Configure Bind 9

4min
﻿
This section explains how to configure BIND 9 to integrate with the  HSM to store the keys used for zone file signing. Before starting this section, install and configure BIND 9 per your specific requirements.
Perform the tasks in this section to configure Bind 9.
Generate keys
Perform the following steps by using the pkcs11-tool available from the OpenSC suite to generate keys. On both DEB-based and RPM-based distributions, the package is called opensc.
1
Generate the following RSA keys on the  by using pkcs11-tool: The Key Signing Key (KSK) and the Zone Signing Key (ZSK). When prompted for the user PIN, enter the password of the identity configured in the Futurex PKCS #11 file, fxpkcs11.cfg.
Each key must have a unique label because later commands use that label to reference the private key.
Shell
sudo pkcs11-tool --module /usr/local/bin/fxpkcs11/libfxpkcs11.so --login --keypairgen --key-type rsa:2048 --label "example.com-ksk"
sudo pkcs11-tool --module /usr/local/bin/fxpkcs11/libfxpkcs11.so --login --keypairgen --key-type rsa:2048 --label "example.com-ksk"
﻿
Shell
sudo pkcs11-tool --module /usr/local/bin/fxpkcs11/libfxpkcs11.so --login --keypairgen --key-type rsa:1024 --label "example.com-zsk"
sudo pkcs11-tool --module /usr/local/bin/fxpkcs11/libfxpkcs11.so --login --keypairgen --key-type rsa:1024 --label "example.com-zsk"
﻿
The command output should look similar to the following:
Shell
Key pair generated:
Private Key Object; RSA 
  label:      example.com-ksk
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      example.com-ksk
  Usage:      encrypt, verify, wrap
Key pair generated:
Private Key Object; RSA 
  label:      example.com-ksk
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      example.com-ksk
  Usage:      encrypt, verify, wrap
﻿
2
To convert the RSA keys stored in the HSM into a format that BIND 9 understands, use the dnssec-keyfromlabel tool from BIND 9. This process links the raw keys stored in the HSM with K<zone>+<alg>+<id> files that the command generates. 
You need to provide the OpenSSL engine name (pkcs11), the algorithm (RSASHA256), and the PKCS #11 label that specifies the token (such as Futurex), the name of the PKCS #11 object (such as label when generating the keys with pkcs11-tool), and the HSM PIN.
The private key file is used for DNSSEC signing of the zone as if it were a conventional key on the file system (such as one created with dnssec-keygen). The HSM stores the key material (we cannot extract it), and the actual signing takes place on the HSM.
Run the following command to convert a KSK:
Shell
sudo dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=Futurex;object=example.com-ksk;pin-value=safest" -f KSK example.com
sudo dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=Futurex;object=example.com-ksk;pin-value=safest" -f KSK example.com
﻿
Run the following command to convert a ZSK:
Shell
sudo dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=Futurex;object=example.com-zsk;pin-value=safest" example.com
sudo dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=Futurex;object=example.com-zsk;pin-value=safest" example.com
﻿
3
RUn the following command to confirm that you have one KSK and one ZSK present in the current directory:
Shell
ls -l K*
ls -l K*
﻿
The output should look similar to the following output (with different numbers):
Shell
Kexample.com.+008+31729.key
Kexample.com.+008+31729.private
Kexample.com.+008+42231.key
Kexample.com.+008+42231.private
Kexample.com.+008+31729.key
Kexample.com.+008+31729.private
Kexample.com.+008+42231.key
Kexample.com.+008+42231.private
﻿
Sign the zone
The zone signing occurs similarly to the regular process, but we need to provide the name of the OpenSSL engine by using the -E command line option.
The KSK, ZSK, and zone files must be present in the directory from which you run the command.
Use the following command syntax:
Shell
sudo dnssec-signzone -E pkcs11 -S -o <zone name> <zone file>
sudo dnssec-signzone -E pkcs11 -S -o <zone name> <zone file>
﻿
For example, you might use the following command:
Shell
sudo dnssec-signzone -E pkcs11 -S -o example.com db.example.com
sudo dnssec-signzone -E pkcs11 -S -o example.com db.example.com
﻿
If the command succeeds, the output looks similar to the following:
Shell
Fetching KSK 31729/RSASHA256 from key repository.
Fetching ZSK 42231/RSASHA256 from key repository.
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
db.example.com.signed
Fetching KSK 31729/RSASHA256 from key repository.
Fetching ZSK 42231/RSASHA256 from key repository.
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
db.example.com.signed
﻿
Inline signing in Bind
BIND 9.9 introduces a new inline-signing option, which allows named, the name daemon on Linux, to sign zones completely transparently. A server can load or transfer an unsigned zone and create a signed version that answers all queries and transfer requests without altering the original unsigned version. As you update the unsigned zone, named detects the changes you made and applies those changes to the signed version. This enables a seamless transition to DNSSEC with minimal disruption to existing systems.
This integration guide provides a basic example of configuring BIND 9 to integrate with the  HSM for private key storage and signing of zone files. If you want to implement inline signing in BIND, refer to the following Inline Signing article on the ISC knowledgebase website.
Updated 28 Aug 2024
Did this page help you?
Install and configure OpenSSL engine
Firewall