@deadmann
Created September 21, 2023 20:56
Bind9 DNSSEC: creating keys to allow better integration between Microsoft DNS Server 2016 as primary and Bind9 as secondary

If you have DNSSEC enabled and configured on your primary DNS server, it's a good practice to also configure DNSSEC on your secondary DNS server. DNSSEC helps to ensure the authenticity and integrity of DNS data, and having it enabled on both servers is a security best practice.

To configure DNSSEC on your secondary DNS server, you'll need to perform the following steps:

Install DNSSEC Tools (if not already installed): Ensure that DNSSEC tools are installed on your secondary DNS server. The specific package names might vary depending on your Linux distribution, but commonly used tools are part of the "dnssec-tools" package. You can typically install it using your package manager. For example, on Ubuntu:

sudo apt-get install dnssec-tools

Generate DNSSEC Keys (if not already generated): You'll need to generate DNSSEC keys for each signed zone. Use the "dnssec-keygen" command to generate the keys. For example:

dnssec-keygen -a RSASHA256 -b 2048 -n ZONE ashiane.house

This command will generate a key pair for the "ashiane.house" zone. You'll get two files: a private key (Kashiane.house.+<algorithm>+<key-id>.private) and a public key (Kashiane.house.+<algorithm>+<key-id>.key), where <algorithm> is the numeric algorithm id and <key-id> is the key tag assigned by dnssec-keygen.

Configure Zone Signing: Add DNSSEC-related configuration to your zone configuration file for the "ashiane.house" zone on your secondary DNS server. You'll need to specify the DNSSEC keys and related parameters. Here's an example of what your zone configuration could look like with DNSSEC:

zone "ashiane.house" IN {
    type slave;
    file "/var/cache/bind/forward.ashiane.house.db";
    masters { 176.9.167.206; };
    key-directory "/etc/bind/keys";  // Directory where your DNSSEC keys are stored
    auto-dnssec maintain;
    inline-signing yes;
};

Make sure to replace "/etc/bind/keys" with the actual directory where your DNSSEC keys are stored.

Reload Bind: After configuring DNSSEC for the zone, reload or restart your Bind9 service to apply the changes:

sudo systemctl reload bind9

Verify DNSSEC Configuration: Use DNSSEC validation tools to verify that your DNSSEC configuration is correct. Tools like "dnssec-verify" can check the signatures and keys of the signed zone file.

By following these steps, you should have DNSSEC enabled on your secondary DNS server for the "ashiane.house" zone. Repeat the process for any other DNSSEC-signed zones you have on your primary server. This ensures that both your primary and secondary servers are DNSSEC-aware and can provide secure DNS resolution for your zones.
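The stanza above points named at a key-directory, and a common reason inline signing fails on the secondary is that the directory is empty, holds only half of a key pair, or has a private key the named process cannot (or everyone can) read. The script below is an added example, not part of the gist: it renders the same zone stanza from parameters and checks a key directory for complete K<zone>.+<algorithm>+<key-id> pairs with private halves that are not group- or world-readable. The zone name, primary address and file path are taken from the gist's sample; the key id 12345 in the demo is a constructed value, and the optional named-checkconf / dnssec-verify calls only run when BIND's tools are installed.

```shell
#!/bin/sh
# Added example (not from the gist): sanity checks for a secondary zone that
# does inline signing, as in the named.conf stanza shown above.

# Print the zone stanza for named.conf: zone, primary IP, key dir, zone file.
render_zone_stanza() {
    zone=$1; primary=$2; keydir=$3; zonefile=$4
    cat <<EOF
zone "$zone" IN {
    type slave;
    file "$zonefile";
    masters { $primary; };
    key-directory "$keydir";
    auto-dnssec maintain;
    inline-signing yes;
};
EOF
}

# Check that every public key K<zone>.+<alg>+<id>.key in keydir has its
# matching .private file and that the private file is not readable by
# group or others. Prints the number of usable key pairs on stdout and
# returns non-zero if anything is wrong.
check_key_dir() {
    zone=$1; keydir=$2; pairs=0; problems=0
    for pub in "$keydir"/K"$zone".+*+*.key; do
        if [ ! -e "$pub" ]; then
            echo "no K$zone.+*+*.key files in $keydir" >&2
            return 1
        fi
        priv=${pub%.key}.private
        if [ ! -f "$priv" ]; then
            echo "missing private half for $pub" >&2
            problems=$((problems + 1))
            continue
        fi
        # GNU stat first, BSD stat as fallback; both yield e.g. "600".
        mode=$(stat -c '%a' "$priv" 2>/dev/null || stat -f '%Lp' "$priv")
        case $mode in
            *00) pairs=$((pairs + 1)) ;;
            *)   echo "$priv is mode $mode; private keys should be 0600" >&2
                 problems=$((problems + 1)) ;;
        esac
    done
    echo "$pairs"
    [ "$problems" -eq 0 ]
}

# Optional: syntax-check the config and verify the signed zone file with
# BIND's own tools when they are present (no-op otherwise).
verify_with_bind_tools() {
    conf=$1; zone=$2; zonefile=$3
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$conf" || return 1
    fi
    if command -v dnssec-verify >/dev/null 2>&1 && [ -f "$zonefile" ]; then
        dnssec-verify -o "$zone" "$zonefile" || return 1
    fi
    return 0
}

# Stand-alone demo on a constructed key directory (key id 12345 is made up).
demo_dir=$(mktemp -d)
touch "$demo_dir/Kashiane.house.+008+12345.key"
touch "$demo_dir/Kashiane.house.+008+12345.private"
chmod 600 "$demo_dir/Kashiane.house.+008+12345.private"
render_zone_stanza ashiane.house 176.9.167.206 "$demo_dir" \
    /var/cache/bind/forward.ashiane.house.db
echo "usable key pairs: $(check_key_dir ashiane.house "$demo_dir")"
rm -rf "$demo_dir"
```

Run it as `sh check_dnssec_zone.sh` (any file name); on a real server replace the demo directory with your actual key-directory and pass your named.conf and signed zone file to verify_with_bind_tools. The permission check matters because the private halves are what let the secondary produce RRSIGs; they should be readable by the bind user only.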


deadmann commented Oct 14, 2023

Diagnosis

Can you try to reset the failed counter with the following command:

systemctl reset-failed bind9

After that you may try to stop the service:

systemctl stop bind9

After that, check that all services are stopped and no process is running:

systemctl status bind9
ps aux | grep named

If everything is stopped and not running, try to start bind9:

systemctl start bind9

If this still fails, check whether there are any more errors during startup:

journalctl -u bind9 --since "1 hour ago"

We can also check the server and help you if you provide us with the login credentials.

NOTE: instead of bind9, please try again with the service name named. bind9 seems to be the alias for named.
