Netgate Discussion Forum
    Howto enable DNSSEC for a domain configured in Bind

    megapearl

      Hi, I'm running pfSense v2.7.2 with the bind v9.17 package installed.

      How can I successfully deploy DNSSEC using the Bind package in pfSense?

      I tried checking the "enable inline DNSSEC signing" option, but no DSSET is generated in the text box.
      The link https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html isn't working either.


      Hope someone can point me in the right direction.

      Best Regards,
      Donald.

      allxi @megapearl

        @megapearl https://forum.netgate.com/topic/177199/problems-with-bind-plugin-9-16_17-9-17-and-dnssec-keys?_=1716628039364 not this?

        megapearl @allxi

          @allxi Hi, thanks.

          I have set it up in a different way, but the keys do not persist when pfSense reboots; maybe the above link can help with that.

          I added the following under services -> bind dns server -> settings -> advanced features -> global settings:

          dnssec-policy "mydomain-com-no-rotate" {
              keys {
                  ksk key-directory lifetime unlimited algorithm 13;
                  zsk key-directory lifetime unlimited algorithm 13;
              };
              nsec3param;
          };
          

          Then under zones -> mydomain.com (edit) -> custom_option:

          key-directory "/etc/namedb/keys";
          dnssec-policy "mydomain-com-no-rotate";
          inline-signing yes;
          

          Then under the DNSSEC option:

          Inline Signing: Disable
          Backup Keys: Disable
          

          Now I am looking for a way to save the keys in the config XML, or to write them to a different location, so that they persist across reboots.

          The bind package is writing the keys to:

          /var/etc/named/etc/namedb/keys
          

          So maybe the bind9 package is running in a chroot, which I can't change or disable.

          megapearl

            Then SSH into pfSense and get the DS key to add to the parent DNS servers:

            [2.7.2-RELEASE][root@gateway.mydomain.com]/var/etc/named/etc/namedb/keys: dnssec-dsfromkey -2 Kmydomain.com.+019+31296.key
            mydomain.com. IN DS 31296 13 2 XXXXC43FFEE8FEA5868B1E81ECXXXX31A1D9183B800A688A6DA664FB62F8XXXX
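
Added example, not from the thread and not the poster's code. The DS line in the post above is what `dnssec-dsfromkey -2` derives from the KSK's `.key` file: the RFC 4034 key tag (31296 here), the algorithm (13), the digest type (2 = SHA-256) and the SHA-256 over the canonical owner name followed by the DNSKEY RDATA. The Python below recomputes that offline so the DS can be cross-checked before it is pasted at the registrar, refuses a key without the SEP flag (flags 257) so the ZSK that the same dnssec-policy also generates is not published by mistake, and checks that the tag in the `K<zone>+<alg>+<tag>.key` file name agrees with the key bytes inside it. The key file text and its 64 public-key bytes are constructed for illustration (not a real P-256 point and not the poster's key); the functions work unchanged on a real file read from the keys directory quoted in the thread.

```python
"""Recompute a DS record from a BIND .key file, as dnssec-dsfromkey -2 does (RFC 4034)."""
import base64
import hashlib
import re

# Constructed sample (not the poster's key): the text of a BIND-style
# Kmydomain.com.+013+59409.key file. The 64 public-key bytes are a stand-in
# for a P-256 point; the DS and key-tag arithmetic does not care what they are.
_SAMPLE_PUBKEY = bytes(range(64))
SAMPLE_KEY_FILE = (
    "; This is a key-signing key, keyid 59409, for mydomain.com.\n"
    "; Created: 20240501120000 (Wed May  1 12:00:00 2024)\n"
    "mydomain.com. IN DNSKEY 257 3 13 "
    + base64.b64encode(_SAMPLE_PUBKEY).decode("ascii")
    + "\n"
)

# RFC 4034 section 5.1.3 digest types; BIND selects them with -1 / -2 / -4.
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def parse_key_file(text):
    """Return (owner, flags, protocol, algorithm, pubkey) from the DNSKEY line of a .key file."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # BIND writes key metadata as ';' comments
        if not line:
            continue
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():  # optional TTL between owner and class
            del fields[1]
        if len(fields) < 7 or fields[1].upper() != "IN" or fields[2].upper() != "DNSKEY":
            raise ValueError("not a DNSKEY RR: %r" % line)
        flags, proto, alg = (int(f) for f in fields[3:6])
        pubkey = base64.b64decode("".join(fields[6:]))
        return fields[0], flags, proto, alg, pubkey
    raise ValueError("no DNSKEY RR found")


def dnskey_rdata(flags, proto, alg, pubkey):
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the 31296 in the post's file name and DS record).
    Valid for every algorithm except the obsolete RSA/MD5 (algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(owner):
    """Canonical wire form of the owner name (lower case, fully qualified), RFC 4034 section 6.2."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def is_ksk(text):
    """True when the SEP bit (flags 257) is set; only that key belongs in the parent's DS."""
    return bool(parse_key_file(text)[1] & 0x0001)


def ds_record(text, digest_type=2):
    """DS presentation form: <owner> IN DS <key tag> <alg> <digest type> <hex digest>."""
    owner, flags, proto, alg, pubkey = parse_key_file(text)
    if not flags & 0x0001:
        raise ValueError("flags %d has no SEP bit: this is the ZSK, publish the KSK's DS" % flags)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = DIGEST[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    owner = owner.lower().rstrip(".") + "."
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), alg, digest_type, digest)


def tag_matches_filename(filename, text):
    """Check that a K<zone>+<alg>+<tag>.key file name agrees with the key it contains."""
    m = re.match(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(key|private)$", filename)
    if not m:
        raise ValueError("not a BIND key file name: %r" % filename)
    owner, flags, proto, alg, pubkey = parse_key_file(text)
    return (m["zone"].lower() == owner.lower()
            and int(m["alg"]) == alg
            and int(m["tag"]) == key_tag(dnskey_rdata(flags, proto, alg, pubkey)))


if __name__ == "__main__":
    # On pfSense: text = open("/var/etc/named/etc/namedb/keys/<Kfile>.key").read()
    print(ds_record(SAMPLE_KEY_FILE))
    print("file name consistent:", tag_matches_filename("Kmydomain.com.+013+59409.key", SAMPLE_KEY_FILE))
```

Run `ds_record()` over the real `.key` file and compare the result with what `dnssec-dsfromkey -2` printed; a mismatch means a different file is being read (the ZSK, or a key left over from an earlier policy), and `tag_matches_filename()` catches a hand-renamed or copied key whose name no longer matches its contents.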
            
            allxi @megapearl

              @megapearl said in Howto enable DNSSEC for a domain configured in Bind:

              Now finding a way to save the keys in the config xml or write them to a different location to make them persistent upon reboot

              I am also looking for a way to save my slave zone. After a reboot my slave zone is empty if there is no master. https://forum.netgate.com/topic/188369/slave-zone-in-bind-9-17/3

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.