The Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
DNSSEC functionality was added to BIND over time in a series of feature releases. The added functionality progressed from the generation of key pairs and the signing of zone files, through to automation of the signing process and key management. The following table shows which features were added in which versions.
| BIND version | Recommended configuration |
|---|---|
| 9.6 | Automation of (re-)signing and key management on the basis of scripts and cron jobs, using `dnssec-keygen` and `dnssec-signzone` |
| 9.7-9.8 | Automated (re-)signing by means of Auto-DNSSEC (`auto-dnssec maintain`)<br>Updates by means of Dynamic DNS (`nsupdate -l` and `rndc sign`)<br>Automation of key management on the basis of scripts and cron jobs, using `dnssec-keygen` and, from version 9.7.2, `dnssec-keygen -S` (smart signing) |
| 9.9-9.10 | Automated (re-)signing by means of Auto-DNSSEC (`auto-dnssec maintain`) in combination with inline signing (`inline-signing yes`)<br>Updates by means of `rndc signing`<br>Automation of key management on the basis of scripts and cron jobs, using `dnssec-keygen -S` (smart signing) |
| 9.11-9.14 | Automated (re-)signing by means of Auto-DNSSEC (`auto-dnssec maintain`) in combination with inline signing (`inline-signing yes`)<br>Updates by means of `rndc signing`<br>Automated key management by means of `dnssec-keymgr` and the policy file `/etc/dnssec-policy.conf` (plus a final cron job) |
| 9.15 and above | Automated (re-)signing by means of Auto-DNSSEC (`auto-dnssec maintain`) [deprecated in favour of DNSSEC Policy], in combination with inline signing (`inline-signing yes`)<br>Updates by means of `rndc signing`<br>Fully automated key management by means of DNSSEC Policy |
To get your version, enter:

```
# named -v
BIND 9.16.23-RH (Extended Support Version) <id:fde3b1f>
```
| BIND release | Feature | Configuration options and commands |
|---|---|---|
| 9.15-9.16 | DNSSEC Policy | `dnssec-policy` (in the zone configuration)<br>`dnssec-policy` statement: `keys` (`ksk`, `zsk`, `csk`), `purge-keys`, `publish-safety`, `retire-safety`, `nsec3param`, `signatures-validity`, `signatures-validity-dnskey`, `signatures-refresh`, `zone-max-ttl`, `zone-propagation-delay`, `dnskey-ttl`, `parent-ds-ttl`, `parent-registration-delay`, `parent-propagation-delay`, `parental-agents`<br>Commands: `rndc dnssec -checkds`, `rndc dnssec -status`, `rndc dnssec -rollover` |
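The following `named.conf` fragment is an added example, not taken from the original page or from ISC's documentation, showing how the DNSSEC Policy options listed above fit together for a BIND 9.16 zone. The policy name, zone name, file paths, key lifetimes and timing values are assumptions chosen for illustration; the option names are the 9.16 `dnssec-policy` keywords (note that 9.16 spells the zone TTL cap `max-zone-ttl`).

```conf
// Added example (not from the page): a split-key dnssec-policy for BIND 9.16.
// All names, paths and durations below are assumptions, not values from the page.
dnssec-policy "example-policy" {
    // One KSK and one ZSK; a single "csk" line would replace both.
    // Algorithm 13 is ECDSAP256SHA256; lifetimes are ISO 8601 durations.
    keys {
        ksk key-directory lifetime P1Y  algorithm 13;
        zsk key-directory lifetime P60D algorithm 13;
    };

    // TTLs and propagation delays that named uses to compute safe rollover timing
    dnskey-ttl 3600;
    max-zone-ttl 86400;
    zone-propagation-delay PT5M;
    parent-ds-ttl 3600;
    parent-propagation-delay PT1H;

    // Extra margin added before a new key is trusted / an old key is withdrawn
    publish-safety PT1H;
    retire-safety PT1H;

    // Signatures live 14 days and are regenerated 5 days before they expire
    signatures-validity P14D;
    signatures-validity-dnskey P14D;
    signatures-refresh P5D;
};

zone "example.com" {
    type primary;
    file "/var/named/db.example.com";       // unsigned zone file (assumed path)
    key-directory "/var/named/keys";        // where named creates and stores keys
    dnssec-policy "example-policy";         // attach the policy defined above
    inline-signing yes;                     // sign a separate copy, keep the file unsigned
};
```

After `rndc reconfig`, named generates the keys itself, signs the zone and schedules the rollovers; `rndc dnssec -status example.com` shows the state each key is in, and the DS for the KSK still has to be submitted to the parent zone before the first rollover can complete.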