
How to add DNSSEC Records in Bind/Named – Linux/CWP/Centos

In this tutorial I’m going to show you how to generate DNSSEC keys and enable DNSSEC for a domain served by BIND (named). This has been the most requested topic from visitors.

DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in the DNS name servers alongside common record types like A, AAAA, MX, CNAME, etc. By checking the associated signature, a resolver can verify that a requested DNS record comes from its authoritative name server and wasn’t altered en route, as opposed to a fake record injected in a man-in-the-middle attack.

First, install haveged to provide enough entropy for key generation:

yum install -y haveged
systemctl enable haveged

In the command examples below, replace “domain.tld” with your domain name.

Second, change to the /var/named directory:

cd /var/named/

Third, generate the ZSK (zone-signing key):

dnssec-keygen -L 3600 -a RSASHA256 -b 2048 -r /dev/urandom domain.tld

Fourth, generate the KSK (key-signing key):

dnssec-keygen -L 3600 -r /dev/urandom -f KSK -a RSASHA256 -b 4096 domain.tld

Fifth, append the public keys (the .key files) to the domain’s zone file:

cat /var/named/Kdomain.tld.+008+*.key >> /var/named/domain.tld.db

Sixth, sign the zone file (the random string passed to -3 is the NSEC3 salt):

dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.db

Seventh, edit the named configuration file /etc/named.conf and add this line:

dnssec-lookaside auto;

Find the lines dnssec-enable yes; and dnssec-validation yes; and add dnssec-lookaside auto; right after them.

Now edit the zone definition for the domain in /etc/named.conf so that it points at the signed zone file. Before:

// zone domain.tld
zone "domain.tld" {type master; file "/var/named/domain.tld.db";};
// zone_end domain.tld

After:

// zone domain.tld
zone "domain.tld" {type master; file "/var/named/domain.tld.db.signed";};
// zone_end domain.tld

Finally, reload (or restart) the named service on CentOS/EL/RHEL:

service named reload
systemctl reload named

and you’re done.
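The tutorial stops at the signed zone, but a DNSSEC chain of trust only validates once the DS record for the KSK is published in the parent zone (at the registrar). BIND’s dnssec-dsfromkey computes it, and dnssec-signzone also writes a dsset-domain.tld. file; the Python below is an added example, not part of this tutorial, that reproduces that computation from a .key file like the one step 4 creates, so you can see what the NNNNN in Kdomain.tld.+008+NNNNN.key means (the key tag) and cross-check a dsset file. The .key file content is constructed and its key material is a short placeholder, not a real RSA key.

```python
import base64
import hashlib

# Constructed sample of a K<zone>.+008+NNNNN.key file as dnssec-keygen writes it
# (comment header, then the DNSKEY record). Placeholder key material, not a
# real 4096-bit RSA key; the key tag in the header matches what key_tag() yields.
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 45784, for domain.tld.
domain.tld. IN DNSKEY 257 3 8 AwEAAavN
"""

def wire_name(name):
    """Owner name in DNS wire format (RFC 1035 labels), as hashed into the DS."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the NNNNN in the .key/.private file name)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg key...' presentation form."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    return fields[0], flags, proto, alg, "".join(fields[idx + 4:])

def ds_records(key_file_text):
    """DS records (digest type 2, SHA-256) for every KSK in a .key file."""
    records = []
    for line in key_file_text.splitlines():
        if line.startswith(";") or "DNSKEY" not in line:
            continue
        owner, flags, proto, alg, pubkey_b64 = parse_dnskey(line)
        if not flags & 1:  # SEP bit clear: this is a ZSK, no DS is published for it
            continue
        rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
        digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
        records.append(f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}")
    return records

if __name__ == "__main__":
    print("\n".join(ds_records(SAMPLE_KEY_FILE)))
```

Feed it the real Kdomain.tld.+008+NNNNN.key from step 4 and the output should match the dsset-domain.tld. file written by dnssec-signzone; that DS line is what goes to the registrar.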

Sandeep B.

I'm a system admin and PHP developer, currently working as a System Admin at CWP Control Panel, with expertise in Linux and Windows administration; RHEL certified admin.

  1. If I have a DNS cluster with a DNS Slave manager and two additional slave DNS servers, just like referenced here:
    Do I then only have to add dnssec-lookaside auto; to /etc/named.conf, or do I have to install everything in this article, per your description, on both slave DNS servers?

    With only doing what you mentioned in your article, and implementing it for one domain.tld on a web server, I can see on the slave DNS server that /var/named/slave/db.domain.tld is updated to DNSSEC.
    Should I still follow the instructions above on the DNS servers, or is it ready to go as is? Do only web servers need to run the installation for DNSSEC, per each domain that needs DNSSEC?
    Thanks for all your documentation!

    1. I did NOT copy the key/private files to my slave DNS server. I turned on the dnssec-enabled, dnssec-validation and dnssec-lookaside configuration in my slave DNS server… DNSSEC appears to be enabled successfully on my servers, so I suppose this is the correct configuration, but I’m not sure 🙁 I wish to know the answer to your question as well. Can anyone answer this? In the meantime, you can verify your DNSSEC with these tools: https://dnssec-debugger.verisignlabs.com/ and http://dnsviz.net/d/

  2. [root@scwp01 ~]# cd /var/named/
    [root@serv001 named]# dnssec-keygen -a RSASHA256 -b 2048 -r /dev/urandom mysterydata.com
    Generating key pair……………+++++ ……………….+++++
    [root@scwp01 named]# dnssec-keygen -r /dev/urandom -f KSK -a RSASHA256 -b 4096 mysterydata.com
    Generating key pair………………………………………………………………………………………………………………++++ ….++++
    [root@scwp01 named]# cat Kmysterydata.com.+008+*.key >> /var/named/mysterydata.com
    [root@scwp01 named]# dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o mysterydata.com -t mysterydata.com
    dnssec-signzone: warning: mysterydata.com:5: no TTL specified; zone rejected
    dnssec-signzone: fatal: failed loading zone from ‘mysterydata.com’: no ttl
    [root@scwp01 named]#

  3. The private keys must also be copied to /var/named/, otherwise you get the error: DNSKEY is not signed (keys offline or inactive?)

  4. Hello Sandeep, is there a possibility to implement this on Rocky Linux or CentOS 8? There are several error messages and BIND cannot be restarted afterwards.

    1. Hello, I didn’t understand what you meant by “several error messages and BIND cannot be restarted afterwards”. Any error message?

      This tutorial works fine on el7 and el8.

  5. Hi, thanks for the tutorial.
    Does this only work if I use CWP as my DNS / zone manager?
    I use my domain registrar’s site to manage DNS and add the entries there, because I don’t want to open port 53 on my server.

    Will this still work if I add the new entries on my registrar’s site?
