One page howto for signing your DNS zone with DNSSEC

*** ON YOUR SERVER ***

1. Change to the directory where the zone resides.

   First, verify that DNSSEC is enabled in named.conf (inside the options block):

       dnssec-enable yes;

   Then go to where your zone is:

       # cd /etc/namedb/master

   ... there you should find the zone. If you do not have one, you can create one:

       # cp empty.db myzone.menog

2. Generate the first key pair (Zone Signing Key):

       # dnssec-keygen -a RSASHA1 -b 1024 -n ZONE myzone.menog
       Kmyzone.menog.+005+51333

3. Generate the second key pair (Key Signing Key):

       # dnssec-keygen -f KSK -a RSASHA1 -b 1280 -n ZONE myzone.menog
       Kmyzone.menog.+005+52159

   Let's look at the keys:

       # ls -l Kmyzone.menog.*
       -rw-r--r--  1 root  wheel   203 Feb 15 00:07 Kmyzone.menog.+005+51333.key
       -rw-------  1 root  wheel   937 Feb 15 00:07 Kmyzone.menog.+005+51333.private
       -rw-r--r--  1 root  wheel   247 Feb 15 00:07 Kmyzone.menog.+005+52159.key
       -rw-------  1 root  wheel  1125 Feb 15 00:07 Kmyzone.menog.+005+52159.private

   The .key files hold the public keys (these go into the zone); the .private files are the secret halves and must stay readable by root only.

4. Add the public keys to the end of the zone file:

       # vi myzone.menog
       ; Keys to be published in DNSKEY RRset - these are the PUBLIC keys!!!
       $INCLUDE "Kmyzone.menog.+005+51333.key" ; ZSK
       $INCLUDE "Kmyzone.menog.+005+52159.key" ; KSK

5. Sign the zone with the keys:

       # cd /etc/namedb/master
       # dnssec-signzone -g -o myzone.menog -k Kmyzone.menog.+005+52159 myzone.menog Kmyzone.menog.+005+51333

   The program will output:

       myzone.menog.signed

   The signed copy now sits next to the unsigned zone:

       # ls -l myzone.menog.*
       -rw-r--r--  1 root  wheel   292 Feb 15 00:08 myzone.menog
       -rw-r--r--  1 root  wheel  4294 Feb 15 00:20 myzone.menog.signed

6. At the end of /etc/namedb/named.conf, check that the zone is defined:

       zone "myzone.menog" {
           type master;
           file "master/myzone.menog.signed";   // change to the ".signed" copy!
       };

7. Reconfigure/restart your nameserver.

8. Upload the dsset for your zone (the file dsset-myzone.menog. written by dnssec-signzone -g; it contains the DS record, i.e. the hash of your KSK) to the AUTH:

       # scp dsset-myzone.menog. dnssec@10.10.1.203:

   The password is 'dnssec'!

9. Tell the instructor you have done so!
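The dsset file uploaded in step 8 is nothing more than the DS record(s) for the KSK: the key tag that appears in the file name (+005+52159), the algorithm number, a digest type, and a hash over the owner name plus the DNSKEY RDATA. The Python below is an added example, not part of the original howto and not BIND code, that derives a DS record from a DNSKEY line the way dnssec-signzone does. The DNSKEY it parses is a constructed placeholder (the base64 blob is not a real RSA key), so the resulting key tag and digest are illustrative only; with a real Kmyzone.menog.+005+52159.key as input it would reproduce the tag in the file name.

```python
import base64
import hashlib
import struct

# Constructed sample: a KSK-flagged DNSKEY in zone-file presentation format.
# The public key material is a placeholder blob (not a real RSA key); it is
# enough to show how the key tag and the DS digest are derived.
SAMPLE_DNSKEY = 'myzone.menog. IN DNSKEY 257 3 5 AwEAAQ== ; constructed KSK'

# DS digest types: 1 = SHA-1, 2 = SHA-256 (dnssec-signzone -g emits both).
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels."""
    labels = [lab for lab in name.lower().rstrip('.').split('.') if lab]
    wire = b''.join(struct.pack('B', len(lab)) + lab.encode('ascii') for lab in labels)
    return wire + b'\x00'


def parse_dnskey(line):
    """Parse 'owner [TTL] [IN] DNSKEY flags proto alg base64...' into (owner, flags, alg, rdata)."""
    text = line.split(';', 1)[0]            # drop a trailing comment
    fields = text.split()
    idx = fields.index('DNSKEY')
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode(''.join(fields[idx + 4:]))
    rdata = struct.pack('>HBB', flags, proto, alg) + pubkey
    return owner, flags, alg, rdata


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: the number dnssec-keygen puts in the file name."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even bytes are the high half of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(line):
    """The SEP bit (value 1 in the flags field) marks a key-signing key; 257 = zone key + SEP."""
    return parse_dnskey(line)[1] & 0x0001 == 1


def ds_record(line, digest_type=1):
    """DS record text for the given DNSKEY: digest is over wire owner name + DNSKEY RDATA."""
    owner, _flags, alg, rdata = parse_dnskey(line)
    digest = DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return '%s IN DS %d %d %d %s' % (owner, key_tag(rdata), alg, digest_type, digest)


if __name__ == '__main__':
    # Same two lines a dsset-myzone.menog. file would hold for this (placeholder) KSK.
    for dtype in (1, 2):
        print(ds_record(SAMPLE_DNSKEY, dtype))
```

Only KSK records (flags 257) belong in the dsset you hand to the parent; the ZSK (flags 256) is never published as a DS. Pasting the wrong key, or a DNSKEY line that was edited after signing, produces a DS that matches nothing in the child zone and the whole zone fails validation.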
*** ON THE RESOLVER (performed by the instructor) ***

The instructor will set up the AUTH to include your keys.

10. Grab the root key:

       # scp dnssec@10.10.1.203:rootkey /etc/namedb/rootkey
       # cat /etc/namedb/rootkey >> /etc/namedb/named.conf

    Check that validation is on in named.conf:

       options {
           ...
           dnssec-validation yes;
           ...
       };

    Make sure that "severity debug 3;" is in the dnssec channel definition:

       logging {
           ...
           channel dnssec {
               file "log/dnssec";
               severity debug 3;
           };
           ...
       };

    Restart named:

       # /etc/rc.d/named restart

    CHECK that named is running.

11. Query the resolver with the DNSSEC OK bit set:

       # dig @localhost +dnssec arabic.menog. soa

    A validated answer shows the ad (authentic data) flag in the ";; flags:" line of the header and carries an RRSIG next to the SOA; a SERVFAIL with an otherwise working resolver usually means validation failed, and the reason is in log/dnssec.
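Reading the dig output from step 11 by eye is easy to get wrong in a lab: the ad flag is what proves validation happened, while RRSIGs alone only prove the zone is signed. The Python below is an added example, not part of the original howto, that classifies a dig answer by status, header flags and RRSIG presence. The three dig transcripts embedded in it are constructed to look like what dig prints for this query; the SOA contents, RRSIG key tag 12345 and signature blob are placeholders, not real arabic.menog. data.

```python
import re

# Constructed sample transcripts in the shape dig prints for
# "dig @localhost +dnssec arabic.menog. soa". Record contents are placeholders.
SAMPLE_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;arabic.menog.              IN  SOA

;; ANSWER SECTION:
arabic.menog.   3600  IN  SOA    ns.arabic.menog. hostmaster.arabic.menog. 2008021501 3600 900 604800 3600
arabic.menog.   3600  IN  RRSIG  SOA 5 2 3600 20080316000000 20080215000000 12345 arabic.menog. cGxhY2Vob2xkZXI=
"""

# Same answer, but from a resolver that is not validating (no ad flag).
SAMPLE_SIGNED_NOT_VALIDATED = SAMPLE_VALIDATED.replace(';; flags: qr rd ra ad;', ';; flags: qr rd ra;')

# What a validating resolver returns when the chain of trust is broken.
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;arabic.menog.              IN  SOA
"""

STATUS_RE = re.compile(r'status: (\w+)')
# Only the ";;"-prefixed header line; the EDNS line ("; EDNS: ... flags: do")
# has a single ";" and must not be mistaken for the DNS header flags.
FLAGS_RE = re.compile(r'^;; flags: ([^;]*);', re.M)


def parse_dig(output):
    """Pull status, header flags and the number of RRSIG records out of dig output."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    rrsigs = 0
    for line in output.splitlines():
        if line.startswith(';'):
            continue                       # comments, question section
        fields = line.split()
        if len(fields) > 3 and fields[3] == 'RRSIG':
            rrsigs += 1
    return {
        'status': status.group(1) if status else None,
        'flags': set(flags.group(1).split()) if flags else set(),
        'rrsig_count': rrsigs,
    }


def validation_result(output):
    """Human-readable verdict on whether the resolver validated the answer."""
    info = parse_dig(output)
    if info['status'] == 'SERVFAIL':
        return 'SERVFAIL: validation failure or other error, check log/dnssec'
    if 'ad' in info['flags']:
        return 'validated'
    if info['rrsig_count']:
        return 'signed but not validated: resolver not validating or no trust anchor'
    return 'unsigned answer'


if __name__ == '__main__':
    for name, sample in (('validated', SAMPLE_VALIDATED),
                         ('not validating', SAMPLE_SIGNED_NOT_VALIDATED),
                         ('broken chain', SAMPLE_SERVFAIL)):
        print('%-15s -> %s' % (name, validation_result(sample)))
```

To use it against a live resolver, pipe the real dig output into parse_dig; the ad flag only appears if the resolver both has dnssec-validation yes and holds a trust anchor (the root key from step 10) that chains down to the zone.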