BIND (is there anything else?)


dnssec-keygen -a 7 -b 2048 -n ZONE
dnssec-keygen -f KSK -a 8 -b 4096 -n ZONE

Copy the generated files into /etc/bind/keys.

If you put your keys in /etc/bind/keys, do not forget about permissions and AppArmor!

Put this in the zone statement:

inline-signing yes;
auto-dnssec maintain;
key-directory "/etc/bind/keys/";
sig-validity-interval 3;  // default is 30D

Use dnssec-dsfromkey to create DS records from the KSK files.
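To make visible what dnssec-dsfromkey computes before you paste the result into the registrar's form, here is an added Python example (not part of these notes and not BIND's code) that derives a DS record from a DNSKEY line in presentation format following RFC 4034: wire-format owner name plus DNSKEY RDATA, hashed with the chosen digest type, with the key tag from Appendix B. The DNSKEY below is a constructed placeholder, not a real RSA key.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY in presentation format (placeholder public key, NOT a real RSA key).
SAMPLE_DNSKEY = "example.com. IN DNSKEY 257 3 8 AQIDBA=="

# RFC 4034 digest types: 1 = SHA-1, 2 = SHA-256 (what dnssec-dsfromkey -2 emits)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of the owner: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the first number shown in a DS record)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Split 'owner [ttl] [IN] DNSKEY flags proto alg key...' into owner, flags, alg, RDATA."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be split over columns
    return owner, flags, alg, struct.pack("!HBB", flags, proto, alg) + pubkey


def ds_record(line, digest_type=2):
    """Build the DS record text for a DNSKEY line; refuses keys without the SEP (KSK) bit."""
    owner, flags, alg, rdata = parse_dnskey(line)
    if not flags & 0x0001:
        raise ValueError("DS records are built from the KSK (flags 257), not the ZSK (256)")
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), alg, digest_type, digest)
```

Run it against the real Kexample.com.+008+NNNNN.key file from dnssec-keygen and the output should match dnssec-dsfromkey line for line.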

To enable it, add to bind.named.options:

dnssec-validation auto;
dnssec-enable yes;
dnssec-lookaside auto;

Add DS records at your domain registrar!

Check your domain with

logging {
      category dnssec { null; };
};

Letting bind/named query a specific DNS server for only one specific domain

Add to the file /etc/bind/named.conf.local:

zone "" {
	type forward;
	forward only;
	forwarders {;; };
};

Of course you need to replace '' with the zone name, as well as the two IP addresses in the 'forwarders' line.


host -t txt -c CHAOS version.bind localhost

To change what named answers there, put this in its options block:

options { version "DNS daemon"; };

host -t txt -c CHAOS hostname.bind localhost


Audit DNS

kernel: audit(1209076817.081:16): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/" pid=16561 profile="/usr/sbin/named" namespace="default"

So I had a look in: /etc/apparmor.d/usr.sbin.named

and changed this line:

/etc/bind/** r,

to this:

/etc/bind/** rw,

Fixing syntax highlighting in VIM


" BIND zone
au BufNewFile,BufRead */named/db.*,*/bind/master/*,*/bind/slave/*,*/bind/arpa/* call s:StarSetf('bindzone')
" BIND configuration
au BufNewFile,BufRead named.conf,rndc.conf,arpa.conf,named*,master.conf,slave.conf      setf named
