<![CDATA[Howto enable DNSSEC for a domain configured in Bind]]>Hi, I'm running pfSense v2.7.2 with the bind v9.17 package installed.

How can I successfully deploy DNSSEC using the package Bind in pfSense?

I tried to check the enable inline dnssec signing, but there is no DSSET generated in the text box.
The link https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html isn't working also.

c0093d2f-2477-40ac-bce6-23f2fdd25d5b-image.png

Hope someone can point me in the right direction.

Best Regards,
Donald.

]]>https://forum.netgate.com/topic/185550/howto-enable-dnssec-for-a-domain-configured-in-bindRSS for NodeSun, 14 Jun 2026 16:58:56 GMTMon, 15 Jan 2024 10:59:31 GMT60<![CDATA[Reply to Howto enable DNSSEC for a domain configured in Bind on Sat, 25 May 2024 13:19:09 GMT]]>@megapearl said in Howto enable DNSSEC for a domain configured in Bind:

Now finding a way to save the keys in the config xml or write them to a different location to make them persistent upon reboot

Also looking for a way to save my slave zone. After reboot my slave zone is empty, if there is no master. https://forum.netgate.com/topic/188369/slave-zone-in-bind-9-17/3

]]>https://forum.netgate.com/post/1170955https://forum.netgate.com/post/1170955Sat, 25 May 2024 13:19:09 GMT<![CDATA[Reply to Howto enable DNSSEC for a domain configured in Bind on Sat, 25 May 2024 11:37:21 GMT]]>Then SSH in to pfSense and get the DSKEY to add it to parent dns servers:

2.7.2-RELEASE][root@gateway.mydomain.com]/var/etc/named/etc/namedb/keys: dnssec-dsfromkey -2 Kmydomain.com.+019+31296.key
mydomain.com. IN DS 31296 13 2 XXXXC43FFEE8FEA5868B1E81ECXXXX31A1D9183B800A688A6DA664FB62F8XXXX
]]>https://forum.netgate.com/post/1170948https://forum.netgate.com/post/1170948Sat, 25 May 2024 11:37:21 GMT<![CDATA[Reply to Howto enable DNSSEC for a domain configured in Bind on Sat, 25 May 2024 09:37:55 GMT]]>@allxi Hi, thanks.

I have set it up in a different way, but the keys do not persist upon reboot pfSense, maybe the above link can help with that.

I added to services -> bind dns server -> settings -> advanced features -> global settings:

dnssec-policy "mydomain-com-no-rotate" {
    keys {
        ksk key-directory lifetime unlimited algorithm 13;
        zsk key-directory lifetime unlimited algorithm 13;
    };
    nsec3param;
};

Then under zones -> mydomain.com (edit) -> custom_option:

key-directory "/etc/namedb/keys";
dnssec-policy "mydomain-com-no-rotate";
inline-signing yes;

Then under the DNSSEC option:

Inline Signing: Disable
Backup Keys: Disable

Now finding a way to save the keys in the config xml or write them to a different location to make them persistent upon reboot.

The bind package is writing the keys to:

/var/etc/named/etc/namedb/keys

So, maybe the bind9 package in running in a chroot, which I can't change or disable.

]]>https://forum.netgate.com/post/1170943https://forum.netgate.com/post/1170943Sat, 25 May 2024 09:37:55 GMT<![CDATA[Reply to Howto enable DNSSEC for a domain configured in Bind on Sat, 25 May 2024 09:09:29 GMT]]>@megapearl https://forum.netgate.com/topic/177199/problems-with-bind-plugin-9-16_17-9-17-and-dnssec-keys?_=1716628039364 not this?

]]>https://forum.netgate.com/post/1170941https://forum.netgate.com/post/1170941Sat, 25 May 2024 09:09:29 GMT