Update December 2022: added “inline-signing yes;” to the zone statement as BIND 9.16.33, 9.18.7 and newer requires an explicit statement for zones without a configured ‘allow-update’ or ‘update-policy’ (see KB).

BIND 9.16 has improved DNSSEC support to the point where it can (finally) be called simple to use. This is excellent news for DNS administrators because it means there are now several options (viable alternatives being Knot DNS or PowerDNS) which make DNSSEC simple to deploy.

Six years ago we wrote a blog post about BIND 9.9 and its new in-line signing support. This article got a lot of views but at some point we had to put a warning message on the blog post stating vaguely that we would not recommend the method described anymore. The main reason was that DNSSEC with BIND 9.9 still contained many manual steps which could not be configured in named.conf. Especially key roll-overs caused headaches for administrators. If you cannot upgrade to BIND 9.16 the old blog post might still be useful. But in this case, we recommend to omit key roll-overs altogether.

However, now that we have BIND 9.16, you can just make some configuration changes to named.conf and it’s all done. Now let’s take a closer look on how you can enable DNSSEC for your domain name.

OS Setup

We used Debian 10 (aka buster) which comes with BIND 9.11 at the time of writing. We used the BIND9 packages provided by ISC, who offer BIND 9.16 in the “BIND 9 Stable” repository. Please head over to ISC Packages for BIND 9 for instructions on how to use the ISC packages directly.

Once you have added the ISC BIND 9 Stable repository we install bind9, bind9 utils and the bind documentation:

apt-get install bind9 bind9-dnsutils bind9-doc

You have now a running bind9 instance. You can check its running state with systemctl:

systemctl status bind9

Continue reading “DNSSEC signing your domain with BIND 9.16”