DNSSEC (RFC 4033, 6014 and 6840) is a great step towards global security on the Internet. Unfortunately, it has a huge practical drawback: you need to renew your zone's signatures every month or your domain won't resolve anymore (it used to happen to me every month).

Even though best practice advises signing your zone manually, Bind 9.9 brings the awesome inline signing, which lets named load or transfer an unsigned zone and maintain a signed version of it that answers all queries and transfer requests, without altering the original unsigned version. In other words, you won't have to worry about your zone signature expiring anymore. As good news always comes in pairs, FreeBSD 10 now provides Bind 9.9, which means nothing prevents you from implementing DNSSEC anymore.

If you're not using FreeBSD yet, please switch. It's cool and you won't have to fear systemd, journald, pulseaudio or anything coming from Lennart's twisted mind anymore.

First, install Bind 9.9. As you're running FreeBSD 10, I assume you're also using the wonderful pkg. If not, do so, or God will kill a unicorn. The fact that most people still use ports or pkg_add is the main reason why there are so few unicorns left today.

$ sudo pkg install dns/bind99

The Bind configuration is installed in /usr/local/etc/namedb/, which is where we're going to work from.

Create a master zone file for your domain name. Let's say we've just acquired pon.ey from the Ekraysia Internet Information Centre and want to configure it. Create a master/pon.ey.db file:

$TTL    3600
@       IN      SOA     ns1.pon.ey. root.pon.ey. (
                        2014072202      ; Serial
                        3600            ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
@       IN      NS      ns1.pon.ey.
@       IN      NS      ns6.gandi.net.
@       IN      A
@       IN      AAAA    2001:bc8:3342::1
        IN      MX  10  we.eat.pon.ey.
        IN      MX  20  new.dagobah.fv.gs.
ns1     IN      A
ns1     IN      AAAA    2001:bc8:3342::1
we.eat  IN      A
we.eat  IN      AAAA    2001:bc8:3342::1

Edit named.conf and activate DNSSEC inside the options { } section:

dnssec-enable yes;

Create a /usr/local/etc/namedb/keys directory to store all your keys. Go into the keys directory and generate two keys.

The first one is a Zone Signing Key (ZSK):

dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE pon.ey

The second one is a Key Signing Key (KSK):

dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE pon.ey

Append your newly generated keys to your zone file (still from within the keys directory):

for file in Kpon.ey*.key; do
  echo "\$INCLUDE /usr/local/etc/namedb/keys/${file}" >> ../master/pon.ey.db
done

Go back to the Bind configuration directory and edit the named.conf file to add your new zone:

zone "pon.ey" {
  type master;
  file "/usr/local/etc/namedb/master/pon.ey.db";
  allow-transfer { /* address of your secondary */ };
  key-directory "/usr/local/etc/namedb/keys";  // where auto-dnssec looks for the keys generated above
  auto-dnssec maintain;
  inline-signing yes;
};

That's where the magic happens. Reload your Bind configuration, and hurray: auto-maintained signed zones for the win.
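As an added example, not part of the original post, here is a small POSIX shell check for the failure the post opens with, a signature quietly expiring and the domain no longer resolving. It parses `dig +dnssec` answer lines and reports how many whole days remain on the RRSIGs covering a record set, so it can run from cron on the server and shout before validating resolvers start returning SERVFAIL. The dig output embedded in the script is constructed sample data (the key tags and signature bytes are made up), and the date arithmetic is done in the shell itself so the script runs unchanged on FreeBSD or GNU userland.

```shell
#!/bin/sh
# Added example, not from the original post: warn when the RRSIG covering a
# record set is close to expiry. Parses "dig +dnssec" answer lines; the
# sample below is constructed (fake key tags and signature data).

# Strip leading zeros so "08" is not read as octal by shell arithmetic.
dec() { n=${1#"${1%%[!0]*}"}; echo "${n:-0}"; }

# Days since 1970-01-01 for a proleptic Gregorian date, integer math only,
# so neither GNU nor BSD date(1) extensions are needed.
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2); convert one
# to seconds since the epoch.
rrsig_time_to_epoch() {
  t=$1
  y=$(dec "$(printf '%.4s' "$t")"); r=${t#????}
  mo=$(dec "$(printf '%.2s' "$r")"); r=${r#??}
  d=$(dec "$(printf '%.2s' "$r")"); r=${r#??}
  h=$(dec "$(printf '%.2s' "$r")"); r=${r#??}
  mi=$(dec "$(printf '%.2s' "$r")"); s=$(dec "${r#??}")
  echo $(( $(days_from_civil "$y" "$mo" "$d") * 86400 + h * 3600 + mi * 60 + s ))
}

# Print the smallest number of whole days left on any RRSIG covering type $2
# in the dig output $1, measured from $3 (YYYYMMDDHHMMSS UTC, default: now).
# Prints an empty line when the RRset carries no RRSIG at all.
# dig field layout: name ttl IN RRSIG type alg labels origttl expiration ...
rrsig_days_left() {
  now_epoch=$(rrsig_time_to_epoch "${3:-$(date -u +%Y%m%d%H%M%S)}")
  min=""
  for exp in $(printf '%s\n' "$1" | awk -v t="$2" '$4 == "RRSIG" && $5 == t { print $9 }'); do
    left=$(( ($(rrsig_time_to_epoch "$exp") - now_epoch) / 86400 ))
    if [ -z "$min" ] || [ "$left" -lt "$min" ]; then min=$left; fi
  done
  echo "$min"
}

# Exit 0 when every RRSIG covering $2 has more than $3 days left (default 7),
# 1 otherwise. A missing RRSIG is also a failure: once a DS is published at
# the parent, an unsigned answer is as dead as an expired one.
rrsig_check() {
  left=$(rrsig_days_left "$1" "$2" "$4")
  if [ -z "$left" ]; then echo "$2: no RRSIG found" >&2; return 1; fi
  if [ "$left" -le "${3:-7}" ]; then echo "$2: RRSIG expires in $left day(s)" >&2; return 1; fi
  echo "$2: RRSIG valid for $left more day(s)"
}

# Constructed sample of "dig +dnssec" answer lines for pon.ey (not real data):
# the ZSK (tag 31337) signs SOA and DNSKEY, the KSK (tag 4242) signs DNSKEY.
SAMPLE_DIG='pon.ey. 3600 IN SOA ns1.pon.ey. root.pon.ey. 2014072202 3600 86400 2419200 604800
pon.ey. 3600 IN RRSIG SOA 7 2 3600 20140821120000 20140722120000 31337 pon.ey. Zm9vYmFy
pon.ey. 3600 IN DNSKEY 256 3 7 AwEAAZm9vYmFy
pon.ey. 3600 IN RRSIG DNSKEY 7 2 3600 20140825120000 20140722120000 31337 pon.ey. Zm9vYmFy
pon.ey. 3600 IN RRSIG DNSKEY 7 2 3600 20140815120000 20140722120000 4242 pon.ey. YmFyYmF6'

# Stand-alone demo against the sample, pretending today is 2014-08-01.
for rrtype in SOA DNSKEY; do
  rrsig_check "$SAMPLE_DIG" "$rrtype" 7 20140801000000 || true
done
```

On a live server, feed it the real answer instead of the sample, for instance `rrsig_check "$(dig +dnssec +norecurse @127.0.0.1 SOA pon.ey)" SOA` and the same for DNSKEY, and let cron mail you when it exits non-zero. With inline signing the ZSK re-signs on its own, so a warning from this check means something outside the signer went wrong (named not running, keys not found in key-directory, a reload that never happened), which is exactly the case you want to hear about before the resolvers do.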
