Configure BIND 9

4min
This section explains how to configure BIND 9 to integrate with  for storing keys used in signing zone files. Before proceeding, ensure that BIND 9 is installed and configured according to your specific requirements.
Generate a key
To generate the keys, use pkcs11-tool from OpenSC. The package is called opensc on both DEB-based and RPM-based distributions.
1
Install the opensc package.
On DEB-based distributions use:
On RPM-based distributions use:
2
Generate two RSA keys in  using pkcs11-tool: the Key Signing Key (KSK) and the Zone Signing Key (ZSK). The commands prompt for the user PIN. Enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
Each key must have a unique label because that label will be used to reference the private key.
Shell
sudo pkcs11-tool --module /usr/local/bin/fxpkcs11/libfxpkcs11.so --login --keypairgen --key-type rsa:2048 --label "example.com-ksk"

sudo pkcs11-tool --module /usr/local/bin/fxpkcs11/libfxpkcs11.so --login --keypairgen --key-type rsa:1024 --label "example.com-zsk"
sudo pkcs11-tool --module /usr/local/bin/fxpkcs11/libfxpkcs11.so --login --keypairgen --key-type rsa:2048 --label "example.com-ksk"

sudo pkcs11-tool --module /usr/local/bin/fxpkcs11/libfxpkcs11.so --login --keypairgen --key-type rsa:1024 --label "example.com-zsk"
﻿
The command output should look similar to the following:
Shell
Key pair generated:
Private Key Object; RSA 
  label:      example.com-ksk
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      example.com-ksk
  Usage:      encrypt, verify, wrap
Key pair generated:
Private Key Object; RSA 
  label:      example.com-ksk
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      example.com-ksk
  Usage:      encrypt, verify, wrap
﻿
3
Convert the RSA keys stored in  into a format that BIND 9 understands by using the dnssec-keyfromlabel tool from BIND 9, which links the raw keys stored in  with K<zone>+<alg>+<id> files that are generated when the command is run. 
Provide the following elements:
 OpenSSL engine name (pkcs11)
The algorithm (RSASHA256)
The PKCS #11 label that specifies the token (Futurex)
The name of the PKCS #11 object (called label when generating the keys using pkcs11-tool)
The HSM PIN (the  identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file)
The private key file is used for DNSSEC signing of the zone as if it were a conventional key on the file system (that is, one created with dnssec-keygen). The key material is stored in  (and we cannot extract it), and the actual signing takes place on the .
KSK:
Shell
sudo dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=Futurex;object=example.com-ksk;pin-value=identity_password" -f KSK example.com
sudo dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=Futurex;object=example.com-ksk;pin-value=identity_password" -f KSK example.com
﻿
Change the identity_password value to the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
ZSK:
Shell
sudo dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=Futurex;object=example.com-zsk;pin-value=identity_password" example.com
sudo dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=Futurex;object=example.com-zsk;pin-value=identity_password" example.com
﻿
Change the identity_password value to the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
Confirm that you have one KSK and one ZSK present in the current directory:
Shell
ls -l K*
ls -l K*
﻿
The output should look like this (the second number will be different):
Text
Kexample.com.+008+31729.key
Kexample.com.+008+31729.private
Kexample.com.+008+42231.key
Kexample.com.+008+42231.private
Kexample.com.+008+31729.key
Kexample.com.+008+31729.private
Kexample.com.+008+42231.key
Kexample.com.+008+42231.private
﻿
Sign the zone
The zone signing occurs per the regular process, with only one small difference. Again, we need to provide the name of the OpenSSL engine using the -E command line option.
The KSK, ZSK, and zone files must be present in the directory from which you are running the command.
The following command syntax should be used:
Shell
sudo dnssec-signzone -E pkcs11 -S -o <zone name> <zone file>
sudo dnssec-signzone -E pkcs11 -S -o <zone name> <zone file>
﻿
As an example, the command could look like this:
Shell
sudo dnssec-signzone -E pkcs11 -S -o example.com db.example.com
sudo dnssec-signzone -E pkcs11 -S -o example.com db.example.com
﻿
If the command succeeds, the output looks similar to the following:
Text
Fetching KSK 31729/RSASHA256 from key repository.
Fetching ZSK 42231/RSASHA256 from key repository.
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                  ZSKs: 1 active, 0 stand-by, 0 revoked
db.example.com.signed
Fetching KSK 31729/RSASHA256 from key repository.
Fetching ZSK 42231/RSASHA256 from key repository.
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                  ZSKs: 1 active, 0 stand-by, 0 revoked
db.example.com.signed
﻿
﻿
Updated 10 Dec 2024
Did this page help you?
Install and configure OpenSSL Engine
Firewall