DNSSEC Setup

It is usually simple to set up a caching DNS server to support the DNSSEC protocol, whether at a provider or within an enterprise. You only need to enable support for the protocol and load a list of trusted keys into the BIND configuration file.

However, the root DNS servers do not support DNSSEC yet. There are some pilot projects, such as www.rs.net, which host signed copies of the root zone. Therefore you have to add the keys of each top-level domain separately. The following domains currently support DNSSEC and publish their keys: NL, SE, MX, some second-level UK domains, the world-popular COM, NET and ORG domains, and the reverse-lookup domains of the RIPE region.

There is another approach to validating DNS responses, called look-aside validation (DLV). Validation runs outside the domain hierarchy, although the administrator of any domain can add information to the DLV system. BIND 9 also supports this method.

The RU domain currently uses a DNSSEC scheme similar to the VeriSign pilot project: the signed domain is stored on a separate server and listed as a forward zone in the configuration file of your DNS server.

Let us consider the setup procedure for the commonly used BIND DNS server. You need BIND version 9.3 or higher built with SSL support. Add the following to the bind.conf configuration file:

options {
    dnssec-enable yes;    // turn on DNSSEC processing in the resolver
};

// the signed copy of "ru." lives on a separate server, so forward to it
zone "ru." {
    type forward;
    forwarders { 195.24.65.7; };
};

// trust anchor for "ru.": flags 257 (KSK), protocol 3, algorithm 5, base64 public key
trusted-keys {
    "ru." 257 3 5
    "AQPFTcrI419hTu06QuPs95t9e8rirIvmpNtqLRDKTu28iPv4xbNxKLbE
    uVlsjhfaSPqmqKnNmb7WeexloTCVbJe1jYf8g0c1Crec8TvglLq/PB/J
    CxD3aD2pmlBx6sOCiSXR3VpjvqMUzENl/PajSFpKnPs3dLAwrDrkqwSI
    M/ORZw==";
};

After saving your changes, restart named.

Warning: the public key listed in trusted-keys changes every year!

If you did everything correctly, a DNS test with the dig command should report that the ad flag is set when resolving the ns.dnssec.ru domain name:

> dig @127.0.0.1 ns.dnssec.ru +retry=1 +dnssec +multiline

; <<>> DiG 9.3.0beta3 <<>> @127.0.0.1 +retry=1 +dnssec +multiline
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50414
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5
                   ^^ this flag (ad) indicates that a secure (validated) DNS response has been received.
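As an added example, not part of the original page, the following Python script automates the two checks the procedure above depends on: it parses a trusted-keys entry of the shape used in bind.conf and computes its RFC 4034 key tag, which can be compared with the "key id" that `dig DNSKEY ru. +multiline` prints for the currently published key (the quickest way to notice the yearly key change from the warning), and it inspects a dig transcript for the ad flag. The trusted-keys entry and the two dig transcripts are constructed samples (the key bytes are a placeholder, not the real RU key), and the function names are my own.

```python
import base64
import re
import struct

# Constructed sample in the shape of the bind.conf trusted-keys block above.
# The key material is a placeholder (bytes 0x01..0x10), not the real RU key.
SAMPLE_TRUSTED_KEYS = '''
trusted-keys {
    "ru." 257 3 5
    "AQIDBAUGBwgJ
    CgsMDQ4PEA==";
};
'''

# Constructed dig transcripts: one validated answer (ad set), one without it.
DIG_VALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50414
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5
"""
DIG_UNVALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50415
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5
"""

# name, flags, protocol, algorithm, then the quoted base64 key (may span lines)
TRUSTED_KEY_RE = re.compile(
    r'"(?P<name>[^"]+)"\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+'
    r'"(?P<key>[^"]+)"')


def parse_trusted_keys(text):
    """Return a list of (name, flags, protocol, algorithm, key_bytes) tuples."""
    entries = []
    for m in TRUSTED_KEY_RE.finditer(text):
        key_b64 = re.sub(r"\s+", "", m.group("key"))  # join the wrapped lines
        entries.append((m.group("name"), int(m.group("flags")),
                        int(m.group("proto")), int(m.group("alg")),
                        base64.b64decode(key_b64, validate=True)))
    return entries


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even bytes weighted by 256, odd bytes as-is
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def trusted_key_tags(text):
    """Map each trusted-keys zone name to the key tag of its configured key."""
    return {name: key_tag(flags, proto, alg, key)
            for name, flags, proto, alg, key in parse_trusted_keys(text)}


def dig_flags(output):
    """Return the set of header flags (qr, rd, ra, ad, ...) from a dig transcript."""
    m = re.search(r"^;; flags:\s*([^;]*);", output, re.M)
    return set(m.group(1).split()) if m else set()


def is_validated(output):
    """True when the resolver set the ad (authenticated data) flag on the answer."""
    return "ad" in dig_flags(output)


if __name__ == "__main__":
    for name, tag in trusted_key_tags(SAMPLE_TRUSTED_KEYS).items():
        print("%s configured trust anchor has key tag %d" % (name, tag))
    for label, transcript in (("validated", DIG_VALIDATED),
                              ("unvalidated", DIG_UNVALIDATED)):
        print("%s transcript: ad flag %s" % (label, "set" if is_validated(transcript) else "absent"))
```

On a live resolver, feed the full output of the dig command from the page to is_validated(); an answer without ad after the setup usually means the trust anchor no longer matches the published key, which trusted_key_tags() makes visible when its value differs from the key id shown by `dig @195.24.65.7 DNSKEY ru. +multiline`.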

Copyright © "Гарант-Парк-Телеком" (Garant-Park-Telecom), 2006-2010