DNS Hosting Security | Set Up DNSSEC

September 2015

The Internet wouldn’t be as much fun if we had to remember IP addresses to find content. That’s where the Domain Name System comes in, to connect domain names with the IP that hosts the content. But DNS has one big problem: security.

DNSSEC security

DNSSEC, a relatively recent addition to DNS, helps prevent attacks that redirect traffic for your domain to another IP. DNSSEC stands for the Domain Name System Security Extensions. It is a set of security specifications that help prevent DNS spoofing at the client (resolver) level: each zone's records are signed with a private key, and the matching public key is authenticated along the chain from the zone file up to the registry, so a resolver can check that the answers it receives are genuine.

DNS spoofing and DNS cache poisoning are the most common such attacks. They force incoming traffic to blindly go to another IP, where malicious content is usually downloaded onto visitors' computers.

If you're working with a domain registrar* that supports it, the registrar can implement DNSSEC for you. If you own a separate dedicated server for DNS (a name server), you can do it yourself.


How does DNSSEC protect my site?

DNSSEC protects DNS data by digitally signing records using public key cryptography. Domain owners can work with their domain registrar to set DNSSEC public keys at the root zone of the domain registry. The lookup process works as follows:

  • First, the resolver (which is configured to follow DNSSEC) notices the DO (DNSSEC OK) flag bit in the DNS query
  • The resolver then verifies the DS and DNSKEY records at the root zone
  • Using the DS records for the top-level domain found at the root zone, it verifies the DNSKEY records in that zone
  • It then checks for a DS record for the domain in the TLD zone
  • If it exists, the resolver uses the DS record to verify a DNSKEY record found in the domain's zone file
  • Finally, it verifies the RRSIG record that covers the A records in the DNS zone file

How do I install DNSSEC?

You can follow these steps to install DNSSEC on CentOS. Instructions vary based on your Linux distribution.

Step 1: Modify the named configuration options.

vi /etc/bind/named.conf.options

Set the following in the options { } section:

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

Step 2: Navigate to your zone files.

cd /var/cache/bind

Step 3: Create a Zone Signing Key.

dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com

Step 4: Create a Key Signing Key

dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com

The directory will now contain four key files: the private/public pairs for the ZSK and the KSK.

Step 5: Add the public keys to the zone file using the following for loop (the quotes must be plain ASCII double quotes, and the backslash keeps the shell from expanding $INCLUDE):

    for key in Kexample.com*.key
    do
        echo "\$INCLUDE $key" >> example.com.zone
    done

Step 6: Sign the zone, replacing <salt> with a random hex string, <zonename> with the zone name (example.com) and <zonefilename> with the zone file (example.com.zone).

    dnssec-signzone -3 <salt> -A -N INCREMENT -o <zonename> -t <zonefilename>

This creates a new file named example.com.zone.signed which contains RRSIG records for each DNS record.
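The following script, an added example rather than code from the article or from BIND, is a pre-load check over a signed zone file in the presentation format dnssec-signzone writes: it lists every RRset that has no covering RRSIG and every signature that is about to expire (signatures have a fixed validity window and the zone must be re-signed before they lapse). SIGNED_ZONE is a constructed sample with dummy base64 signatures, not the output of a real signing run; www.example.com is deliberately left unsigned so the check has something to report.

```python
"""Check a signed zone file: every RRset should carry an RRSIG and no
signature should be close to expiry.

Added example (not part of the article, not BIND code).  SIGNED_ZONE is a
constructed sample in the one-record-per-line layout dnssec-signzone emits;
the signature blobs are dummy base64, not real signatures.
"""
from datetime import datetime, timedelta

SIGNED_ZONE = """\
example.com.     3600 IN SOA   ns1.example.com. hostmaster.example.com. 2015090101 7200 3600 1209600 3600
example.com.     3600 IN RRSIG SOA 7 2 3600 20151015000000 20150915000000 2062 example.com. c29tZXNpZw==
example.com.     3600 IN NS    ns1.example.com.
example.com.     3600 IN RRSIG NS 7 2 3600 20151015000000 20150915000000 2062 example.com. c29tZXNpZw==
example.com.     3600 IN A     192.0.2.10
example.com.     3600 IN RRSIG A 7 2 3600 20150920000000 20150915000000 2062 example.com. c29tZXNpZw==
www.example.com. 3600 IN A     192.0.2.11
"""

TIMESTAMP = "%Y%m%d%H%M%S"  # RRSIG expiration/inception format (YYYYMMDDHHMMSS)


def parse_zone(text):
    """Yield (owner, type, rdata_fields) per record line.

    Comments and blank lines are skipped.  Assumes one record per line with
    an explicit owner, as written by dnssec-signzone (no multi-line parentheses).
    """
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        i = 1                                   # owner, [ttl], [class], type, rdata...
        if f[i].isdigit():
            i += 1
        if f[i].upper() in ("IN", "CH", "HS"):
            i += 1
        yield f[0].lower(), f[i].upper(), f[i + 1:]


def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs that have no RRSIG covering them."""
    rrsets, covered = set(), set()
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "RRSIG":
            covered.add((owner, rdata[0].upper()))   # rdata[0] is the type covered
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - covered)


def expiring_signatures(text, now_str, days=7):
    """Return (owner, type covered, expiration) for RRSIGs that expire within `days` of now_str.

    now_str uses the same YYYYMMDDHHMMSS format as the RRSIG timestamps.
    """
    now = datetime.strptime(now_str, TIMESTAMP)
    out = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype != "RRSIG":
            continue
        expiration = rdata[4]                    # type, alg, labels, orig ttl, expiration, ...
        if datetime.strptime(expiration, TIMESTAMP) <= now + timedelta(days=days):
            out.append((owner, rdata[0].upper(), expiration))
    return out


if __name__ == "__main__":
    for owner, rtype in unsigned_rrsets(SIGNED_ZONE):
        print("no RRSIG for", owner, rtype)
    for owner, rtype, exp in expiring_signatures(SIGNED_ZONE, "20150916000000"):
        print("RRSIG over", owner, rtype, "expires", exp)
```

Run it against your own example.com.zone.signed by replacing SIGNED_ZONE with the file contents; an empty report from both functions is what you want before loading the zone in step 7.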

Step 7: Load the signed zone.

nano /etc/bind/named.conf.local

Change the file option inside the zone { } section:

    zone "example.com" IN {
        type master;
        file "example.com.zone.signed";
        allow-transfer { 2.2.2.2; };
        allow-update { none; };
    };

Step 8: Save the file and reload BIND.

service bind9 reload

Step 9: Add the DS records at your domain registrar.

A file named dsset-example.com was created by dnssec-signzone in step 6. It contains the DS records, which you then submit to your domain registrar so they are published in the TLD zone.
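The DS record ties the two halves of the chain of trust together: it is what you hand to the registrar in step 9, and it is what a validating resolver compares against your zone's DNSKEY in the lookup process described above ("the resolver uses the DS record to verify a DNSKEY record found in the domain's zone file"). The script below is an added example, not code from the article or from BIND; it reproduces the RFC 4034 DS computation offline so you can see how the dsset file is derived from the KSK, and perform the resolver-side match yourself (for instance between the DS your registrar has published and the DNSKEY your server serves). SAMPLE_KSK is a constructed DNSKEY with a dummy 4-byte public key so the arithmetic is easy to follow; a real KSK produces a different tag and digest.

```python
"""Build and check DS records for a DNSKEY (RFC 4034 section 5 and appendix B).

Added example (not part of the article, not BIND code).  SAMPLE_KSK is a
constructed DNSKEY line: flags 257 (KSK), protocol 3, algorithm 7
(NSEC3RSASHA1, the algorithm used by the article's dnssec-keygen commands),
with a dummy 4-byte public key (base64 "AQIDBA==") instead of a real RSA key.
"""
import base64
import hashlib

# DS digest types: 1 = SHA-1, 2 = SHA-256 (the default dnssec-signzone emits), 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

SAMPLE_KSK = "example.com. IN DNSKEY 257 3 7 AQIDBA=="


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str) -> dict:
    """Parse a DNSKEY presentation line, e.g. the contents of K<zone>+<alg>+<tag>.key."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))   # base64 may be split over fields
    return {"name": fields[0], "flags": flags, "protocol": proto, "algorithm": alg, "pubkey": pubkey}


def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key bytes."""
    return key["flags"].to_bytes(2, "big") + bytes([key["protocol"], key["algorithm"]]) + key["pubkey"]


def key_tag(key: dict) -> int:
    """Key tag per RFC 4034 appendix B (16-bit ones-complement-style sum over the RDATA)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(key: dict, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire format || DNSKEY RDATA), as uppercase hex."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(key["name"]))
    h.update(dnskey_rdata(key))
    return h.hexdigest().upper()


def ds_record(key: dict, digest_type: int = 2) -> str:
    """Render the DS line in the same shape as a dsset-<zone> file entry."""
    return "%s IN DS %d %d %d %s" % (
        key["name"], key_tag(key), key["algorithm"], digest_type, ds_digest(key, digest_type))


def ds_matches(ds_line: str, key: dict) -> bool:
    """The resolver-side check: does this DS from the parent zone authenticate this DNSKEY?"""
    fields = ds_line.split()
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    digest = "".join(fields[idx + 4:]).upper()
    if dtype not in DIGEST_ALGS:
        return False   # unknown digest type: the DS is unusable for validation
    return tag == key_tag(key) and alg == key["algorithm"] and digest == ds_digest(key, dtype)


if __name__ == "__main__":
    ksk = parse_dnskey(SAMPLE_KSK)
    ds = ds_record(ksk)
    print(ds)
    tampered = dict(ksk, pubkey=b"\x01\x02\x03\x05")   # one bit of key material changed
    print("DS matches the published KSK:", ds_matches(ds, ksk))
    print("DS matches a tampered key:   ", ds_matches(ds, tampered))
```

To apply this to a live zone, paste the DNSKEY line from your Kexample.com+007+*.key KSK file into parse_dnskey and compare ds_record's output with the dsset-example.com entry you submitted; ds_matches run against the DS your registrar actually published tells you whether resolvers will be able to build the chain or will instead treat your zone as bogus.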

Test Your Work for DNS Security

You can use the tool linked here to test that DNSSEC is configured properly on your domain. DNSSEC is a fairly new tool, but implementing it can make a huge difference to your dedicated server's security.

*Only some domain registrars support "end user DNSSEC management, including entry of DS records", according to ICANN.