Rob's web

DNSSEC

The Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

DNSSEC functionality was added to BIND over time in a series of feature releases. The added functionality progressed from the generation of key pairs and the signing of zone files, through to automation of the signing process and key management. The following table shows which features were added in which versions.

Table 1: Recommended configurations for the various BIND feature releases.

BIND version    Recommended configuration

9.6             Automation of (re-)signing and key management by means of scripts and cron jobs, using 'dnssec-keygen' and 'dnssec-signzone'

9.7-9.8         Automated (re-)signing by means of Auto-DNSSEC ('auto-dnssec maintain')
                Updates by means of Dynamic DNS ('nsupdate -l' and 'rndc sign')
                Automation of key management by means of scripts and cron jobs, using 'dnssec-keygen' and, from version 9.7.2, 'dnssec-keygen -S' (generation of an explicit successor key for a rollover; 'smart signing' itself is 'dnssec-signzone -S')

9.9-9.10        Automated (re-)signing by means of Auto-DNSSEC ('auto-dnssec maintain') in combination with inline signing ('inline-signing yes')
                Updates by means of 'rndc signing'
                Automation of key management by means of scripts and cron jobs, using 'dnssec-keygen -S' (successor keys)

9.11-9.14       Automated (re-)signing by means of Auto-DNSSEC ('auto-dnssec maintain') in combination with inline signing ('inline-signing yes')
                Updates by means of 'rndc signing'
                Automated key management by means of 'dnssec-keymgr' and the policy file /etc/dnssec-policy.conf (plus a single cron job that runs 'dnssec-keymgr' periodically)

9.15 and above  Automated (re-)signing by means of Auto-DNSSEC ('auto-dnssec maintain') [deprecated in favour of DNSSEC Policy], in combination with inline signing ('inline-signing yes')
                Updates by means of 'rndc signing'
                Fully automated key management by means of DNSSEC Policy ('dnssec-policy'; 9.15 was the development series that became the stable 9.16 branch)

To see which version you are running, enter ('named -V' additionally prints the build options):

# named -v
BIND 9.16.23-RH (Extended Support Version) <id:fde3b1f>
Table 2: DNSSEC functionality in BIND.

BIND release: 9.15-9.16
Feature: DNSSEC Policy
Configuration options and commands:
	dnssec-policy (in the zone configuration, referencing a policy by name or the built-in 'default')
	dnssec-policy (top-level policy definition)
		keys
			ksk
			zsk
			csk
		purge-keys
		publish-safety
		retire-safety
		nsec3param
		signatures-validity
		signatures-validity-dnskey
		signatures-refresh
		max-zone-ttl
		zone-propagation-delay
		dnskey-ttl
		parent-ds-ttl
		parent-registration-delay
		parent-propagation-delay
	parental-agents (in the zone configuration)
	rndc dnssec -checkds
	rndc dnssec -status
	rndc dnssec -rollover
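The following named.conf fragment is an added example, not taken from this page or from ISC's documentation: it puts the "9.15 and above" row of Table 1 together with the dnssec-policy options listed in Table 2 into one working configuration. The policy name, zone name, file paths, key lifetimes, TTLs, delays and the parental agent address are illustrative assumptions and must be replaced with values that fit your zone and your parent's behaviour.

```conf
// Added example: a dnssec-policy definition plus a zone that uses it.
// Policy name, zone name, paths, lifetimes, TTLs and the parental
// agent address are illustrative assumptions, not values from the page.

dnssec-policy "example-policy" {
	// Separate KSK and ZSK; a single 'csk' entry is the simpler alternative.
	keys {
		ksk key-directory lifetime P1Y  algorithm ecdsap256sha256;
		zsk key-directory lifetime P90D algorithm ecdsap256sha256;
	};

	// TTL of the DNSKEY RRset and the largest TTL in the zone: both feed
	// the rollover timing (how long an old key must stay published).
	dnskey-ttl 3600;
	max-zone-ttl 86400;

	// Safety margins added to the computed publish and retire intervals.
	publish-safety PT1H;
	retire-safety PT1H;

	// How long the key files of retired keys are kept before deletion.
	purge-keys P90D;

	// RRSIG lifetimes; refresh must be well inside validity so that
	// signatures are renewed long before they expire.
	signatures-validity P14D;
	signatures-validity-dnskey P14D;
	signatures-refresh P5D;

	// Propagation delays: how long secondaries and the parent's
	// nameservers need before a change is visible everywhere.
	zone-propagation-delay PT5M;
	parent-ds-ttl 3600;
	parent-propagation-delay PT1H;

	// NSEC3 with zero extra iterations and no opt-out; additional
	// iterations cost resolvers CPU without adding security.
	nsec3param iterations 0 optout no salt-length 0;
};

zone "example.com" {
	type primary;
	file "/var/named/example.com.zone";
	key-directory "/var/named/keys";

	// Reference the policy by name; inline signing leaves the unsigned
	// zone file untouched and maintains a signed copy next to it.
	dnssec-policy "example-policy";
	inline-signing yes;

	// Nameserver(s) of the parent zone that named queries to learn
	// whether the DS record for a new KSK has been published.
	parental-agents { 192.0.2.53; };
};
```

Validate with 'named-checkconf' before reloading, then 'rndc reconfig'. Once the zone is signed, 'rndc dnssec -status example.com' shows the state of every key and when the next rollover is due. Publishing the DS record at the parent (normally through the registrar) is the one step named cannot do for you; if you do not configure 'parental-agents', tell named yourself with 'rndc dnssec -checkds published example.com' after the DS is live, otherwise the KSK rollover never completes. To force a rollover ahead of schedule use 'rndc dnssec -rollover -key <keyid> example.com', with the key id taken from the status output.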

Links