DNSSEC

From MattWiki
Note: This page was written with Ubuntu 16.04 LTS in mind, and may not work correctly with other versions or distributions.


The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

Overview

DNSSEC Resource Records

A Resource Record (RR) contains specific information about a domain. Some common ones are the A record, which contains the IPv4 address of the domain; the AAAA record, which holds the IPv6 address; and the MX record, which lists the mail servers of a domain. A complete list of DNS RRs can be found on Wikipedia.

DNSSEC adds several RRs of its own:

  • DNSKEY – holds the public key that resolvers use to verify signatures.
  • RRSIG – exists for each signed RR set and contains the digital signature over those records.
  • DS (Delegation Signer) – this record lives in the parent zone's nameservers, which for a second-level domain means the TLD. So if example.com was your domain name, the TLD is "com" and its nameservers are a.gtld-servers.net., b.gtld-servers.net. up to m.gtld-servers.net.. The purpose of this record is to verify the authenticity of the DNSKEY itself: it carries a hash of the child's DNSKEY, so a resolver that already trusts the parent can confirm it has the right key for the child.
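The DS/DNSKEY link described above, as an added example that is not part of the original page: it derives the DS record (key tag and SHA-256 digest) from a DNSKEY and checks whether a DS published in the parent zone actually covers the child's key. The DNSKEY below is a constructed stand-in, not a real key, and the function names are the example's own.

```python
# Added example (not from the page): derive a DS record from a DNSKEY and check that a
# DS in the parent zone really covers the child's DNSKEY (RFC 4034 key tag, RFC 4509 SHA-256).
import base64
import hashlib
import struct

def wire_name(owner: str) -> bytes:
    """Owner name in DNS wire format: length-prefixed lowercase labels, root label as 0x00."""
    labels = [l for l in owner.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA, even bytes high, odd bytes low."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i % 2 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over (owner name in wire format || DNSKEY RDATA), as hex."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()

def ds_matches_dnskey(owner: str, dnskey: tuple, ds: tuple) -> bool:
    """dnskey = (flags, protocol, algorithm, key_b64); ds = (key_tag, algorithm, digest_type, hex).
    Only digest type 2 is handled; anything else fails closed rather than being treated as valid."""
    flags, protocol, algorithm, key_b64 = dnskey
    ds_tag, ds_alg, ds_type, ds_hex = ds
    if ds_type != 2 or ds_alg != algorithm or protocol != 3:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return key_tag(rdata) == ds_tag and ds_digest_sha256(owner, rdata) == ds_hex.upper()

# Constructed sample: a 2-byte stand-in "public key" (real RSA keys are far longer); 257 = KSK flags.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = (257, 3, 8, "AQI=")
SAMPLE_RDATA = dnskey_rdata(*SAMPLE_DNSKEY)
SAMPLE_DS = (key_tag(SAMPLE_RDATA), 8, 2, ds_digest_sha256(SAMPLE_OWNER, SAMPLE_RDATA))

if __name__ == "__main__":
    print(f"{SAMPLE_OWNER} IN DS {SAMPLE_DS[0]} {SAMPLE_DS[1]} {SAMPLE_DS[2]} {SAMPLE_DS[3]}")
    print("parent DS covers child DNSKEY:", ds_matches_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY, SAMPLE_DS))
```

Feeding it the DNSKEY and DS returned by `dig` for a real zone reproduces the check a validating resolver performs at the delegation point; a mismatch in key tag, owner name or digest means the parent is not vouching for that key.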

Implementing DNSSEC on an Authoritative BIND DNS Server

Installing needed software

First start by installing the needed software on your main DNS Server.

apt install bind9 haveged

Testing Tools

DNS Tests

DNSSEC Tests

Other Resources