Secure DNS
Revision as of 21:09, 10 September 2005
Introduction
The DNS Security Extensions, also known as DNSSEC, make it possible to verify the authenticity and integrity of data obtained from the domain name system. DNSSEC only pays off on the resolver side: a validating resolver checks the signatures on the data it receives from DNS servers and discards answers that do not validate. Authoritative name servers need no changes beyond serving the additional DNS records that carry the public keys and signatures (DNSKEY, RRSIG and NSEC), which a DNSSEC-capable server such as BIND 9.3 already does. Note that DNSSEC provides authentication and integrity only; it does not encrypt queries or responses.
Quick How-To
There is an excellent howto available from RIPE at [1].
What You Need
- BIND 9.3
- For example available in Debian Testing or Unstable. To get it into Debian Stable put the testing sources into /etc/apt/sources.list, e.g.
deb http://ftp.de.debian.org/debian etch main
deb http://security.debian.org/ etch/updates main
and into /etc/apt/apt.conf:
APT::Default-Release "3.1*"
The Default-Release setting keeps stable (3.1) as the default release, so only the packages you pin explicitly come from testing and the rest of the system is not upgraded. You can then install bind 9.3 with
apt-get install bind9/testing libisccc0/testing dnsutils/testing
Key-Management
It's best to generate two keypairs for each zone: a key-signing key (KSK) and a zone-signing key (ZSK).
- Key-signing key
- The key-signing key is used only to sign the zone's DNSKEY record set, which contains the zone-signing key. It is the key that is passed to the parent zone (as a delegation signer, i.e. a DS record) or configured in validating resolvers as a trusted secure entry point. If this key is rolled over, the parent and every resolver that trusts it have to be updated, so it is usually generated larger and rolled rarely.
- Zone-signing key
- This key actually signs the zone data. If it is rolled over, only the zone's DNSKEY set has to be re-signed with the key-signing key (and the zone data with the new zone-signing key); no external notification is necessary.
The keys are generated with
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE snug.local
for the zone-signing key and
dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE snug.local
for the key-signing key (where snug.local is the name of the zone). The -f KSK option sets the secure-entry-point bit, so the key-signing key shows up with flags 257 in its DNSKEY record and the zone-signing key with 256. A 2048-bit DSA key cannot be generated here: dnssec-keygen in BIND 9 limits DSA keys to 512 to 1024 bits, which is why RSASHA1 is used for the larger key-signing key as well. Each call writes a Ksnug.local.+005+NNNNN.key file containing the public DNSKEY record and a matching .private file, where 005 is the algorithm number of RSASHA1 and NNNNN the key tag. Keep the .private files readable only by the user that signs the zone. On a headless machine dnssec-keygen may block for a long time waiting for /dev/random; -r /dev/urandom avoids the wait.
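To see what the two keys look like once generated, and what exactly gets handed to the parent zone and to resolvers, here is an added example in Python (not code from the page or from BIND). It reads the presentation form of a DNSKEY record as found in the .key files written by dnssec-keygen, tells KSK from ZSK by the flags field, computes the RFC 4034 key tag (the NNNNN in the file name), builds the DS record for the parent and a named.conf trusted-keys stanza for resolvers. The two sample records are constructed: their 4-byte "public key" is a placeholder, not a real RSA key, and the zone name snug.local is taken from the page.

```python
"""Key roles, key tags, DS records and trust anchors for a DNSSEC zone.

Added example, not part of the original page and not BIND code. The sample
DNSKEY records below are constructed: the base64 part decodes to the four
placeholder bytes 00 10 00 20, not to a real RSA public key.
"""
import base64
import hashlib
import struct

# Constructed samples in the format dnssec-keygen writes to K<zone>.+005+NNNNN.key:
# flags 257 = ZONE + SEP bits (a KSK), flags 256 = ZONE bit only (a ZSK),
# protocol 3, algorithm 5 (RSASHA1).
SAMPLE_KSK = "snug.local. IN DNSKEY 257 3 5 ABAAIA=="
SAMPLE_ZSK = "snug.local. IN DNSKEY 256 3 5 ABAAIA=="


def parse_dnskey(line):
    """Split 'owner [ttl] [class] DNSKEY flags proto alg base64...' into fields."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return {"owner": fields[0], "flags": flags, "protocol": proto,
            "algorithm": alg, "pubkey": pubkey}


def rdata(key):
    """Wire-format RDATA of the DNSKEY: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]


def key_tag(key):
    """RFC 4034 appendix B key tag over the RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(key):
    """0x0100 is the Zone Key bit; 0x0001 is the Secure Entry Point bit set by -f KSK."""
    if not key["flags"] & 0x0100:
        return "not a zone key"
    return "KSK" if key["flags"] & 0x0001 else "ZSK"


def wire_name(name):
    """Owner name in wire format, lower-cased as the DS digest input requires."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(key):
    """DS record (digest type 1, SHA-1) that the parent zone publishes for a KSK."""
    digest = hashlib.sha1(wire_name(key["owner"]) + rdata(key)).hexdigest().upper()
    return "%s IN DS %d %d 1 %s" % (key["owner"], key_tag(key), key["algorithm"], digest)


def trusted_keys_stanza(key):
    """named.conf trusted-keys entry that makes this KSK a secure entry point."""
    b64 = base64.b64encode(key["pubkey"]).decode("ascii")
    return 'trusted-keys {\n    "%s" %d %d %d "%s";\n};' % (
        key["owner"].rstrip("."), key["flags"], key["protocol"], key["algorithm"], b64)


if __name__ == "__main__":
    for line in (SAMPLE_KSK, SAMPLE_ZSK):
        k = parse_dnskey(line)
        print(key_role(k), "key tag", key_tag(k))
        if key_role(k) == "KSK":
            print(ds_record(k))
            print(trusted_keys_stanza(k))
```

Only the KSK goes to the parent and into trusted-keys; the ZSK never leaves the zone. The DS digest type 1 (SHA-1) is what parents accepted at the time of this page; where the parent supports digest type 2 (SHA-256, RFC 4509), publish that instead or in addition.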