How to Sign a Zone

Author: DM47
2/2/2009 11:23:09 AM

The following steps are taken from tips from the .pr and .gov TLDs. There really
isn't much to the initial signing of the zone. There are some considerations and
consequences to make sure you are aware of:

  • The signing with any software prior to Bind 9.6.0 will open your domain up
    for enumeration. (e.g. will now be visible by NXDOMAIN records
    if it was a hidden server prior to DNSSEC zone signing)
  • The upgrade to Bind 9.6.0 does not automatically enable NSEC3 which hashes
    the child names and protects them from enumeration
  • Many organizations want all children enumerable/walkable by google, msn,
    yahoo, etc. so they do not want to sign using NSEC3
  • The salt used when signing NSEC3 should change every time you sign the zone
  • Using the -A option when signing with NSEC3 does not protect against negative
    existence validation, which is a way to validate the domain name does not exist
  • Basic signing steps are to generate keys, sign zone, and upload DSSET file
    generated to the parent domain administration server
  • Your zone should be resigned at least every 90 days and whenever the zone
  • You should upload the auto-generated DSSETs when the contents change to
    the parent domain administration server after zone signing. You can use this
    simple NSEC3 zone signing shell script to know when to upload:

    cp last-dsset.txt old-dsset.txt
    mv last-dsset.txt
    dnssec-signzone -a -N increment -H 10 -3 aaaa \
    -k \
    diff last-dsset.txt

    If there is a difference in the dsset file, then it will need to be uploaded to the
    parent zone administration system. Some administration systems (like .gov)
    will use the initial key uploaded to automate this task for its children. There
    are products available to manage this for any sized organization or name service.
    Be sure to publish the old and new KSK when rolling keys and double sign the
    zone with both keys for the full TTL period to allow for a graceful retirement of
    keys within your zones.

    To sign with Bind 9.6.0 and NSEC or NSEC3, use the following instructions.
    Remember, you must substitute your domain name for the '':

    To sign using NSEC only, follow the Option B steps in the above instructions.

    After zone signing, restarting your named service and uploading the public
    KSK to the parent, you can test the key validation here at the dnssecreport
    web site at:
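    The post's script decides whether a new dsset has to go to the parent by
    diffing the file that dnssec-signzone wrote. The following is an added
    example (not part of the post and not BIND's own code) of the same check
    done independently of the tool: it computes the DS records for a KSK
    straight from its DNSKEY record (key tag per RFC 4034 Appendix B, digest
    per RFC 4034 5.1.4) and compares them with the previously uploaded dsset.
    The DNSKEY record and the "old" dsset contents are constructed sample data;
    the zone name example.com is assumed.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Owner name in canonical DNS wire format (lower-case labels, RFC 4034 6.2)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += struct.pack("B", len(label)) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY record; TTL and class are optional."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(fields[idx + 1]),
                                  int(fields[idx + 2]),
                                  int(fields[idx + 3]))
    key = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, protocol, algorithm, key


def dnskey_rdata(flags, protocol, algorithm, key):
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-algorithm-1 case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(dnskey_line):
    """DS lines (SHA-1 and SHA-256) for one DNSKEY, in dsset file layout."""
    owner, flags, protocol, algorithm, key = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    tag = key_tag(rdata)
    data = name_to_wire(owner) + rdata  # digest input: owner name || RDATA
    lines = []
    for digest_type, hasher in ((1, hashlib.sha1), (2, hashlib.sha256)):
        digest = hasher(data).hexdigest().upper()
        lines.append(f"{owner} IN DS {tag} {algorithm} {digest_type} {digest}")
    return lines


def ds_tuple(line):
    """Normalize a DS line to (tag, algorithm, digest type, digest) for comparison."""
    f = line.split()
    i = f.index("DS")
    return (int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper())


def upload_needed(old_dsset_text, new_ds_lines):
    """True on first signing or whenever the DS set differs from the last upload."""
    old = {ds_tuple(ln) for ln in old_dsset_text.splitlines() if " DS " in ln}
    new = {ds_tuple(ln) for ln in new_ds_lines}
    return not old or old != new


# Constructed sample KSK (flags 257 = SEP bit set, algorithm 7 = NSEC3RSASHA1).
# The key material is a placeholder, not a real RSA key.
SAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 7 AQIDBA=="

if __name__ == "__main__":
    current = ds_records(SAMPLE_KSK)
    print("\n".join(current))
    print("upload needed (first signing):", upload_needed("", current))
    print("upload needed (unchanged):", upload_needed("\n".join(current), current))
```

    Running the script prints the two DS lines that should appear in the
    dsset file for that key; if they differ from what the parent already holds,
    upload_needed returns True.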

  • 2/2/2009 3:55:12 PM

    You now have signed one zone file and may be looking
    for ways to manage the many zones that you currently manage.

    You would like to protect the private keys, keep the dssets up to
    date, and resign the zones with as much automation as possible.
    There are products you can purchase to perform these tasks.
    However, you may want to try this manual process until you
    understand what may need to be automated for your organization.

    Step #1: Download the tools

    We recommend signing the zones offline on a computer that
    has the ability to burn a CDR or write to a USB memory stick to
    backup and preserve the zones and keys.

    Download the latest BIND keygen and zone signing tools for
    Windows here:

    Open and unzip these tools into /Windows/System32

    Step #2: Create Zone folders

    Let's say you have 6 zones that you wish to sign and maintain.
    We recommend you create a folder to store all your zones, keys, and
    scripts for fictitious zones named,,,,
    and vanity2 in the same TLDs:


    Each of the remaining steps will need to be repeated for every zone in your

    Step #3: Copy zone files from Master DNS

    Copy the vanity zone files from the Master DNS. You may wish to use
    encrypted zip files, email and/or scp to move files between the Master
    and the signing computer. After the copy is complete, disconnect this
    signing computer from the network.

    Step #4: Create KSK and ZSK keys

    Use the downloaded tools in Step #1 to generate the keys in a 'cmd'

    NSEC3 (more secure)

    dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 2048 -n ZONE
    dnssec-keygen -a NSEC3RSASHA1 -b 2048 -e -n ZONE
    dnssec-keygen -a NSEC3RSASHA1 -b 2048 -e -n ZONE

    Alternate signing: NSEC (allows zone enumeration)

    dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE
    dnssec-keygen -a RSASHA1 -b 2048 -e -n ZONE
    dnssec-keygen -a RSASHA1 -b 2048 -e -n ZONE

    Notice: These commands may take up to 1 hour each. You may
    want to script these jobs in a bat file for all your zones and allow to run

    Step #5: Update zone files

    Before you sign the zones, the keys will need to be incorporated
    into the zone files.

    Use the following procedure:

    Repeat for every zone in your zone folder

    Step #6: Sign the zones

    Use either the NSEC or NSEC3 signzone procedure to sign each zone.
    Below is a sample script to be used to compare dssets and determine
    the need to upload to parent zone administrator after the signing.
    We recommend this script be created in each zone folder and
    tailored to the domain name.

    NSEC3 (more secure)

    cp last-dsset.txt old-dsset.txt
    mv last-dsset.txt
    dnssec-signzone -a -H 10 -3 aaaa \
    -k \
    diff last-dsset.txt

    Alternate signing, NSEC (allows zone enumeration)

    cp last-dsset.txt old-dsset.txt
    mv last-dsset.txt
    dnssec-signzone -a \
    -k \
    diff last-dsset.txt

    Check the diff results of the dsset files. If they have changed
    or if this is the first signing, follow the published procedures
    to upload the dssets and keysets to the parent zone

    Continue on to Step #7, here:

    2/2/2009 4:25:34 PM

    This is a continuation from How to Sign Multiple Domains, Part I

    Step #7: Backup MyZoneFolder and delete private keys

    Now that we have generated keys and signed the zones, it is
    time to burn the MyZoneFolder to a CD or copy to USB Memory and lock
    these files up in a file cabinet. Develop a disaster plan to manage
    zone signing and key rolling in the event something happens to
    the primary system administrator. Next, delete all of the private
    keys (3 each folder) from the signing computer prior to connecting
    to the internet for transfer. This will ensure that no one will have
    the private key and the ability to create a signed zone file that would be
    validated using your public keys.

    Step #8: Transfer public keys and signed zones to Master DNS

    Now that the zone is signed, you may upload the vanity*.*.signed
    files to the Master DNS using scp, pgp or some other means to
    secure the files during transfer. Be sure to update the named.conf file
    on the Master DNS to the following:

    zone "" {
    type master;
    file "";

    options {
    dnssec-enable yes;

    Be sure to repeat these changes for all zones you are signing
    and restart the name service when changes are finished.

    Step #9: Transfer DSSETs to parent zone administration server

    If this is the initial signing, you will need to upload the dssets
    and/or keyset files generated during the signing process to the
    parent zone administrator to include during the parent signing
    process. If the parent is not signed, then you will want to inform a DLV
    of the signing and update your recursive name servers to use the
    DLV to validate DNS queries.

    See the following article:

    Step #9: Test your keys and DSSETs

    You may test your DNSSEC signing at any stage in the process

    Step #10: Resign your zone

    At least monthly or whenever a zone changes, you will need to
    restore the MyZoneFolder saved onto CD or USB Memory stick and
    repeat Steps #4 to #9. Remember to disconnect your computer
    during the restore process and prior to reconnecting to upload
    the vanity*.*.signed files and DSSET and KEYSET files to the
    parent zone (if there are changes).

    You now have developed a simple, repeatable, zone signing procedure for
    resigning all of your zones that could withstand the scrutiny of a security audit.
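    Two of the rules above (resign before signatures run out, and keep both
    KSKs signing the zone for the full TTL while rolling) can be checked from
    the RRSIG records in the vanity*.*.signed file before it is copied to the
    Master DNS. The following is an added example, not part of the post and
    not a BIND tool: it reads the RRSIG lines of a signed zone, reports when
    the earliest signature expiry is close enough that the zone must be
    resigned, and confirms that the DNSKEY RRset carries signatures from both
    the old and the new KSK. The zone excerpt and the key tags (2062, 31337,
    4711) are constructed sample data; the 7-day lead time is an assumed
    operational choice.

```python
from datetime import datetime, timedelta, timezone


def parse_rrsig(line):
    """Parse a presentation-format RRSIG (RFC 4034 3.2 field order)."""
    f = line.split()
    i = f.index("RRSIG")
    as_utc = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {
        "owner": f[0],
        "type_covered": f[i + 1],
        "algorithm": int(f[i + 2]),
        "labels": int(f[i + 3]),
        "original_ttl": int(f[i + 4]),
        "expiration": as_utc(f[i + 5]),
        "inception": as_utc(f[i + 6]),
        "key_tag": int(f[i + 7]),
        "signer": f[i + 8],
    }


def rrsigs_in_zone(zone_text):
    """All RRSIG records found in a signed zone file's text."""
    return [parse_rrsig(ln) for ln in zone_text.splitlines() if " RRSIG " in ln]


def earliest_expiration(sigs):
    """The first signature to expire decides when the whole zone must be resigned."""
    return min(s["expiration"] for s in sigs)


def resign_due(sigs, now, lead_days=7):
    """True when some signature expires within lead_days of now (assumed lead time)."""
    return earliest_expiration(sigs) - now <= timedelta(days=lead_days)


def dnskey_signers(sigs):
    """Key tags whose signatures cover the DNSKEY RRset (the KSKs in use)."""
    return {s["key_tag"] for s in sigs if s["type_covered"] == "DNSKEY"}


def rollover_double_signed(sigs, old_ksk_tag, new_ksk_tag):
    """During a KSK roll both the retiring and the new KSK must sign DNSKEY."""
    return {old_ksk_tag, new_ksk_tag} <= dnskey_signers(sigs)


# Constructed excerpt of a signed zone: signed 2009-02-03, expiring 2009-03-05.
# Signature fields are placeholder base64, not real signatures.
SAMPLE_SIGNED_ZONE = """\
example.com. 3600 IN RRSIG DNSKEY 7 2 3600 20090305112309 20090203112309 2062 example.com. c2lnMQ==
example.com. 3600 IN RRSIG DNSKEY 7 2 3600 20090305112309 20090203112309 31337 example.com. c2lnMg==
example.com. 3600 IN RRSIG SOA 7 2 3600 20090305112309 20090203112309 4711 example.com. c2lnMw==
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 7 3 3600 20090305112309 20090203112309 4711 example.com. c2lnNA==
"""

if __name__ == "__main__":
    sigs = rrsigs_in_zone(SAMPLE_SIGNED_ZONE)
    today = datetime(2009, 3, 1, tzinfo=timezone.utc)  # constructed "now"
    print("earliest expiry:", earliest_expiration(sigs).isoformat())
    print("resign due:", resign_due(sigs, today))
    print("DNSKEY signed by tags:", sorted(dnskey_signers(sigs)))
    print("old+new KSK both signing:", rollover_double_signed(sigs, 2062, 31337))
```

    Run against a real vanity*.*.signed file, resign_due tells you whether the
    restore-and-resign cycle of Step #10 is overdue, and rollover_double_signed
    confirms the double-signed state the first post asks for before the old
    KSK is retired.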