Table of Contents
The configuration examples given in this document requires BIND
version 9.9 or newer. To check the version of
named you have installed, use the
switch as shown below:
named -vBIND 9.10.1
All versions of BIND 9 since BIND 9.7 can support DNSSEC as currently
deployed in the global DNS. The BIND software you are
running most likely already supports DNSSEC as shipped. Run the command
named -V to see what flags it was built with. If it was
built with OpenSSL (
--with-openssl), then it supports
DNSSEC. Below is an example screenshot of running named
named -VBIND 9.10.1 <id:fe66c6b1> built by make with '--prefix=/opt/local' '--mandir=/opt/local/share/man' '
--with-openssl=/opt/local' '--with-libxml2=/opt/local' '--without-libjson' '--enable-threads' '--enable-ipv6' 'CC=/usr/bin/clang' 'CFLAGS=-pipe -Os -arch x86_64' 'LDFLAGS=-L/opt/local/lib -Wl,-headerpad_max_install_names -arch x86_64' 'CPPFLAGS=-I/opt/local/include' compiled by CLANG 4.2.1 Compatible Apple LLVM 5.1 (clang-503.0.40) using OpenSSL version: OpenSSL 1.0.1i 6 Aug 2014 using libxml2 version: 2.9.1
If the BIND 9 software you have does not support DNSSEC, it may be necessary to rebuild it from source or upgrade to a newer version.
If you plan on deploying DNSSEC to your authoritative server, you will need to generate cryptographic keys (the section called “Generate Keys Explained”). The amount of time it takes to generate the keys depends on the source of randomness, or entropy, on your systems. On some systems (especially virtual machines) with insufficient entropy, it may take much longer than one cares to wait to generate keys.
There are software packages, such as haveged for Linux, that provides additional entropy for your system. Once installed, they will significantly reduce the time needed to generate keys.
The more entropy there is, the better pseudo-random numbers you get, and stronger keys are generated. If you want or need high quality random numbers, take a look at the section called “Hardware Security Modules (HSM)” for some of the hardware-based solutions.