- The root zone is now signed! It's time to install the trust anchor on your recursive name servers. Getting it is more fiddly than it should be, since BIND does not recognize the format of the trust anchor as it is published by IANA.
- Get the root DNSKEY RR set which is roughly what BIND requires for trust anchors.
$ dig +multi +noall +answer DNSKEY . >root-dnskey
The resulting file contains two keys, a short-lived zone-signing key (flags = 256) and the key-signing key (flags = 257) which is the one we care about.
. 86400 IN DNSKEY 256 3 8 (
) ; key id = 41248
. 86400 IN DNSKEY 257 3 8 (
) ; key id = 19036
- Turn the DNSKEY into a DS RR set. The dnssec-dsfromkey program ignores the ZSK and only emits DS RRs for the KSK.
$ dnssec-dsfromkey -f root-dnskey . >root-ds
It emits two RRs, one using SHA-1 and one using SHA-256.
. IN DS 19036 8 1 B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
- Fetch https://data.iana.org/root-anchors/root-anchors.xml which contains a copy of the SHA-256 DS record in XML format.
<?xml version="1.0" encoding="UTF-8"?>
<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
- You can also fetch https://data.iana.org/root-anchors/root-anchors.asc and use it to verify the XML trust anchor using PGP.
- Verify that the XML trust anchor matches the DS record you generated from the DNSKEY record.
- Reformat the DNSKEY record into a BIND managed-keys clause. This tells BIND to automatically update the trust anchor according to RFC 5011.
"." initial-key 257 3 8 "
- Add the managed-keys clause to your named.conf
- In the options section of named.conf you should have the directive
This enables DNSSEC lookaside validation, which is necessary to bridge gaps (such as ac.uk) in the chain of trust between the root and lower-level signed zones (such as cam.ac.uk). BIND comes with a DLV trust anchor built in, which it will also update according to RFC 5011.
- $ rndc reconfig
- Check that DNSSEC validation is working. Verify that the "ad" (authenticated data) flag is present in the output of these commands:
$ dig +dnssec www.nic.cat.
$ dig +dnssec www.cam.ac.uk.
The first of these is validated using a chain of trust from the root - DNSSEC as it is ideally intended to work. The second relies on the DLV stop-gap.
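The steps above hand the DNSKEY to dnssec-dsfromkey and then eyeball the result against the IANA XML. The following Python script, added here as an illustration rather than anything from the post or from BIND, does the same conversions in the open so you can see what is being compared: it parses a DNSKEY RR in dig +multi format, computes the key tag (RFC 4034 Appendix B), derives the SHA-1 and SHA-256 DS digests (RFC 4034 section 5.1.4, RFC 4509), checks them against the KeyDigest entries of a root-anchors.xml style file, and prints the managed-keys clause. The key material is a tiny constructed stand-in, not the real root KSK, so the digests it prints are not the ones shown above; the XML element names (KeyTag, Algorithm, DigestType, Digest) are assumed to follow the layout of the published IANA file, and all function names are this example's own.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample records in the layout dig +multi prints. The key bytes
# (01 02 03 04) are a placeholder, NOT the real root key.
SAMPLE_KSK = """. 86400 IN DNSKEY 257 3 8 (
        AQIDBA==
        ) ; key id = 2063"""
SAMPLE_ZSK = ". 86400 IN DNSKEY 256 3 8 AQIDBA=="


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    name = name.rstrip(".").lower()
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if name)
    return wire + b"\x00"


def parse_dnskey(text):
    """Parse one DNSKEY RR (single line or dig +multi); returns (owner, flags, proto, alg, pubkey)."""
    flat = " ".join(re.sub(r";.*", "", line) for line in text.splitlines())  # drop comments
    tokens = flat.replace("(", " ").replace(")", " ").split()               # drop +multi parens
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    return tokens[0], flags, proto, alg, pubkey


def dnskey_rdata(flags, proto, alg, pubkey):
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(flags, proto, alg, pubkey):
    """Key tag per RFC 4034 Appendix B; this is the 'key id' dig prints."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, proto, alg, pubkey)):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, flags, proto, alg, pubkey, digest_type):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), upper-case hex."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + dnskey_rdata(flags, proto, alg, pubkey))
    return h.hexdigest().upper()


def ds_records(dnskey_text):
    """DS RRs as dnssec-dsfromkey would emit them: only for the KSK (flags 257), ZSKs give none."""
    owner, flags, proto, alg, pub = parse_dnskey(dnskey_text)
    if flags != 257:
        return []
    tag = key_tag(flags, proto, alg, pub)
    return [f"{owner} IN DS {tag} {alg} {dt} {ds_digest(owner, flags, proto, alg, pub, dt)}"
            for dt in sorted(DIGEST_ALGS)]


def anchor_matches(xml_text, dnskey_text):
    """True if some KeyDigest in the XML agrees with the tag, algorithm and digest of this DNSKEY."""
    owner, flags, proto, alg, pub = parse_dnskey(dnskey_text)
    tag = key_tag(flags, proto, alg, pub)
    for kd in ET.fromstring(xml_text).iter("KeyDigest"):
        if int(kd.findtext("KeyTag")) != tag or int(kd.findtext("Algorithm")) != alg:
            continue
        want = kd.findtext("Digest").strip().upper()
        if ds_digest(owner, flags, proto, alg, pub, int(kd.findtext("DigestType"))) == want:
            return True
    return False


def managed_keys_clause(dnskey_text):
    """BIND managed-keys clause (RFC 5011 initial-key) built from the KSK record."""
    owner, flags, proto, alg, pub = parse_dnskey(dnskey_text)
    b64 = base64.b64encode(pub).decode("ascii")
    return f'managed-keys {{\n    "{owner}" initial-key {flags} {proto} {alg} "{b64}";\n}};\n'


def sample_anchor_xml(digest_hex):
    """Constructed stand-in for root-anchors.xml; element layout assumed to match IANA's file."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="constructed" source="constructed">
<Zone>.</Zone>
<KeyDigest id="constructed" validFrom="2010-07-15T00:00:00+00:00">
<KeyTag>2063</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>{digest_hex}</Digest>
</KeyDigest>
</TrustAnchor>"""


if __name__ == "__main__":
    for rr in ds_records(SAMPLE_KSK):
        print(rr)
    sha256_ds = ds_records(SAMPLE_KSK)[1].split()[-1]
    print("XML anchor matches DNSKEY:", anchor_matches(sample_anchor_xml(sha256_ds), SAMPLE_KSK))
    print(managed_keys_clause(SAMPLE_KSK), end="")
```

Feed it the real root-dnskey file and the downloaded root-anchors.xml instead of the constructed samples and the SHA-256 digest it computes for key 19036 should be the 49AAC11D... value shown above; any discrepancy means the DNSKEY you fetched and the anchor IANA published do not describe the same key.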
Edited to add:
IANA have a tool written in Python called anchors2keys which does most of this automatically (er, for the ITAR not the root anchor). Jakob Schlyter has a Perl program called ta-tool which does a similar job. So does Bjørn Mork, who called his rootanchor2keys.pl. Stephane Bortzmeyer has a Makefile and XSLT script which also does the job.