Based on the instructions from haller.ws:

- Run `named -v` to check that you have BIND 9.x (or greater) installed.
- Download the DNS key generation scripts and related files from haller.ws.
- Run the `dns-root-key.sh` script and save its output to a text file, e.g. `dns-root-key.sh >> managed-keys.txt`. The script downloads the root key and verifies it for you.
- Run the `dlv-key.sh` script and save its output to a text file, e.g. `dlv-key.sh >> trusted-keys.txt`. The script downloads the DLV key and verifies it for you.
- If the script fails for whatever reason (apparently one of the ISC PGP keys has expired), you can fetch the DLV key with cURL from http://ftp.isc.org/www/dlv/dlv.isc.org.named.conf, e.g. `curl -s http://ftp.isc.org/www/dlv/dlv.isc.org.named.conf > trusted-keys.txt`.
- If you want to, you can also download the PGP signature from http://ftp.isc.org/www/dlv/dlv.isc.org.named.conf.asc and verify the key yourself.
- Update your `/etc/named.conf` with the following sections:

```
options {
    // only listen on local loopback ports
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    dnssec-enable yes;
    // add these for recursors
    dnssec-validation yes;
    dnssec-lookaside "." trust-anchor dlv.isc.org.;
};
// output from dns-root-key.sh
include "managed-keys.txt";
// output from dlv-key.sh
include "trusted-keys.txt";
```

- Ensure the `trusted-keys.txt` and `managed-keys.txt` files are in the path, or give their full path in the include statement (e.g. `include "/etc/managed-keys.txt";`).
- You might need to comment out the line `include "/etc/rndc.key";` if you don't have an rndc key in your `/etc` folder. You will also need to comment out the reference to the rndc key in the controls section:

```
controls {
    // inet 127.0.0.1 port 54 allow {any;}
    // keys { "rndc-key"; };
};
```

- Check that the named plist file exists. It should be at `/System/Library/LaunchDaemons/org.isc.named.plist`.
- Unload named from launchctl if it has been loaded by something else, e.g. `launchctl unload org.isc-named` and `sudo launchctl unload org.isc-named`. (This needs to be done with AND without sudo, as launchctl keeps separate lists of loaded daemons depending on whether they were loaded with or without root access.)
- Load the named plist as a daemon WITH root privileges using `sudo launchctl load -w /System/Library/LaunchDaemons/org.isc.named.plist`.
- Check system.log to see if named threw any errors, e.g. `sudo tail -n 20 /var/log/system.log`.
- Quick test to see if it works using `dig`: run `dig haller.ws @127.0.0.1 +dnssec`. The header flags should have the `ad` flag set. This indicates "Authentic Data" (RFC 4035).
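The `ad`-flag check above can be scripted so it is not eyeballed: the following added shell example (not part of the original post) parses the `;; flags:` line of dig output and distinguishes a validated answer from one the resolver merely forwarded, or a SERVFAIL. The sample dig headers are constructed; the live check assumes the local resolver at 127.0.0.1 set up above.

```shell
#!/bin/sh
# Added example (not from the original post): classify dig output by the
# "ad" (Authentic Data, RFC 4035) header flag described above.

# Returns 0 when the ";; flags:" line of the supplied dig output carries "ad".
has_ad_flag() {
    # dig prints e.g. ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' \
        | tr ' ' '\n' | grep -qx 'ad'
}

# Prints one of: validated (ad set), unvalidated (answer served without ad,
# e.g. an unsigned zone or a resolver that is not validating), servfail
# (what a validating resolver returns when the signatures do not verify).
classify_dig_output() {
    if printf '%s\n' "$1" | grep -q 'status: SERVFAIL'; then
        echo servfail
    elif has_ad_flag "$1"; then
        echo validated
    else
        echo unvalidated
    fi
}

# Live check against the local resolver configured above; only runs when the
# script is invoked as: sh check-ad.sh --live [name]
live_check() {
    name="${1:-haller.ws}"
    classify_dig_output "$(dig "$name" @127.0.0.1 +dnssec)"
}

# Constructed sample dig headers for offline demonstration.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if [ "${1:-}" = "--live" ]; then
    live_check "${2:-}"
fi
```

Running the script with `--live` prints `validated` only when the local named actually validated the answer; a plain `unvalidated` means you are getting records without the protection you just configured.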
You now have BIND 9 with DNSSEC validation running on your machine. You can set the DNS server in your network settings to localhost (127.0.0.1) and you'll be relying on validated DNS records from now on! Enjoy.