Setting up DNSSEC on Bind9

There may be a "better" way to do it, but this is what eventually worked for me. This page exists as a guide in case I need to reinstall BIND at any point in the future.

Creating keys

dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com
dnssec-keygen -a ECDSAP256SHA256 -f KSK -n ZONE example.com

Signing zone

dnssec-signzone -A -3 $(head -c 2048 /dev/urandom | shasum -a 256 | cut -b 1-16) -N INCREMENT -o example.com -t ../example.com.zone
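
The signing command above names no keys and does not use -S, so dnssec-signzone signs only with DNSKEY records already in the zone file whose private keys sit in the current directory. The script below is an added example, not part of the original notes: it checks those preconditions before signing. The function names key_role, preflight and sign_zone are this example's own, and it assumes the keys are pulled into the zone file with $INCLUDE lines.

```shell
# Added example: pre-flight checks before the dnssec-signzone step.
# Function names are this example's own, not part of BIND.

# key_role FILE: print KSK or ZSK from the DNSKEY flags field of a
# dnssec-keygen K*.key file (257 = KSK, 256 = ZSK), else UNKNOWN.
key_role() {
    awk '$0 !~ /^;/ { for (i = 1; i < NF; i++) if ($i == "DNSKEY") {
            f = $(i + 1)
            print (f == "257" ? "KSK" : (f == "256" ? "ZSK" : "UNKNOWN"))
            exit } }' "$1"
}

# preflight ZONE ZONEFILE [KEYDIR]: succeed only if KEYDIR holds a KSK and a
# ZSK, each with its .private file, and ZONEFILE pulls each key in.
preflight() {
    zone=$1 zonefile=$2 keydir=${3:-.} ksk=0 zsk=0 rc=0
    for key in "$keydir"/K"$zone".+*.key; do
        [ -e "$key" ] || { echo "no key files for $zone in $keydir" >&2; return 1; }
        if [ ! -s "${key%.key}.private" ]; then
            echo "missing private key for $key" >&2; rc=1
        fi
        case $(key_role "$key") in
            KSK) ksk=$((ksk + 1)) ;;
            ZSK) zsk=$((zsk + 1)) ;;
            *)   echo "unrecognised DNSKEY flags in $key" >&2; rc=1 ;;
        esac
        # The signing command names no keys and omits -S, so only DNSKEYs
        # already in the zone file are used. Assumption: they are brought in
        # with "$INCLUDE <key file>" lines.
        if ! grep -F -- "${key##*/}" "$zonefile" | grep -q '^\$INCLUDE'; then
            echo "zone file does not \$INCLUDE ${key##*/}" >&2; rc=1
        fi
    done
    [ "$ksk" -ge 1 ] || { echo "no KSK (flags 257) for $zone" >&2; rc=1; }
    [ "$zsk" -ge 1 ] || { echo "no ZSK (flags 256) for $zone" >&2; rc=1; }
    return "$rc"
}

# sign_zone ZONE ZONEFILE: run the page's signing command from the key
# directory, but only when the checks pass.
sign_zone() {
    preflight "$1" "$2" . || return 1
    salt=$(head -c 2048 /dev/urandom | shasum -a 256 | cut -b 1-16)
    dnssec-signzone -A -3 "$salt" -N INCREMENT -o "$1" -t "$2"
}

# Usage, from the directory holding the K*.key files:
#   sign_zone example.com ../example.com.zone
```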

Next steps


Anton McClure / anton@tloks.com / tloks.com
Last modified: Sat Oct 23 19:16:54 EDT 2021