Netgate Discussion Forum

Howto enable DNSSEC for a domain configured in Bind

Forum category: pfSense Packages
    megapearl
    last edited by Jan 15, 2024, 10:59 AM

    Hi, I'm running pfSense v2.7.2 with the bind v9.17 package installed.

    How can I successfully deploy DNSSEC using the package Bind in pfSense?

    I tried to check the enable inline dnssec signing, but there is no DSSET generated in the text box.
    The link https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html isn't working either.


    Hope someone can point me in the right direction.

    Best Regards,
    Donald.

      allxi @megapearl
      last edited by May 25, 2024, 9:09 AM

      @megapearl https://forum.netgate.com/topic/177199/problems-with-bind-plugin-9-16_17-9-17-and-dnssec-keys?_=1716628039364 not this?

        megapearl @allxi
        last edited by megapearl May 25, 2024, 9:37 AM (posted May 25, 2024, 9:24 AM)

        @allxi Hi, thanks.

        I have set it up in a different way, but the keys do not persist when pfSense reboots; maybe the above link can help with that.

        I added to services -> bind dns server -> settings -> advanced features -> global settings:

        dnssec-policy "mydomain-com-no-rotate" {
            keys {
                ksk key-directory lifetime unlimited algorithm 13;
                zsk key-directory lifetime unlimited algorithm 13;
            };
            nsec3param;
        };
        

        Then under zones -> mydomain.com (edit) -> custom_option:

        key-directory "/etc/namedb/keys";
        dnssec-policy "mydomain-com-no-rotate";
        inline-signing yes;
        

        Then under the DNSSEC option:

        Inline Signing: Disable
        Backup Keys: Disable
        

        Now finding a way to save the keys in the config xml or write them to a different location to make them persistent upon reboot.

        The bind package is writing the keys to:

        /var/etc/named/etc/namedb/keys
        

        So maybe the bind9 package is running in a chroot, which I can't change or disable.

          megapearl
          last edited by megapearl May 25, 2024, 11:37 AM (posted May 25, 2024, 11:36 AM)

          Then SSH into pfSense and get the DS key to add it to the parent DNS servers:

          2.7.2-RELEASE][root@gateway.mydomain.com]/var/etc/named/etc/namedb/keys: dnssec-dsfromkey -2 Kmydomain.com.+019+31296.key
          mydomain.com. IN DS 31296 13 2 XXXXC43FFEE8FEA5868B1E81ECXXXX31A1D9183B800A688A6DA664FB62F8XXXX
          
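The `dnssec-dsfromkey -2` step above is the one place where a typo or a stale key file quietly breaks the chain of trust, so it is worth being able to recompute the DS record independently of the tool. The following is an added example for this thread, not code from the pfSense bind package or from ISC: it reads a BIND `K<zone>.+<alg>+<tag>.key` file from the key directory the previous post shows, recomputes the key tag (RFC 4034 Appendix B, the variant for every algorithm except RSAMD5) and the SHA-256 DS digest (RFC 4034 section 5.1.4 with digest type 2 from RFC 4509), and checks that the tag in the filename matches the key inside it. The sample key file embedded below is constructed for this example, with a four-byte placeholder public key so it runs offline; a real algorithm 13 key is 64 bytes, and the script name `ds_check.py` is an assumption.

```python
"""Recompute the DS record for a BIND K*.key file, as dnssec-dsfromkey -2 does.

Added example for this thread; not code from the pfSense bind package or ISC.
Implements the key tag of RFC 4034 Appendix B (the non-RSAMD5 variant) and the
DS digest of RFC 4034 section 5.1.4 with SHA-256 (digest type 2, RFC 4509).
"""
import base64
import hashlib
import re
import sys

# Digest types a DS record can carry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed sample in the format BIND writes to <key-directory>/K*.key.
# The four-byte public key is a placeholder so the script runs offline; a real
# algorithm 13 (ECDSAP256SHA256) key is 64 bytes.
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 2068, for mydomain.com.
; Created: 20240525090000 (Sat May 25 09:00:00 2024)
mydomain.com. IN DNSKEY 257 3 13 AQIDBA==
"""


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    wire = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit ones-complement-style sum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def parse_key_file(text: str):
    """Return (owner, flags, protocol, algorithm, pubkey) from the DNSKEY line of a K*.key file."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # BIND writes metadata as ';' comments
            continue
        parts = line.split()
        idx = parts.index("DNSKEY")  # layout: owner [ttl] [class] DNSKEY flags proto alg base64...
        owner = parts[0]
        flags, proto, alg = (int(x) for x in parts[idx + 1:idx + 4])
        pubkey = base64.b64decode("".join(parts[idx + 4:]))
        return owner, flags, proto, alg, pubkey
    raise ValueError("no DNSKEY record found")


def ds_record(key_file_text: str, digest_type: int = 2) -> str:
    """The DS RR to hand to the parent, in the same layout dnssec-dsfromkey prints."""
    owner, flags, proto, alg, pubkey = parse_key_file(key_file_text)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def check_filename(filename: str, key_file_text: str) -> bool:
    """True if the zone, algorithm and tag encoded in K<zone>.+<alg>+<tag>.key match the key inside."""
    m = re.match(r"K(.+?)\.\+(\d{3})\+(\d{5})\.(key|private)$", filename)
    if not m:
        raise ValueError(f"not a BIND key file name: {filename}")
    owner, flags, proto, alg, pubkey = parse_key_file(key_file_text)
    tag = key_tag(dnskey_rdata(flags, proto, alg, pubkey))
    return (m.group(1).lower() == owner.rstrip(".").lower()
            and int(m.group(2)) == alg and int(m.group(3)) == tag)


def main(argv):
    """Usage: ds_check.py [/path/to/Kzone.+alg+tag.key]; with no argument, uses the sample."""
    if len(argv) > 1:
        with open(argv[1]) as f:
            text = f.read()
        print(ds_record(text))
        print("filename matches key:", check_filename(argv[1].rsplit("/", 1)[-1], text))
    else:
        print(ds_record(SAMPLE_KEY_FILE))


if __name__ == "__main__":
    main(sys.argv)
```

Run it on the box with the Python 3 interpreter pfSense ships (`python3.11` on 2.7.x) against the KSK file in `/var/etc/named/etc/namedb/keys`, and compare the line with what `dnssec-dsfromkey -2` printed; a mismatch means one of the two inputs is not the key named actually loaded. Two general DNSSEC cautions apply here regardless of the tool: publish the DS at the parent only after the matching DNSKEY is already being served and signing (otherwise validators see a bogus zone until the KSK appears), and with the `lifetime unlimited` policy from the earlier post there is no automatic rollover, so the DS at the registrar has to be updated by hand whenever the KSK is ever replaced.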
            allxi @megapearl
            last edited by May 25, 2024, 1:19 PM

            @megapearl said in Howto enable DNSSEC for a domain configured in Bind:

            Now finding a way to save the keys in the config xml or write them to a different location to make them persistent upon reboot

            Also looking for a way to save my slave zone. After a reboot my slave zone is empty if there is no master. https://forum.netgate.com/topic/188369/slave-zone-in-bind-9-17/3

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.