If you are like me you would like to have signed zones for your domains. It's not something you have to do but soon, I think, we all are going to be obliged to sign our zones. Read here: http://blog.icann.org/2014/01/dnssec-surpasses-50/

Anyhow, I visited the ISPconfig roadmap and I really like how the developers of ISPconfig are doing their job. I mean everyone wants something. Me too. So here's something in return, but I do not promise it's worth reading.

How to sign your zones with ISPconfig on Ubuntu 12.04 LTS

::Easy Part::

0. Become root on your system by typing:

Code:
sudo su

1. Enable DNSSEC in /etc/bind/named.conf.options. You can use vi or nano to do this, so:

Code:
vi /etc/bind/named.conf.options

Add these lines inside options:

Code:
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

My named.conf.options looks like this:

Code:
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        // dnssec-validation auto;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

A note on what these do: dnssec-validation controls validation of the answers this server looks up when it recurses for clients; it is not what makes it serve the signed zone (dnssec-enable has defaulted to yes since BIND 9.5). dnssec-lookaside auto turns on DLV through ISC's dlv.isc.org registry, which ISC shut down in 2017, and newer BIND releases have removed or deprecated both dnssec-lookaside and dnssec-enable. So on anything newer than 12.04, only dnssec-validation belongs here.

2. Go to the folder where your zone files are stored. On my system they are in /etc/bind (ISPconfig writes them there as pri.<domain>), so you type:

Code:
cd /etc/bind

3. Install haveged. This little thing speeds up generating keys: dnssec-keygen reads /dev/random, which blocks on a VPS with little entropy. So you type:

Code:
apt-get install haveged

4. Generate a zone signing key, i.e. the ZSK, by typing:

Code:
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com

5. Generate the key signing key, aka the KSK:

Code:
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com

Each command prints the name of the key pair it created, Kexample.com.+007+NNNNN, where 007 is the algorithm number and NNNNN the key tag. NSEC3RSASHA1 (algorithm 7) is RSA with SHA-1, and RFC 8624 says it must not be used for new signing any more: use -a RSASHA256 (algorithm 8, available in 12.04's BIND 9.8) as the minimum today, or -a ECDSAP256SHA256 (algorithm 13, BIND 9.9 and later) for much smaller keys and signatures. Both still work with the NSEC3 signing in step 7.

6. Now you have two key pairs, public and private, for the ZSK and the KSK. The public halves (the .key files) contain the DNSKEY records and have to be pulled into the zone file. Type:

Code:
vi loop.sh

and add this:

Code:
for key in Kexample.com.+*.key
do
    echo "\$INCLUDE $key" >> pri.example.com
done

Now execute loop.sh by typing:

Code:
sh loop.sh

Run it only once: every run appends another pair of $INCLUDE lines. The $INCLUDE paths are relative, which is why the signing in the next step is done from inside /etc/bind.

7. Sign the zone with the dnssec-signzone command:

Code:
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t pri.example.com

-3 builds an NSEC3 chain with the 8-byte random salt produced by the subshell, -N INCREMENT bumps the SOA serial in the output, -o gives the zone origin and -t prints statistics. -A sets the NSEC3 opt-out flag, which only pays off for a large zone full of unsigned delegations; for an ordinary hosting zone you can leave it out.

This will create a signed zone named pri.example.com.signed.

8. Edit the named.conf.local file in the /etc/bind folder, so type:

Code:
vi /etc/bind/named.conf.local

and add these lines to it:

Code:
zone "example.com" {
        type master;
        file "/etc/bind/pri.example.com.signed";
        allow-transfer { 2.2.2.2; };
        allow-update { none; };
};

2.2.2.2 stands for the address of your secondary nameserver. Give file the full path: a bare pri.example.com.signed would be looked up under the directory option from step 1 (/var/cache/bind), not in /etc/bind.

9. Reload bind by typing:

Code:
service bind9 reload

named-checkconf and named-checkzone example.com /etc/bind/pri.example.com.signed will tell you about typos before the reload does.

10. Check the DNSKEY records with this command:

Code:
dig DNSKEY example.com. @localhost +multiline

You must get something like this:

Code:
;; QUESTION SECTION:
;example.com.           IN DNSKEY

;; ANSWER SECTION:
example.com.            86400 IN DNSKEY 256 3 7 (
                                AwEAActPMYurNEyhUgHjPctbLCI1VuSj3xcjI8QFTpdM
                                8k3cYrfwB/WlNKjnnjt98nPmHv6frnuvs2LKIvvGzz++
                                kVwVc8uMLVyLOxVeKhygDurFQpLNNdPumuc2MMRvV9me
                                fPrdKWtEEtOxq6Pce3DW2qRLjyE1n1oEq44gixn6hjgo
                                sG2FzV4fTQdxdYCzlYjsaZwy0Kww4HpIaozGNjoDQVI/
                                f3JtLpE1MYEb9DiUVMjkwVR5yH2UhJwZH6VVvDOZg6u6
                                YPOSUDVvyofCGcICLqUOG+qITYVucyIWgZtHZUb49dpG
                                aJTAdVKlOTbYV9sbmHNuMuGt+1/rc+StsjTPTHU=
                                ) ; key id = 40400
example.com.            86400 IN DNSKEY 257 3 7 (
                                AwEAAa2BE0dAvMs0pe2f+D6HaCyiFSHw47BA82YGs7Sj
                                qSqH3MprNra9/4S0aV6SSqHM3iYZt5NRQNTNTRzkE18e
                                3j9AGV8JA+xbEow74n0eu33phoxq7rOpd/N1GpCrxUsG
                                kK4PDkm+R0hhfufe1ZOSoiZUV7y8OVGFB+cmaVb7sYqB
                                RxeWPi1Z6Fj1/5oKwB6Zqbs7s7pmxl/GcjTvdQkMFtOQ
                                AFGqaaSxVrisjq7H3nUj4hJIJ+SStZ59qfW3rO7+Eqgo
                                1aDYaz+jFHZ+nTc/os4Z51eMWsZPYRnPRJG2EjJmkBrJ
                                huZ9x0qnjEjUPAcUgMVqTo3hkRv0D24I10LAVQLETuw/
                                QOuWMG1VjybzLbXi5YScwcBDAgtEpsQA9o7u6VC00DGh
                                +2+4RmgrQ7mQ5A9MwhglVPaNXKuI6sEGlWripgTwm425
                                JFv2tGHROS55Hxx06A416MtxBpSEaPMYUs6jSIyf9cjB
                                BMV24OjkCxdz29zi+OyUyHwirW51BFSaOQuzaRiOsovM
                                NSEgKWLwzwsQ5cVJBEMw89c2V0sHa4yuI5rr79msRgZT
                                KCD7wa1Hyp7s/r+ylHhjpqrZwViOPU7tAGZ3IkkJ2SMI
                                e/h+FGiwXXhr769EHbVE/PqvdbpcsgsDqFu0K2oqY70u
                                SxnsLB8uVKYlzjG+UIoQzefBluQl
                                ) ; key id = 62910

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 27 18:18:30 2013
;; MSG SIZE  rcvd: 839

256 is the ZSK and 257 the KSK (the one with the secure entry point bit set), 3 is the protocol and 7 the algorithm; the key ids are the key tags from the key file names.

11. When we used the dnssec-signzone command a file named dsset-example.com was created containing the DS records for our domain, which we must enter as DS records in the domain registrar's panel. I used Godaddy to do this. Until the parent publishes the DS the zone is signed but validators treat it as insecure. Once the registrar has published it, dig DS example.com. against a public resolver should return the same key tag and digest as the dsset file, and dig +dnssec example.com. from a validating resolver should come back with the ad flag set.

Important note: every time you change something in the zone file, like adding a subdomain etc., you will have to recreate the signed zone for the domain. Also, make your changes to the unsigned zone, not the signed one. Once you have made the changes you will have to sign the zone ... again. The signatures also have a lifetime (30 days by default for dnssec-signzone), so you have to re-sign on a schedule even when nothing changed, or the zone goes bogus the moment the RRSIGs expire.
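The dsset-example.com file is nothing more than a hash over the KSK's DNSKEY record, so it can be recomputed and compared with what the registrar shows before and after you enter it. What follows is an added example written for this page, not code from the how-to, from ISPconfig or from BIND: it derives the key tag (RFC 4034 Appendix B) and a SHA-256 DS record (RFC 4034 section 5.1.4) from a DNSKEY and compares the result with a published DS line. It is written in Python rather than shell because it is wire-format byte arithmetic. The DNSKEY it uses is a constructed toy key, and example.com stands for your zone; to check your own key, feed it the flags, algorithm and base64 blob from your Kexample.com.+007+NNNNN.key file.

```python
import base64
import hashlib
import struct

# Constructed toy KSK for the demo (assumption, not a real key): flags 257 (KSK/SEP),
# protocol 3, algorithm 8 (RSASHA256), and a 4-byte "public key" AQIDBA== = 01 02 03 04.
TOY_OWNER = "example.com."
TOY_FLAGS, TOY_PROTO, TOY_ALG = 257, 3, 8
TOY_KEY_B64 = "AQIDBA=="

# DS digest types: 1 = SHA-1, 2 = SHA-256 (what dsset files carry today), 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical wire form: lower case, length-prefixed labels, root = 0x00."""
    labels = [] if name in ("", ".") else name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA exactly as it appears on the wire: flags(16) proto(8) alg(8) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5):
    sum the RDATA as big-endian 16-bit words, fold the carry in once, keep 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """Presentation-format DS record. The digest covers owner-name-wire || DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(published, computed):
    """True if two DS lines agree on key tag, algorithm, digest type and digest.
    Tolerates the TTL/class columns, extra whitespace and hex case that a dsset file
    or a registrar panel may add around the digest."""
    def fields(line):
        toks = line.split()
        i = toks.index("DS")
        return tuple(toks[i + 1:i + 4]) + ("".join(toks[i + 4:]).upper(),)
    return fields(published) == fields(computed)


if __name__ == "__main__":
    # For a real check: paste the published DS line from the registrar into ds_matches()
    print(ds_record(TOY_OWNER, TOY_FLAGS, TOY_PROTO, TOY_ALG, TOY_KEY_B64))
```

If the registrar's line does not match, the usual causes are a DS generated from the ZSK instead of the KSK, a digest copied with a character missing, or a key tag from an older key that has since been replaced.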
So in order to save us some time we will create a script:

Code:
vi /usr/sbin/zonesigner.sh

and add these lines to it:

Code:
#!/bin/sh
# usage: zonesigner.sh <zone> <unsigned zone file>
PDIR=`pwd`
ZONEDIR="/etc/bind"   # location of your zone files (this how-to keeps them in /etc/bind)
ZONE="$1"
ZONEFILE="$2"
DNSSERVICE="bind9"    # on CentOS/Fedora replace this with "named"
cd "$ZONEDIR" || exit 1
# named-checkzone prints "loaded serial NNNNNNNNNN"; grab the 10-digit serial from that
SERIAL=`/usr/sbin/named-checkzone "$ZONE" "$ZONEFILE" | egrep -ho '[0-9]{10}'`
if [ -z "$SERIAL" ]; then
        echo "zonesigner.sh: could not read a 10-digit serial from $ZONEFILE" >&2
        exit 1
fi
# bump the serial in the unsigned file, otherwise every signing run would produce
# the same serial; this replaces the first occurrence of that number, so keep the
# serial unique within the file (no matching numbers in comments or TXT records)
sed -i 's/'$SERIAL'/'$(($SERIAL+1))'/' "$ZONEFILE"
# NSEC3 with a fresh random salt; -A (opt-out) can be dropped for a small zone
/usr/sbin/dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o "$ZONE" -t "$ZONEFILE" || exit 1
service "$DNSSERVICE" reload
cd "$PDIR"

Make it executable:

Code:
chmod +x /usr/sbin/zonesigner.sh

So every time you change something in your zone file (again, don't make any changes in the signed zone but in the unsigned one) type this:

Code:
zonesigner.sh example.com pri.example.com

This will recreate the file pri.example.com.signed. A cron entry that runs the same command every week or two also keeps the zone re-signed before the 30-day signatures expire.

Now this one was easy. Now the hard part with ISPconfig.

ISPconfig is not made to handle signed zones, so every time you make changes to a zone it rewrites named.conf.local and points it at the normal, i.e. unsigned, zone file instead of the one we signed. This is normal. It also rewrites named.conf.local when you do Tools --> Resync DNS zones.

I have 5 domains on my VPS but only one is signed, so I copied the pri.example.com file to my home folder. Then I deleted the zone from ISPconfig and put the pri.example.com file back in /etc/bind. Now, among the other zones there, I have two of my own: pri.example.com and pri.example.com.signed.

To keep ISPconfig from overwriting my zone stanza in named.conf.local on a DNS resync, I created a file named.conf.signed and put the zone stanza from step 8 into it (since ISPconfig no longer knows about the zone, nothing it regenerates clashes with this file). Then edit named.conf:

Code:
vi /etc/bind/named.conf

and put this in it:

Code:
include "/etc/bind/named.conf.signed";

Don't forget the trailing semicolon; named-checkconf will tell you if you did, and a broken named.conf stops named from loading its configuration at all.

That's it for now.

Oh yeah, this is not my wisdom. I documented what I did in a txt file. As soon as I find the source for this how-to I will post the link.
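The sed in zonesigner.sh replaces the first 10-digit number it finds in the zone file, which is usually the serial but does not have to be: a date in a comment or a numeric TXT record ahead of the SOA would be changed instead, and the serial would stay put. As an added example, not part of the original how-to or of ISPconfig, here is the same serial bump done by locating the serial token of the SOA record itself, with the common YYYYMMDDnn scheme and the 32-bit wrap of RFC 1982 serial arithmetic. It assumes a standard master file with the SOA as the first record and does not parse quoted strings, so a ';' inside a TXT record before the SOA would confuse it. The zone text inside is constructed for the demo; the file name and the date-based scheme are assumptions about how your zone is written.

```python
import datetime
import re

# Constructed unsigned zone for the demo (assumption). The first line deliberately
# contains a 10-digit number in a comment, which is what a "first 10-digit number"
# sed substitution would change instead of the serial.
SAMPLE_ZONE = """\
; pri.example.com -- last edited 2013112701
$TTL 3600
@       IN      SOA     ns1.example.com. hostmaster.example.com. (
                        2013112701      ; serial
                        7200            ; refresh
                        540             ; retry
                        604800          ; expire
                        86400 )         ; minimum
@       IN      NS      ns1.example.com.
ns1     IN      A       192.0.2.1
"""


def _tokens(text):
    """(token, start, end) triples over the zone text, with ';' comments and the SOA
    parentheses blanked out so that offsets still point into the original text."""
    blanked = re.sub(r";[^\n]*", lambda m: " " * len(m.group(0)), text)
    blanked = re.sub(r"[()]", " ", blanked)
    return [(m.group(0), m.start(), m.end()) for m in re.finditer(r"\S+", blanked)]


def next_serial(current, today_yyyymmdd=None):
    """YYYYMMDDnn scheme: jump to today's 00 when the date has moved on, otherwise a
    plain +1; wraps at 2^32 as RFC 1982 serial arithmetic requires."""
    if today_yyyymmdd is None:
        today_yyyymmdd = int(datetime.date.today().strftime("%Y%m%d"))
    date_base = today_yyyymmdd * 100
    if current < date_base:
        return date_base
    return (current + 1) & 0xFFFFFFFF


def bump_soa_serial(zone_text, today_yyyymmdd=None):
    """Return (new_text, old_serial, new_serial). Only the serial token of the first SOA
    record is replaced; everything else in the file stays byte-for-byte the same."""
    toks = _tokens(zone_text)
    for i, (tok, _, _) in enumerate(toks):
        if tok.upper() == "SOA":
            serial, start, end = toks[i + 3]          # SOA <mname> <rname> <serial> ...
            if not serial.isdigit():
                raise ValueError(f"SOA serial is not a plain number: {serial!r}")
            new = next_serial(int(serial), today_yyyymmdd)
            return zone_text[:start] + str(new) + zone_text[end:], int(serial), new
    raise ValueError("no SOA record found")


if __name__ == "__main__":
    text, old, new = bump_soa_serial(SAMPLE_ZONE)
    print(f"serial {old} -> {new}")
    print(text)
```

To use it in place of the sed line, read the unsigned zone file, write the returned text back, and then run dnssec-signzone exactly as before; the signed copy still gets its own serial from -N increment.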