How to Configure DNSSEC for Your Domain
DNSSEC (Domain Name System Security Extensions) adds a layer of authentication to DNS responses by digitally signing records. This prevents attackers from poisoning DNS caches or performing man-in-the-middle attacks that redirect your visitors to malicious servers. Setting up DNSSEC on your Breeze ensures that DNS responses for your domain can be cryptographically verified.
How DNSSEC Works
DNSSEC uses a chain of trust built on public-key cryptography. Each DNS zone has a key-signing key (KSK) and a zone-signing key (ZSK). The ZSK signs individual DNS records, creating RRSIG records. The KSK signs the DNSKEY record set, and a hash of the KSK (the DS record) is published in the parent zone. Resolvers walk this chain from the root zone down to your domain to verify authenticity.
Prerequisites
- A Breeze running BIND 9.9+ as an authoritative DNS server
- Access to your domain registrar to publish DS records
- A working zone file for your domain
Generating DNSSEC Keys
Generate both the KSK and ZSK for your domain:
# Generate Zone Signing Key (ZSK)
cd /etc/bind/keys
dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com
# Generate Key Signing Key (KSK)
dnssec-keygen -a ECDSAP256SHA256 -n ZONE -f KSK example.com
This creates four files: two .key (public) and two .private files, written to the directory you changed into (/etc/bind/keys). Keep them in a directory readable by BIND and restrict the .private files to the BIND user.
Signing Your Zone
Include the public keys in your zone file and sign it:
# Add key includes to your zone file
$INCLUDE "/etc/bind/keys/Kexample.com.+013+12345.key"
$INCLUDE "/etc/bind/keys/Kexample.com.+013+67890.key"
# Sign the zone
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) \
-N INCREMENT -o example.com -t db.example.com
This produces a signed zone file db.example.com.signed and a dsset-example.com. file containing the DS record.
Updating BIND Configuration
Point BIND to the signed zone file:
zone "example.com" {
    type master;
    // Serve the zone signed by dnssec-signzone above
    file "/etc/bind/zones/db.example.com.signed";
    // Directory holding the Kexample.com.+013+*.key / .private files
    key-directory "/etc/bind/keys";
    // Alternative: let BIND sign and re-sign the zone itself. Enable these two
    // directives only with "file" pointing at the UNSIGNED zone; BIND then
    // writes db.example.com.signed on its own (pointing "file" at the already
    // signed copy would make BIND sign it a second time).
    // auto-dnssec maintain;
    // inline-signing yes;
};
Publishing DS Records
The DS record must be added at your domain registrar. Extract it from the dsset file:
cat dsset-example.com.
# Output: example.com. IN DS 12345 13 2 ABCDEF123456...
Copy the four DS fields, key tag (12345), algorithm (13), digest type (2) and digest, into your registrar's DNSSEC settings panel. Propagation can take up to 48 hours.
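Before pasting the DS record into the registrar panel, and again later to confirm that what the registrar publishes still matches your KSK, it helps to derive the DS yourself. The following Python example is added here and is not part of the original article or of BIND: it computes the RFC 4034 key tag and the SHA-256 (digest type 2) DS digest from a DNSKEY line in the presentation format dig prints, and compares a published DS line against it. The DNSKEY value is a constructed 64-byte placeholder, not a real key, and the function names (name_to_wire, parse_dnskey, key_tag, ds_record, ds_matches) are this example's own.

```python
"""Derive and check a DS record for a DNSKEY (RFC 4034 key tag, RFC 4509 SHA-256 digest)."""
import base64
import hashlib

# Constructed sample: a 64-byte "public key" consisting of bytes 0x00..0x3F. Not a real key;
# algorithm 13 (ECDSAP256SHA256) keys are 64 bytes, which is why that length is used.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEY = f"example.com. 3600 IN DNSKEY 257 3 13 {SAMPLE_KEY_B64}"  # 257 = KSK flags


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed lowercase labels, root label = 0x00."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY line (TTL and class optional) into its fields."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    key_bytes = base64.b64decode("".join(tokens[idx + 4:]))  # base64 may be split by whitespace
    return owner, flags, protocol, algorithm, key_bytes


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_bytes: bytes) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key_bytes


def key_tag(flags: int, protocol: int, algorithm: int, key_bytes: bytes) -> int:
    """RFC 4034 Appendix B key tag: ones-complement-style 16-bit sum over the RDATA."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, key_bytes)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(dnskey_line: str) -> str:
    """Build the DS record (digest type 2 = SHA-256 over owner name + RDATA) for a DNSKEY line."""
    owner, flags, protocol, algorithm, key_bytes = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, protocol, algorithm, key_bytes)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(flags, protocol, algorithm, key_bytes)} {algorithm} 2 {digest}"


def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """True if a published DS line (registrar panel, dsset file or 'dig DS') matches the DNSKEY."""
    t = ds_line.split()
    i = t.index("DS")
    published = (t[0].lower(), int(t[i + 1]), int(t[i + 2]), int(t[i + 3]), "".join(t[i + 4:]).upper())
    e = ds_record(dnskey_line).split()  # owner IN DS tag alg dtype digest
    expected = (e[0].lower(), int(e[3]), int(e[4]), int(e[5]), e[6])
    return published == expected


if __name__ == "__main__":
    ds = ds_record(SAMPLE_DNSKEY)
    print(ds)
    print("matches:", ds_matches(ds, SAMPLE_DNSKEY))
```

In practice you would feed ds_record the KSK line from dig DNSKEY example.com (the one with flags 257) and ds_matches the DS line your registrar shows, so that a mismatch, which would break validation for the whole zone, is caught before propagation.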
Verifying DNSSEC
- Use dig +dnssec example.com to check for RRSIG records in the response
- Look for the ad (authenticated data) flag in the response header; it is set only when the answering resolver performed validation
- Use online tools like DNSViz to visualize your DNSSEC chain of trust
- Run delv example.com for detailed validation output
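The first two checks above can be scripted against saved dig output. The following Python example is added here and is not part of the original article or of BIND: it parses the header flags and the ANSWER SECTION of a dig +dnssec response, reports whether RRSIG records are present and whether the ad flag was set, and distinguishes the failure mode where signatures exist but the resolver did not validate. The two dig outputs are constructed samples (including the key tag and signature), not captured from a real server, and the function names (parse_flags, answer_records, check_response) are this example's own.

```python
"""Quick checks on a 'dig +dnssec' answer: are there RRSIG records, and did the resolver set 'ad'?"""
import re

# Constructed sample output of "dig +dnssec example.com" (abridged); not captured from a real server.
SAMPLE_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.10
example.com.\t3600\tIN\tRRSIG\tA 13 2 3600 20300101000000 20250101000000 59409 example.com. c29tZS1zaWc=

;; Query time: 12 msec
"""

# The same answer as returned by a resolver that does not validate: signatures present, but no 'ad'.
SAMPLE_UNVALIDATED = SAMPLE_VALIDATED.replace("qr rd ra ad;", "qr rd ra;")


def parse_flags(output: str) -> set:
    """Return the header flags (qr, rd, ra, ad, ...) as a set of strings; empty if no header found."""
    m = re.search(r"^;; flags: ([^;]*);", output, re.M)
    return set(m.group(1).split()) if m else set()


def answer_records(output: str) -> list:
    """Return the ANSWER SECTION records, each split into whitespace-separated tokens."""
    records, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";;"):
                break  # end of the section
            records.append(line.split())
    return records


def check_response(output: str) -> dict:
    """Summarise the DNSSEC-relevant parts of one dig response."""
    rrsigs = [r for r in answer_records(output) if len(r) > 3 and r[3] == "RRSIG"]
    # RRSIG RDATA tokens after the type: covered alg labels orig_ttl expiration inception key_tag signer sig
    return {
        "ad": "ad" in parse_flags(output),
        "rrsig_count": len(rrsigs),
        "key_tag": int(rrsigs[0][10]) if rrsigs else None,
        "signer": rrsigs[0][11] if rrsigs else None,
    }


if __name__ == "__main__":
    print("validating resolver:    ", check_response(SAMPLE_VALIDATED))
    print("non-validating resolver:", check_response(SAMPLE_UNVALIDATED))
```

A result with rrsig_count greater than zero but ad set to False usually means the zone is signed correctly but the query went to a resolver that does not validate; repeat the query against a validating resolver before concluding that the chain of trust is broken.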
Key Rollover
DNSSEC keys should be rotated periodically. ZSK rollovers are simpler since no DS record update is needed at the registrar. KSK rollovers require updating the DS record and should be done using the double-signature method to avoid validation failures during propagation. Automate rollovers with BIND's auto-dnssec maintain directive where possible.