Nsd /

Configuring DNSSEC for NSD

This guide assumes you are providing DNS for your domain through NSD.

First step is to install ldns-utils package by NLnet Labs

# pkg_add ldns-utils

We then need to generate zone signing keys and key signing keys

# mkdir /var/nsd/zsks
# mkdir /var/nsd/ksks
# cd /var/nsd/zsks && ldns-keygen -a ECDSAP384SHA384 domain.com
# cd /var/nsd/ksks && ldns-keygen -k -a ECDSAP384SHA384 domain.com

Sign the zone with the ZSK and KSK and also enabling NSEC3. When generating the keys there will be specific numbers generated as part of the filename including your domain. When running the command ldns-signzone you will need to use the whole filename up to the period (.). See ldns-signzone(1) for more details.

# cd /var/nsd/zones/master
# ldns-signzone -n -o domain.com <zone-file> ../../zsks/Kdomain.comXXX ../../ksks/Kdomain.comXXX

This will generate a new zone file with the extension '.signed'. In this example the file would be called domain.com.signed.

Update nsd.conf to point to the new zone file and restart nsd. Check /var/log/messages for any errors.

At this point the final step is to login to your registrar to update the glue records. This is specific to each registrar. You will need the information in your ksks/*.ds file to copy/paste into the registrar.

Test if DNSSEC is working by typing your domain into https://dnssec-analyzer.verisignlabs.com/