Symptom:

As of 15 July 2010, the root DNS zone is DNSSEC signed.

Problem:

How do I configure a resolving (recursive) BIND DNS server to use the DNSSEC information in the root zone and validate the answers it returns?

Solution:

Requirements:
  • BIND 9.6.2 or better (compiled with RSASHA256 support)
  • the DNS Root Trust Anchor

BIND 9.6.2 (and all 9.6.x versions above 9.6.2)

In your BIND named.conf configuration, add the following lines. The trusted-keys block is new; the dnssec-validation option belongs in your existing options block (named.conf allows only one options block):

trusted-keys {
  . 257 3 8 
  "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
     FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
     bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
     X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
     W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
     Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
     QxA+Uk1ihz0=";
};

options {
  dnssec-validation yes;
};

and restart the BIND DNS Server.

BIND 9.7.x

Starting with BIND 9.7.0, the trust anchor can be managed automatically according to RFC 5011 (Automated Updates of DNS Security (DNSSEC) Trust Anchors). Replace the trusted-keys block with a managed-keys block (the dnssec-validation yes; option in the options block stays as above):

managed-keys {
   "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
};

and restart the BIND DNS Server.

Manually verifying the keys

You should never blindly trust cryptographic keys published on web pages like this one (the editor of the page could have made a typo, the server hosting the site may have been hacked ...).

To verify the key material, use the sequence below:

dig dnskey . @a.root-servers.net +noall +answer > root-zone-dnssec.key

This command writes the root zone's DNSKEY records to the file "root-zone-dnssec.key". The answer contains both the key-signing key (flags 257) and the zone-signing key (flags 256); compare the record with flags 257 against the key material in your BIND configuration file. It must match.

dnssec-dsfromkey -2 root-zone-dnssec.key

This command (dnssec-dsfromkey from BIND 9.6.2 or later is required) generates the delegation signer "DS" record for the root zone's DNSKEY. The DS record is a hash (here SHA-256, selected by -2) over the owner name and the DNSKEY data. Compare this DS record with the hash published on the official IANA website ( http://data.iana.org/root-anchors/ ).

The hash you find in the root-anchor file(s) on the IANA website must match the DS record data generated from the root zone's DNSKEY.
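The following Python is an added example, not part of the original page or of BIND: it does by hand what the dnssec-dsfromkey -2 step does, building the DNSKEY RDATA from the key material shown above, computing the RFC 4034 key tag and the SHA-256 DS digest over the root owner name plus the RDATA, and comparing the result with a DS line copied from the IANA root-anchors file. The dig-style answer line (with an illustrative TTL) is a constructed input assembled from the key printed on this page.

```python
import base64
import hashlib

# Root KSK as printed on this page, reassembled into one dig-style answer line.
ROOT_DNSKEY_LINE = (
    ". 172800 IN DNSKEY 257 3 8 "
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)

def owner_to_wire(name):
    """DNS wire form of an owner name; the root '.' is a single zero octet."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Accept a dig answer line or a bare 'flags proto alg base64' entry (as in named.conf)."""
    fields = line.replace('"', " ").replace(";", " ").split()
    owner = "."
    if "DNSKEY" in fields:
        owner, fields = fields[0], fields[fields.index("DNSKEY") + 1:]
    flags, proto, alg = (int(f) for f in fields[:3])
    key = base64.b64decode("".join(fields[3:]))  # whitespace between chunks is dropped
    return owner, flags.to_bytes(2, "big") + bytes([proto, alg]) + key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(line):
    """(key tag, algorithm, SHA-256 digest hex): the fields dnssec-dsfromkey -2 prints."""
    owner, rdata = parse_dnskey(line)
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest

def matches_trust_anchor(line, iana_ds):
    """True if the DNSKEY yields the IANA DS given as 'keytag alg digesttype digest'."""
    tag, alg, digest = ds_from_dnskey(line)
    f = iana_ds.split()
    return (int(f[0]), int(f[1]), int(f[2]), f[3].upper()) == (tag, alg, 2, digest)
```

A single altered character in the key material changes the digest, so a DS mismatch against the IANA file means the key in your configuration is not the root KSK.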