DNSSEC - How to Sign your Zone

The first step in signing a DNS zone is to create two keys: a key signing key (KSK), which signs only the DNSKEY RRset and is the key the parent's DS record will point at, and a zone signing key (ZSK), which signs every other RRset in the zone. In the commands below, -f KSK sets the SEP flag that marks the KSK, -n ZONE makes each key a zone key, and -e selects the large RSA public exponent (65537).

dnssec-keygen -f KSK -a RSASHA1 -b 1024 -n ZONE nic.pr
dnssec-keygen -a RSASHA1 -b 1024 -e -n ZONE nic.pr

RSASHA1 with 1024-bit keys was the usual choice when this page was written. RSASHA1 is now NOT RECOMMENDED for signing (RFC 8624) and 1024-bit RSA is too short, so for a new zone use RSASHA256 with at least 2048 bits, or an elliptic-curve algorithm such as ECDSAP256SHA256 (-a ECDSAP256SHA256).

When each command finishes it prints the base name of the key it created:

Knic.pr.+005+56487
Knic.pr.+005+62648

Each key is written as two files. The public key, with the .key extension, holds the DNSKEY record and is the one included in the zone file. The private key, with the .private extension, is what dnssec-signzone signs with; it must never be published or left readable by other users. The base name encodes the zone, the algorithm number (005 is RSASHA1) and the key tag (56487 and 62648 above), which is also the number that RRSIG records carry to say which key produced a signature.

Here is a sample zone file, db.nic.pr, for the nic.pr zone. Names without a trailing dot are relative to the zone origin, so the name server in the SOA and NS records is written ns.nic.pr. with the dot:

$TTL 3600
@ IN SOA ns.nic.pr. root.nic.pr. (
	2002050501    ; serial number
	100           ; refresh interval
	200           ; retry interval
	604800        ; expire time
	100 )         ; minimum TTL (negative caching TTL, RFC 2308)

@	IN NS   ns.nic.pr.
ns     IN A    192.168.1.1
$INCLUDE Knic.pr.+005+62648.key    ; zone signing key
$INCLUDE Knic.pr.+005+56487.key    ; key signing key
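The key files produced above and the $include lines in the zone file can be checked mechanically. The following Python script is an added example, not code from this page or from BIND. It reads dnssec-keygen .key files, recomputes the key tag from the DNSKEY record (RFC 4034 Appendix B), confirms that the tag and the algorithm number match the file name, tells a KSK (SEP flag set, flags 257) from a ZSK (flags 256), and emits the $INCLUDE lines for the zone file in the order used above. The two key files embedded in it are constructed with four-byte placeholder key material (not real RSA keys) so that the tags, 2060 and 4115, can be checked by hand; the file names Knic.pr.+005+02060.key and Knic.pr.+005+04115.key follow from those placeholders and are not the page's keys.

```python
"""Check dnssec-keygen public key files against their file names and emit the
$INCLUDE lines for the zone (added example; not part of the page or of BIND).

File name layout: K<zone>+<alg>+<tag>.key, where <alg> is the DNSSEC algorithm
number and <tag> the RFC 4034 Appendix B key tag of the DNSKEY inside.
KSK = DNSKEY with the SEP bit (flags 257); ZSK = flags 256 (RFC 4034 s2.1.1).
"""
import base64
import re

FILENAME_RE = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")
ZONE_FLAG, SEP_FLAG = 0x0100, 0x0001  # DNSKEY flags bits 7 and 15


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF


def parse_key_file(text):
    """Return (owner, flags, protocol, algorithm, pubkey) from the DNSKEY line;
    the ';' comment lines dnssec-keygen writes are skipped."""
    for line in text.splitlines():
        tokens = line.split(";", 1)[0].split()
        if not tokens:
            continue
        # owner [ttl] [class] DNSKEY flags protocol algorithm base64...
        i = [t.upper() for t in tokens].index("DNSKEY")
        flags, proto, alg = (int(t) for t in tokens[i + 1 : i + 4])
        return tokens[0], flags, proto, alg, base64.b64decode("".join(tokens[i + 4 :]))
    raise ValueError("no DNSKEY record in key file")


def key_file_problems(filename, text):
    """List of mismatches between the file name and the key it holds (empty = ok)."""
    m = FILENAME_RE.match(filename)
    if not m:
        return [f"{filename}: not a dnssec-keygen key file name"]
    owner, flags, proto, alg, pubkey = parse_key_file(text)
    problems = []
    if owner.lower() != m["zone"].lower():
        problems.append(f"{filename}: owner {owner} is not zone {m['zone']}")
    if not flags & ZONE_FLAG:
        problems.append(f"{filename}: ZONE flag not set (flags={flags})")
    tag = key_tag(flags, proto, alg, pubkey)
    if (alg, tag) != (int(m["alg"]), int(m["tag"])):
        problems.append(f"{filename}: name says alg {int(m['alg'])} tag {int(m['tag'])}, "
                        f"DNSKEY has alg {alg} tag {tag}")
    return problems


def key_role(text):
    """'key signing key' if the SEP bit is set, else 'zone signing key'."""
    flags = parse_key_file(text)[1]
    return "key signing key" if flags & SEP_FLAG else "zone signing key"


def include_lines(key_files):
    """$INCLUDE lines for a {filename: contents} mapping, ZSKs first as on the page.
    Raises ValueError if any file name disagrees with its contents."""
    problems = [p for f, t in key_files.items() for p in key_file_problems(f, t)]
    if problems:
        raise ValueError("; ".join(problems))
    ordered = sorted(key_files, key=lambda f: key_role(key_files[f]) == "key signing key")
    return [f"$INCLUDE {f}    ; {key_role(key_files[f])}" for f in ordered]


# Constructed sample key files: 4-byte placeholder keys, NOT real RSA keys.
# Tags: KSK rdata 01 01 03 05 01 02 03 04 -> 2060, ZSK 01 00 03 05 05 06 07 08 -> 4115.
SAMPLE_KEYS = {
    "Knic.pr.+005+02060.key": "; This is a key-signing key, keyid 2060, for nic.pr.\n"
                              "nic.pr. IN DNSKEY 257 3 5 AQIDBA==\n",
    "Knic.pr.+005+04115.key": "; This is a zone-signing key, keyid 4115, for nic.pr.\n"
                              "nic.pr. IN DNSKEY 256 3 5 BQYHCA==\n",
}

if __name__ == "__main__":
    print("\n".join(include_lines(SAMPLE_KEYS)))
```

Run against the real key directory by reading each K*.key file into the mapping; a file that was renamed or whose DNSKEY was edited by hand is reported before it ever reaches the zone file.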

With the keys included in the zone file, we are ready to sign the zone with dnssec-signzone. It reads the matching .private files from the current directory (or the directory given with -K), and -o names the zone origin:

dnssec-signzone -o nic.pr db.nic.pr

The signed zone, db.nic.pr.signed, is the file that named.conf must now point at (file names in named.conf are quoted strings; recent BIND releases also accept the synonym primary for master):

zone "nic.pr" {
     type master;
     file "db.nic.pr.signed";
};

The signatures dnssec-signzone produces are valid for 30 days by default (the -s and -e options set the inception and expiration times), so the zone must be re-signed, and the .signed file reloaded, before they expire; an expired signature makes validating resolvers reject the whole zone as bogus.

Next, add the following to the options statement in named.conf. Modern BIND releases enable DNSSEC by default, and since BIND 9.16 dnssec-enable is deprecated and has no effect, so this step only matters on old servers:

options {
	...
	...	
        dnssec-enable yes;
};

To finish, check the signed file and then restart or reload the nameserver. named-checkzone nic.pr db.nic.pr.signed catches syntax errors before they take the server down, and where dnssec-verify is available, dnssec-verify -o nic.pr db.nic.pr.signed checks that every RRset is correctly signed. On a running server, rndc reload nic.pr picks up the new file without the restart below:

/etc/init.d/named restart

Resolvers still cannot validate the zone until the parent zone publishes a DS record for the KSK. dnssec-signzone writes the DS records for that purpose to dsset-nic.pr. next to the signed file; hand them to the parent through its normal delegation update process.
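Before loading the output of dnssec-signzone, a practitioner wants to confirm that it really is a fully signed zone. The Python script below is an added example, not part of this page or of BIND, and it does not replace dnssec-verify: it performs no cryptographic verification, only structural checks on the signed file. It checks that every RRset the zone is authoritative for has an RRSIG (glue below a delegation is exempt, DS records are not), that the DNSKEY RRset is signed by a key with the SEP flag (the KSK), that every RRSIG refers to a published key tag and names the zone as signer, and that every RRSIG is inside its validity window at a given time. The embedded zone is a constructed fragment in dnssec-signzone's layout with four-byte placeholder keys (tags 4115 and 2060) and placeholder signature data, with NSEC records left out; the parser assumes no $ORIGIN changes inside the file and no quoted rdata containing ';'.

```python
"""Structural checks on dnssec-signzone output (added example, not from the
page or from BIND).  No cryptographic verification is done; dnssec-verify does
that.  Assumes no $ORIGIN changes in the file and no ';' inside quoted rdata."""
import base64
from datetime import datetime, timezone

SEP_FLAG = 0x0001  # DNSKEY flags bit 15 (RFC 4034 s2.1.1): set on the KSK

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag (algorithms other than 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_zone(text, origin):
    """[(owner, TYPE, rdata_tokens)]: joins ( ) continuations, drops ; comments,
    and inherits an omitted owner from the previous record."""
    records, buf, depth, owner = [], [], 0, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        logical, buf = " ".join(buf), []
        if logical.startswith("$"):
            continue  # $TTL / $ORIGIN / $INCLUDE directives are not records
        tokens = logical.replace("(", " ").replace(")", " ").split()
        if not logical[0].isspace():  # an owner is present only in column 1
            name = tokens.pop(0).lower()
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)  # optional TTL and class, in either order
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records

def _ts(s):  # RRSIG time field YYYYMMDDHHMMSS -> aware UTC datetime
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_signed_zone(text, origin, now=None):
    """Problems found (empty = zone looks properly signed); `now` is a
    YYYYMMDDHHMMSS string or None for the current time."""
    origin = origin.lower().rstrip(".") + "."
    now = datetime.now(timezone.utc) if now is None else _ts(now)
    rrsets, rrsigs = {}, {}
    for owner, rrtype, rdata in parse_zone(text, origin):
        key = (owner, rdata[0].upper()) if rrtype == "RRSIG" else (owner, rrtype)
        (rrsigs if rrtype == "RRSIG" else rrsets).setdefault(key, []).append(rdata)
    problems = []
    # Names at or below a delegation are the child's to sign (glue), except DS.
    cuts = {o for o, t in rrsets if t == "NS" and o != origin}
    for owner, rrtype in rrsets:
        glue = any(owner == c or owner.endswith("." + c) for c in cuts) and rrtype != "DS"
        if not glue and (owner, rrtype) not in rrsigs:
            problems.append(f"{owner} {rrtype}: no RRSIG")
    keys = {}  # key tag -> True if the DNSKEY carries the SEP flag (is a KSK)
    for flags, proto, alg, *b64 in rrsets.get((origin, "DNSKEY"), []):
        tag = key_tag(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))
        keys[tag] = bool(int(flags) & SEP_FLAG)
    if not any(keys.values()):
        problems.append("DNSKEY RRset has no key with the SEP flag (no KSK)")
    for (owner, covered), sigs in rrsigs.items():
        for sig in sigs:  # covered alg labels origttl expiration inception tag signer sig
            expiration, inception, tag, signer = sig[4:8]
            where = f"{owner} RRSIG {covered} (tag {tag})"
            if signer.lower() != origin:
                problems.append(f"{where}: signer {signer} is not the zone")
            if int(tag) not in keys:
                problems.append(f"{where}: no such DNSKEY")
            if _ts(expiration) <= now:
                problems.append(f"{where}: expired {expiration}")
            if _ts(inception) > now:
                problems.append(f"{where}: not valid until {inception}")
    if not any(keys.get(int(s[6])) for s in rrsigs.get((origin, "DNSKEY"), [])):
        problems.append("DNSKEY RRset is not signed by a KSK")
    return problems

# Constructed fragment in dnssec-signzone layout: 4-byte placeholder keys
# (ZSK tag 4115, KSK tag 2060), placeholder signatures, NSEC records omitted.
SAMPLE_SIGNED = """\
$TTL 3600
nic.pr.                 3600    IN SOA  ns.nic.pr. root.nic.pr. 2002050501 100 200 604800 100
                        3600    RRSIG   SOA 5 2 3600 (
                                20100601000000 20100502000000 4115 nic.pr.
                                c2lnbmF0dXJl )
                        3600    DNSKEY  256 3 5 (
                                BQYHCA==
                                ) ; ZSK; alg = RSASHA1 ; key id = 4115
                        3600    DNSKEY  257 3 5 (
                                AQIDBA==
                                ) ; KSK; alg = RSASHA1 ; key id = 2060
                        3600    RRSIG   DNSKEY 5 2 3600 (
                                20100601000000 20100502000000 2060 nic.pr.
                                c2lnbmF0dXJl )
ns.nic.pr.              3600    IN A    192.168.1.1
                        3600    RRSIG   A 5 3 3600 (
                                20100601000000 20100502000000 4115 nic.pr.
                                c2lnbmF0dXJl )
"""

if __name__ == "__main__":  # evaluated at a date inside the signatures' window
    print(check_signed_zone(SAMPLE_SIGNED, "nic.pr", "20100515000000") or "zone looks properly signed")
```

For a real file, call check_signed_zone(open("db.nic.pr.signed").read(), "nic.pr") with no time argument; the expiry check is the one to wire into monitoring, since it is the failure mode that silently takes a signed zone offline a month after the last signing run.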


Gauss Research Laboratory, Inc.
© All Rights Reserved 1986 - 2010