opennic:dnssec

DNSSEC Validation

DNSSEC is a mechanism that prevents DNS forgeries that could potentially redirect you or your Tier 2 users to malicious sites.

Tier 2 Configuration

FIXME We're looking for guides for other DNS software, contributions welcome!

Tier 2 providers may enable DNSSEC validation by following the guide(s) below, corresponding to their DNS software. Please note that in each case, the keys need to be manually defined in your configuration, and will need to be updated each time the root key changes. Servers providing this service will need to stay up-to-date on the mailing list to ensure they remain in service.

BIND9

The file paths in this guide are the defaults on many systems including Ubuntu and Debian, but may need to be modified to suit your configuration.

1. Create the file /etc/bind/named.conf.keys with the following content:

named.conf.keys
trust-anchors {
  . initial-key 257 3 8 "AwEAAbtbsu+wl3fbEDbgvMgJ1BDXeAk5t6BU7B1KGVvc13zMJtjvarxp
    WWrAb7fmWERX8kJawa3KpYty0EDFQ24nfQyhwEOld442ca89u4/ZU3jP
    uwKohbGn55vIQ7KjCIrDNvRYjGVn2MNwZnL4WVVclJYsa1cGwVQ9t575
    I5yvU+5g+jVcjUsGwFn6xmuJC0Z33ABKsC8b1cjfcnvE4wP3CrXOlDQ+
    Er4uPUtMKrmG+Sj1Bm5U+do78mwEXOlTz/sNj8tkpL0pYB2j+XNaDVrO
    0uS1beekejnttMsC4SHMCsiwMvigW2O54ByhzijU2v87d7U9WEMVfPvO
    6gearg1fo/1Tk4buzPZcS+W9WZgFAt7kT1ois3x0GGT7J55zENB9IZU4
    tMmWdYbZJOZsdAzmshuWJIUlTZdNN5671Rhc6P9TWnMlvb9iNT7G3DZ9
    PhBw1OF/OmmXobv3Wygbt5+u7q2CPPzwU4WTGpVNtr3Iry2SPW3XVpJS
    M3+nW7LfxxtWZJlN4MDQYC5IptU+A5EO80/yE38E9tKGDWC1+Nw59QLa
    BE7ff+Jkq7OMjTHjFhYivkJSv+8LEbkGjWoaMAS2CT3/ZVMYLiQn8THi
    ZUBF+aOzJMw0EGPag1Qq4vfGgFkQMM3hOaH6bWN1yCvmspuiwLYkNCZZ
    /l8ThKc57bGYy9TX";

};
:!: Don't just blindly copy this wiki page, ensure the key matches the current root zone's DNSKEY:

dig DNSKEY . @195.201.99.61 +short


256 3 8 AwEAAeXw6/FhGTrrrowgiK/4mWwP76JM/Np6FwHmQ+Qn73wdOWT0d189 gkNeVNTVyQNU+q+MBnJ01OFbgQqsey6pd2OjAD5i8pDqZz/0zS7z70Uv eScfqLv08n8qoZOsv7QhytVE9qGqfXgeeGPUctOeqfdlJN/NXnU7crBT 6AxLg1FChV1m3dOcJwCW72XPi/Mbo9dsJSgbWZmVGCILBEQjVa13K4lt roHibq/1kUvmei0TLpzDpwu9OG3m50tAa+JTyId2vqopbCqEk2rQspQ/ TbewkG2jF7TRvDZbRje8Z2eA2HLW3ClrlIFBcyv/0NqrFH9CJCR2g2Mu a77etVdrgUE=
257 3 8 AwEAAbtbsu+wl3fbEDbgvMgJ1BDXeAk5t6BU7B1KGVvc13zMJtjvarxp WWrAb7fmWERX8kJawa3KpYty0EDFQ24nfQyhwEOld442ca89u4/ZU3jP uwKohbGn55vIQ7KjCIrDNvRYjGVn2MNwZnL4WVVclJYsa1cGwVQ9t575 I5yvU+5g+jVcjUsGwFn6xmuJC0Z33ABKsC8b1cjfcnvE4wP3CrXOlDQ+ Er4uPUtMKrmG+Sj1Bm5U+do78mwEXOlTz/sNj8tkpL0pYB2j+XNaDVrO 0uS1beekejnttMsC4SHMCsiwMvigW2O54ByhzijU2v87d7U9WEMVfPvO 6gearg1fo/1Tk4buzPZcS+W9WZgFAt7kT1ois3x0GGT7J55zENB9IZU4 tMmWdYbZJOZsdAzmshuWJIUlTZdNN5671Rhc6P9TWnMlvb9iNT7G3DZ9 PhBw1OF/OmmXobv3Wygbt5+u7q2CPPzwU4WTGpVNtr3Iry2SPW3XVpJS M3+nW7LfxxtWZJlN4MDQYC5IptU+A5EO80/yE38E9tKGDWC1+Nw59QLa BE7ff+Jkq7OMjTHjFhYivkJSv+8LEbkGjWoaMAS2CT3/ZVMYLiQn8THi ZUBF+aOzJMw0EGPag1Qq4vfGgFkQMM3hOaH6bWN1yCvmspuiwLYkNCZZ /l8ThKc57bGYy9TX

2. Add dnssec-validation yes; to /etc/bind/named.conf.options, replacing dnssec-validation auto; if it already exists: 

options {
        directory "/var/cache/bind";
        dnssec-validation yes;
        notify yes;
        recursion yes;
        allow-query { any; };
        allow-transfer { any; };
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

3. Add the line include “/etc/bind/named.conf.keys”; to /etc/bind/named.conf above all other include lines. Your final named.conf file should look something like this: 

include "/etc/bind/named.conf.keys";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.opennic";

4. Restart BIND: systemctl restart bind9

PowerDNS Recursor

Create /etc/powerdns/config.lua with the following content:

config.lua
addDS('.', "60820 8 2 A01E33C8E95712E555FA9E6C09921830F3A518E36C5998F4ADBF5570AA86B538")

Add the following lines to /etc/powerdns/recursor.conf: 

lua-config-file=/etc/powerdns/config.lua
dnssec=log-fail

Note that this will validate correctly, but will only log bogus domains instead of returning SERVFAIL. This is fine in the DNSSEC testing period, but for full DNSSEC compliance, dnssec should be changed from log-fail to validate.

Restart PowerDNS: systemctl restart pdns-recursor

dnsmasq

Add the following lines to your dnsmasq.conf file: 

dnssec
trust-anchor=.,60820,8,2,A01E33C8E95712E555FA9E6C09921830F3A518E36C5998F4ADBF5570AA86B538

Unbound

1. Generate the /etc/unbound/opennic.dnskey file: 

dig @195.201.99.61 . DNSKEY | dnssec-dsfromkey -2 -f - . > /etc/unbound/opennic.dnskey

2. Edit /etc/unbound/unbound.conf and set the attribute auto-trust-anchor-file with the opennic.dnskey file: 

auto-trust-anchor-file: "opennic.dnskey"

3. Restart Unbound: systemctl restart unbound

Testing DNSSEC

Queries to a DNSSEC validating server with the DO flag set should return an answer with the ad (Authenticated Data) flag set in the header: 

root@korridor:~# dig pir.org +dnssec +multi @46.102.156.180

; <<>> DiG 9.20.21-1~deb13u1-Debian <<>> pir.org +dnssec +multi @46.102.156.180
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22885
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
; COOKIE: 641abe6c795889030100000069f2434e9c48eb04cf870e99 (good)
;; QUESTION SECTION:
;pir.org.		IN A

;; ANSWER SECTION:
pir.org.		299 IN A 141.193.213.20
pir.org.		299 IN A 141.193.213.21
pir.org.		299 IN RRSIG A 5 2 300 (
				20260512204001 20260428204001 42621 pir.org.
				FnApY4+UtOcd3InElCd8W9+q8koa8vw5qt68ZETv+EcN
				ZnTzUm2qW+9AqE7R0YfS2ZBs9c9fn65CuFsRr+ynEyI/
				OyekiTuLZhmgZjLR5bSlUi1dGPA0G1EUdBrZvaxJGb3z
				UYcjWXGoi6zhX7vqzuFwJ0VN7B0aYhQnyvU+0v8= )

;; Query time: 735 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Wed Apr 29 19:43:42 CEST 2026
;; MSG SIZE  rcvd: 263

On these servers, attempting to resolve a domain with broken DNSSEC validation should return a SERVFAIL, without any DNS data: 

root@korridor:~# dig dnssec-failed.org +dnssec +multi @46.102.156.180

; <<>> DiG 9.20.21-1~deb13u1-Debian <<>> dnssec-failed.org +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36673
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
; COOKIE: dd4e47674a1c21f40100000069f24389ffb0f254c877cb94 (good)
;; QUESTION SECTION:
;dnssec-failed.org.	IN A

;; Query time: 1555 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Wed Apr 29 19:44:41 CEST 2026
;; MSG SIZE  rcvd: 74

And finally, requesting a domain with no DNSSEC data should just return a normal response, with no ad flag: 

root@korridor:~# dig google.com +dnssec +multi @46.102.156.180

; <<>> DiG 9.20.21-1~deb13u1-Debian <<>> google.com +dnssec +multi @46.102.156.180
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15620
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 19b6c445faa8b2370100000069f2442a56ff0168fadfb041 (good)
;; QUESTION SECTION:
;google.com.		IN A

;; ANSWER SECTION:
google.com.		285 IN A 142.251.38.142

;; Query time: 3 msec
;; SERVER: 46.102.156.180#53(46.102.156.180) (UDP)
;; WHEN: Wed Apr 29 19:47:22 CEST 2026
;; MSG SIZE  rcvd: 83
  • /wiki/data/pages/opennic/dnssec.txt
  • Last modified: 5 days ago
  • by joestr1