenever that zone's KSK is rolled or validation for the zone will start failing. initial-key enables RFC 5011 tracking of the key's successors; static-key pins the key permanently:
trust-anchors {
example.com. initial-key 257 3 13 "base64-encoded-key-data";
};
Complete Configuration
Authoritative Server
// /etc/named.conf
options {
directory "/var/named";
listen-on { any; };
listen-on-v6 { any; };
allow-transfer { none; };
allow-query { any; };
recursion no;
// Key directory for DNSSEC keys
key-directory "/var/named/keys";
};
// DNSSEC signing policy
dnssec-policy "standard" {
keys {
ksk key-directory lifetime unlimited algorithm ecdsap256sha256;
zsk key-directory lifetime P90D algorithm ecdsap256sha256;
};
dnskey-ttl 3600;
publish-safety PT1H;
retire-safety PT1H;
purge-keys P90D;
signatures-refresh P5D;
signatures-validity P14D;
signatures-validity-dnskey P14D;
max-zone-ttl 86400;
zone-propagation-delay PT5M;
parent-ds-ttl 3600;
parent-propagation-delay PT1H;
nsec3param iterations 0 optout no salt-length 0;
};
// Signed zone
zone "example.com" {
type primary;
file "/var/named/example.com.zone";
dnssec-policy "standard";
inline-signing yes;
key-directory "/var/named/keys";
};
Validating Resolver
// /etc/named.conf (resolver)
options {
directory "/var/named";
listen-on { 127.0.0.1; 10.0.0.1; };
recursion yes;
allow-recursion { localnets; localhost; };
dnssec-validation auto;
managed-keys-directory "/var/named/dynamic";
bindkeys-file "/etc/named.root.key";
// Rate limiting
rate-limit {
responses-per-second 10;
};
// Minimal responses
minimal-responses yes;
};
zone "." {
type hint;
file "named.ca";
};
Verification
Check that a zone is signed:
dig @localhost example.com DNSKEY +dnssec +multiline
Verify RRSIG records exist:
dig @localhost example.com A +dnssec
Look for the ad (Authenticated Data) flag in the flags line of the response (flags: qr rd ra ad). A SERVFAIL instead of an answer usually means validation failed; repeating the query with +cd (checking disabled) returns the unvalidated data so you can see what is wrong:
dig @resolver example.com A +dnssec
Use delv for detailed DNSSEC validation:
delv @localhost example.com A +rtrace
Verify that the DS record at the parent matches the KSK (compare with the dnssec-dsfromkey output; key tag, algorithm, digest type and digest must all agree):
dig example.com DS +short
Check the DNSSEC chain of trust with drill from the ldns package (not part of BIND):
drill -S example.com
Check the DNSSEC signing status in BIND:
rndc dnssec -status example.com
rndc zonestatus example.com
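The dig checks above are what an operator runs by hand; the script below, added here and not code from this guide or from BIND, turns them into a check that can run from monitoring. It parses the text printed by a query such as dig @resolver example.com A +dnssec and reports the conditions behind most DNSSEC outages: the ad flag missing, an answer RRset with no covering RRSIG, an RRSIG made by a key tag that is not in the zone's DNSKEY set, and a signature with less life left than the policy's signatures-refresh interval, which means the signer has stalled. SAMPLE_DIG is constructed output, not a real capture, and the key tags passed as known_key_tags are assumed to come from rndc dnssec -status or dnssec-dsfromkey.

```python
"""Health check over `dig ... +dnssec` output.

Added example, not code from this guide or from BIND. Parses dig output and
reports missing validation, missing or stale RRSIGs, and unknown signing keys.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed, abridged `dig example.com A +dnssec` output. RRSIG timestamps are
# YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2); key tag 2068 and the base64
# signature are placeholders.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t\t3600\tIN\tA\t192.0.2.1
example.com.\t\t3600\tIN\tRRSIG\tA 13 2 3600 20260225120000 20260211120000 2068 example.com. c2lnbmF0dXJl
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
TIMESTAMP = "%Y%m%d%H%M%S"


def utc(*args):
    """Build a timezone-aware UTC datetime, e.g. utc(2026, 2, 15, 12)."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_dig(text):
    """Return (header flags as a set, ANSWER-section records as (owner, ttl, type, rdata))."""
    flags, records, in_answer = set(), [], False
    for line in text.splitlines():
        if line.startswith(";; flags:"):
            flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line.startswith(";; "):
            in_answer = line.startswith(";; ANSWER SECTION")
        elif in_answer and line.strip():
            m = RR_LINE.match(line)
            if m:
                records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return flags, records


def rrsig_fields(rdata):
    """Split RRSIG RDATA into (type covered, algorithm, expiration, inception, key tag)."""
    f = rdata.split()
    expiration = datetime.strptime(f[4], TIMESTAMP).replace(tzinfo=timezone.utc)
    inception = datetime.strptime(f[5], TIMESTAMP).replace(tzinfo=timezone.utc)
    return f[0], int(f[1]), expiration, inception, int(f[6])


def check_response(text, now, known_key_tags, refresh_days=5):
    """Return a list of problems found in a dig response; empty means healthy.

    known_key_tags: key tags of the DNSKEYs currently in the zone. refresh_days
    mirrors the policy's signatures-refresh (P5D): a zone whose signer is
    running never serves an RRSIG closer to expiry than that.
    """
    flags, records = parse_dig(text)
    refresh = timedelta(days=refresh_days)
    problems = []
    if "ad" not in flags:
        problems.append("AD flag not set: the resolver did not validate this answer")
    covered = set()
    for owner, _, rtype, rdata in records:
        if rtype != "RRSIG":
            continue
        typ, _, expiration, inception, tag = rrsig_fields(rdata)
        covered.add((owner, typ))
        if tag not in known_key_tags:
            problems.append(f"RRSIG over {owner} {typ} made by unknown key tag {tag}")
        if now < inception:
            problems.append(f"RRSIG over {owner} {typ} not yet valid (inception {inception:%Y-%m-%d %H:%M})")
        elif expiration <= now:
            problems.append(f"RRSIG over {owner} {typ} expired at {expiration:%Y-%m-%d %H:%M}")
        elif expiration - now < refresh:
            problems.append(f"RRSIG over {owner} {typ} expires in {expiration - now}, "
                            "less than signatures-refresh: is the signer running?")
    for owner, _, rtype, _ in records:
        if rtype != "RRSIG" and (owner, rtype) not in covered:
            problems.append(f"{owner} {rtype} has no covering RRSIG")
    return problems


if __name__ == "__main__":
    for problem in check_response(SAMPLE_DIG, utc(2026, 2, 22, 12), {2068}) or ["no problems found"]:
        print(problem)
```

Run it against real dig output captured shortly after each signing cycle; an "expires in" finding with a healthy ad flag is the early warning that named has stopped re-signing (for example because the key directory became unwritable), several days before resolvers start returning SERVFAIL.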