How to set up DNSSEC on a BIND DNS server


Add the following settings to the /etc/named.conf file.

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;


Move to the directory where your forward and reverse zone files are located, which is /var/named in this example, and create .key and .private files. Replace with the name of the domain you want to secure. This should create the public and private key files, such as and

[root@server1 ~]# cd /var/named/
[root@server1 ~]# dnssec-keygen -a RSASHA1 -b 2048 -n ZONE


Append the public key to the forward zone file. Make sure you use >> and not >, so that you do not overwrite your zone file.

[root@server1 ~]# cat *.key >>


Sign the zone file.

[root@server1 ~]# dnssec-signzone -e +3024000 -N INCREMENT


Restart named.

[root@server1 ~]# service named restart
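
The signing step above passes -e +3024000, which sets signature expiry 3,024,000 seconds (35 days) after the signing start time, so the zone has to be re-signed before then or validating resolvers will stop accepting its answers. The check below is an added example, not part of the original how-to: it reads the RRSIG expiration timestamps from a signed zone file and lists those at or before a cutoff. The zone data, the example.test names, the key tag and SIGNED_ZONE_FILE are constructed placeholders.

```shell
# Added example: list RRSIGs in a signed zone file that expire at or before CUTOFF
# (UTC YYYYMMDDHHMMSS, as in RRSIG records). Prints "<type> <expiry>"; returns 1 on any hit.
rrsig_expiring() {   # usage: rrsig_expiring FILE CUTOFF
    awk -v cutoff="$2" '
        BEGIN { n = -1; hit = 0 }
        {
            sub(/;.*/, "")                               # strip zone-file comments
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (tok == "(" || tok == ")") continue   # multi-line record markers
                if (tok == "RRSIG") { n = 0; continue }  # RDATA fields follow
                if (n < 0) continue
                n++
                if (n == 1) covered = tok                # type the signature covers
                if (n == 5) {                            # 5th RDATA field = expiration
                    # "RRSIG" also occurs in NSEC type bitmaps; only accept a
                    # 14-digit timestamp here so those are not misread.
                    if (length(tok) == 14 && tok ~ /^[0-9]+$/ && tok + 0 <= cutoff + 0) {
                        print covered, tok; hit = 1
                    }
                    n = -1
                }
            }
        }
        END { exit hit }
    ' "$1"
}

# Constructed sample in dnssec-signzone layout (names, key tag, signatures are made up).
sample_signed_zone() {
cat <<'EOF'
example.test.      3600 IN SOA  ns1.example.test. admin.example.test. (
                        2024011101 3600 900 604800 3600 )
                   3600 RRSIG   SOA 5 2 3600 (
                        20240215000000 20240111000000 12345 example.test.
                        c2FtcGxl )
                   3600 NSEC    www.example.test. NS SOA RRSIG NSEC DNSKEY
                   3600 RRSIG   NSEC 5 2 3600 (
                        20240215000000 20240111000000 12345 example.test.
                        c2FtcGxl )
www.example.test.  3600 IN A    192.0.2.10
                   3600 RRSIG   A 5 3 3600 (
                        20240205000000 20240101000000 12345 example.test.
                        c2FtcGxl )
EOF
}

# Live use (GNU date): rrsig_expiring SIGNED_ZONE_FILE "$(date -u -d '+7 days' +%Y%m%d%H%M%S)"
sample_signed_zone | rrsig_expiring - 20240208000000 || echo "re-sign needed"
```

Run from cron, a non-zero return is the signal to repeat the signing and restart steps before the signatures lapse.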

