DNSSEC

The Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

DNSSEC functionality was added to BIND over time in a series of feature releases. The added functionality progressed from the generation of key pairs and the signing of zone files, through to automation of the signing process and key management. The following table shows which features were added in which versions.

Table 1: Recommended configurations for the various BIND feature releases.
BIND version	Recommended configuration
9.6	Automation of (re-)signing and key management on basis of scripts and cron jobs, using 'dnssec-keygen' and 'dnssec-signzone'
9.7-9.8	Automated (re-)signing by means of Auto-DNSSEC ('auto-dnssec maintain') Updates by means of Dynamic DNS ('nsupdate -l' and 'rndc sign') Automation of key management on the basis of scripts and cron jobs, using 'dnssec-keygen' and 'dnssec-keygen -S' (smart signing) from version 9.7.2
9.9-9.10	Automated (re-)signing by means of Auto-DNSSEC ('auto-dnssec maintain') in combination with inline signing ('inline-signing yes') Updates by means of 'rndc signing' Automation of key management on the basis of scripts and cron jobs, using 'dnssec-keygen -S' (smart signing)
9.11-9.14	Automated (re-)signing by means of Auto-DNSSEC ('auto-dnssec maintain') in combination with inline signing ('inline-signing yes') Updates by means of 'rndc signing' Automated key management by means of 'dnssec-keymgr' and policy file /etc/dnssec-policy.conf (and a final cron job)
9.15 and above	Automated (re-)signing by means of Auto-DNSSEC ('auto-dnssec maintain') [deprecated in favour of DNSSEC Policy], in combination with inline signing ('inline-signing yes') Updates by means of 'rndc signing' Fully automated key management by means of DNSSEC Policy

To get your version enter:

# named -v
BIND 9.16.23-RH (Extended Support Version) <id:fde3b1f>

Table 2: DNSSEC functionality in BIND.
BIND release	Feature	Configuration options and commands
9.15-9.16	DNSSEC Policy	dnssec-policy (in zone-configuration) dnssec-policy keys ksk zsk csk purge-keys publish-safety retire-safety nsec3param signatures-validity signatures-validity-dnskey signatures-refresh zone-max-ttl zone-propagation-delay dnskey-ttl parent-ds-ttl parent-registration-delay parent-propagation-delay parental-agents rndc dnssec -checkds rndc dnssec -status rndc dnssec -rollover

Table 2: DNSSEC functionality in BIND.

BIND release

Feature

Configuration options and commands

9.15-9.16

DNSSEC Policy

dnssec-policy (in zone-configuration)
dnssec-policy
	keys
		ksk
		zsk
		csk
	purge-keys
	publish-safety
	retire-safety
	nsec3param
	signatures-validity
	signatures-validity-dnskey
	signatures-refresh
	zone-max-ttl
	zone-propagation-delay
	dnskey-ttl
	parent-ds-ttl
	parent-registration-delay
	parent-propagation-delay
parental-agents
rndc dnssec -checkds
rndc dnssec -status
rndc dnssec -rollover

Rob's web

DNSSEC

Links