DNS Tech Support Training Courses DNSSEC Consulting DNS Monitoring System Audit Customer Portal
The DNS Institute
Documentation Implementations Research DNS History Free DNS Tools
Chapter 2. Getting Started
Prev DNSSEC Guide Next

DNSSEC Guide : Chapter 2. Getting Started

Table of Contents

Software Requirement
BIND Version
DNSSEC Support in BIND
System Entropy
Hardware Requirement
Recursive Server Hardware
Authoritative Server Hardware
Network Requirements
Operational Requirements
Parent Zone
Security Requirements

Software Requirement

BIND Version

The configuration examples given in this document requires BIND version 9.9 or newer. To check the version of named you have installed, use the -v switch as shown below: 

# named -v
BIND 9.10.1

DNSSEC Support in BIND

All versions of BIND 9 since BIND 9.7 can support DNSSEC as currently deployed in the global DNS. The BIND software you are running most likely already supports DNSSEC as shipped. Run the command named -V to see what flags it was built with. If it was built with OpenSSL (--with-openssl), then it supports DNSSEC. Below is an example screenshot of running named -V: 

$ named -V
BIND 9.10.1 <id:fe66c6b1> built by make with '--prefix=/opt/local'
'--mandir=/opt/local/share/man' '--with-openssl=/opt/local'
'--with-libxml2=/opt/local' '--without-libjson' '--enable-threads'
'--enable-ipv6' 'CC=/usr/bin/clang' 'CFLAGS=-pipe -Os -arch x86_64'
'LDFLAGS=-L/opt/local/lib -Wl,-headerpad_max_install_names -arch x86_64'
'CPPFLAGS=-I/opt/local/include'
compiled by CLANG 4.2.1 Compatible Apple LLVM 5.1 (clang-503.0.40)
using OpenSSL version: OpenSSL 1.0.1i 6 Aug 2014
using libxml2 version: 2.9.1

If the BIND 9 software you have does not support DNSSEC, it may be necessary to rebuild it from source or upgrade to a newer version.

System Entropy

If you plan on deploying DNSSEC to your authoritative server, you will need to generate cryptographic keys (the section called “Generate Keys Explained”). The amount of time it takes to generate the keys depends on the source of randomness, or entropy, on your systems. On some systems (especially virtual machines) with insufficient entropy, it may take much longer than one cares to wait to generate keys.

There are software packages, such as haveged for Linux, that provides additional entropy for your system. Once installed, they will significantly reduce the time needed to generate keys.

The more entropy there is, the better pseudo-random numbers you get, and stronger keys are generated. If you want or need high quality random numbers, take a look at the section called “Hardware Security Modules (HSM)” for some of the hardware-based solutions.

Prev Next
How does DNSSEC Change My Job as a DNS Administrator? DNSSEC Guide
Table of Contents
(License)		 Hardware Requirement
Contact Us | About | Site Map |  Gab |  Twitter