dnssec-tools and bind authoritative name server in Fedora

Some time ago, I wrote a post about using dnssec-tools for managing an authoritative name server in CentOS, now I’m going to extend it to cover their usage in a Fedora system.

First of all, I’m going to use the latest versions which currently is not in the repositories. Download the source rpm, recompile and install the rpms:
$ mock -r fedora-19-x86_64 dnssec-tools-2.0-1.fc18.src.rpm
# yum install /var/lib/mock/fedora-19-x86_64/result/*rpm

The configuration of bind as authoritative name server /etc/named.conf:

acl dns-slaves {;

acl trusted {

options {
  listen-on port 53 { any; };
  listen-on-v6 port 53 { any; };
  directory       "/var/named";
  dump-file       "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  allow-query     { any; };
  allow-query-cache { trusted; };
  allow-recursion { trusted; };
  allow-transfer { dns-slaves; };

  hostname "ns1.example.com";

  dnssec-enable yes;
  dnssec-validation yes;
  dnssec-lookaside auto;

  /* Path to ISC DLV key */
  bindkeys-file "/etc/named.iscdlv.key";

  managed-keys-directory "/var/named/dynamic";

  pid-file "/run/named/named.pid";

logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  channel null {
  channel default_syslog {
    syslog daemon;
    severity info;
  category queries { "default_syslog"; };
  category default { "default_syslog"; };
  category lame-servers { "default_syslog"; };

zone "." IN {
  type hint;
  file "named.ca";

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "example.com" IN {
  type master;
  file "masters/example.com.zone";

And this is my configuration of /etc/dnssec-tools/dnssec-tools.conf. Note that I have changed the random device to /dev/random, so it can take a while to generate the keys:

# DNSSEC-Tools Configuration

# Settings for DNSSEC-Tools administration.
admin-email     hostmaster@example.com
mailer-type     smtp
mailer-server   localhost

# Paths to needed programs.  These may need adjusting for individual hosts.
genkrf          /usr/bin/genkrf
keyarch         /usr/bin/keyarch
rollchk         /usr/bin/rollchk
rollctl         /usr/bin/rollctl
zonesigner      /usr/bin/zonesigner

keygen          /usr/sbin/dnssec-keygen
rndc            /usr/sbin/rndc
zonecheck       /usr/sbin/named-checkzone
zonesign        /usr/sbin/dnssec-signzone

zonecheck-opts  -i local

# The name of the Perl module that will be used to parse zone files.
# Net::DNS::ZoneFile::Fast is the default and isn't required to be set.
# zonefile-parser       Net::DNS::ZoneFile::Fast

# Settings for dnssec-keygen.
algorithm       rsasha256
ksklength       2048
zsklength       1024
random          /dev/random

; Settings for dnssec-signzone.
endtime         +2592000                # RRSIGs good for thirty days.

# Life-times for keys.  These defaults indicate how long a key has
# between roll-overs.  The values are measured in seconds.
# Sample values:
#       3600            1 hour
#       86400           1 day
#       604800          1 week
#       2592000         30-day month
#       7884000         13 weeks, 6 hours
#       15768000        1 half-year
#       31536000        1 year
#       94608000        3 years, 3 days
ksklife         31536000
zsklife         7884000
lifespan-max    94608000
lifespan-min    3600

# Settings that will be noticed by zonesigner.
# default_keyrec        output.krf
archivedir      /var/lib/dnssec-tools/KEY-SAFE
entropy_msg     1
savekeys        1
kskcount        1
zskcount        1

# To fix a problem with NSEC3
# https://bugs.launchpad.net/ubuntu/+source/dnssec-tools/+bug/1215093
zonesign-opts -u -O full

# Settings for rollover-manager.
autosign        1
roll_loadzone   1
roll_logfile    /var/log/dnssec-tools/log-rollerd
roll_loglevel   info
roll_phasemsg   long
roll_sleeptime  60
# roll_username some_user
zone_errors     3

log_tz          local

# GUI-usage flag.
usegui          0

I’m going to use the directory /var/lib/dnssec-tools to store the keys. To generate the keys and sign our zone we use the zonesigner command:

# mkdir /var/lib/dnssec-tools
# chmod 0700 /var/lib/dnssec-tools
# cd /var/lib/dnssec-tools
# /usr/bin/zonesigner -verbose -genkeys -dtconfig /etc/dnssec-tools/dnssec-tools.conf  -usensec3 -szopts "-u -O full" -zone example.com /var/named/masters/example.com.zone

This will generate a example.com.zone.signed file, with the signed data of your zone. You have to point named to load that zone:

zone "example.com" IN {
  type master;
  file "masters/example.com.zone.signed";

and reload (note that zonesigner increases the SOA serial automatically):
# rndc reload

It’s very important to set the DS record in your registrar, you can get it from /var/lib/dnssec-tools/dsset-example.com.

Now our signed zone is fully functional, but to ease the management there are some handy tools in the dnssec-tools package which automates the key management process:

Rollerd is responsible of the key rollover process when the keys are about to expire, and donutsd periodically checks the zone for errors. To launch them, I have created these systemd unit files:


Description=Rollerd daemon
After=network.target named.service

ExecStart=/usr/bin/rollerd -rrfile /etc/dnssec-tools/all.rollrec -zsargs "=usensec3 =szopts '-u -O full'"



Description=Donutsd daemon
After=network.target named.service

ExecStart=/usr/bin/donutsd -a "-v --level=8 -features=live,nsec_check --rules=/usr/share/dnssec-tools/donuts/rules/*.txt" -f hostmaster@example.com -e my_mail@example.com -i /etc/dnssec-tools/checkzones.txt -z 3600 -v


To create the configuration of rollerd:

# rollinit -directory /var/lib/dnssec-tools -zonefile /var/named/masters/example.com.zone.signed -keyrec ./example.com.krf -admin hostmaster@example.com example.com >> /etc/dnssec-tools/all.rollrec

And for the list of domains donutsd has to check, create the file /etc/dnssec-tools/checkzones.txt:

/var/named/masters/example.com.zone.signed     example.com    hostmaster@example.com

Reload the systemd config and start the services:

# systemctl daemon-reload --system
# systemctl enable rollerd.service donutsd.service
# systemctl start rollerd.service donutsd.service

When you want to modify the zone file, make your changes to the unsigned zone file /var/named/masters/example.com.zone and then run a script like this:

cd /var/lib/dnssec-tools
/usr/bin/zonesigner -rollmgr rollerd -dtconfig /etc/dnssec-tools/dnssec-tools.conf  -usensec3 -szopts "-u -O full"  -zone example.com -krf ./example.com.krf -signonly /var/named/masters/example.com.zone /var/named/masters/example.com.zone.signed
/usr/sbin/rndc reload

To manually check the correctness of the zone, here is another script to launch donuts:

/usr/bin/donuts -v -v --level=8 -features=live,nsec_check --rules=/usr/share/dnssec-tools/donuts/rules/*.txt  /var/named/masters/example.com.zone.signed example.com

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s