Signing your zones might sound complicated, but it comes down to five steps. This walkthrough uses Alpine Linux 3.12 with BIND 9.14.
1) Create the bind config
Make sure the dependencies are installed first. On Alpine that is apk add bind bind-dnssec-tools (the second package provides dnssec-keygen and dnssec-signzone).
# vi /etc/bind/named.conf
/etc/bind/named.conf
options {
    directory "/var/bind";
    // listen-on 127.0.0.1 only answers local queries; a public authoritative
    // server has to listen on the address in its NS record (here
    // 45.136.156.16) or on "any".
    listen-on { 127.0.0.1; };
    listen-on-v6 { none; };
    allow-transfer { none; };
    pid-file "/var/run/named/named.pid";
    // authoritative-only: recurse for nobody
    recursion no;
    allow-recursion { none; };
    // already the default in 9.14 (the option is obsolete in later releases)
    dnssec-enable yes;
    // only matters if this server also resolves; harmless on an authoritative-only server
    dnssec-validation yes;
};
The original config also had dnssec-lookaside auto; leave it out. The DLV registry it pointed at (dlv.isc.org) was shut down in 2017, so the option does nothing useful and later BIND releases drop it.
2) Create your zonefile
cd /etc/bind/zones
vi bekla.ga
/etc/bind/zones/bekla.ga
$ORIGIN bekla.ga.
$TTL 1h
@       IN SOA  ns1.bekla.ga. sysop.bekla.ga. (
                202007  ; serial
                1d      ; refresh
                2h      ; retry
                4w      ; expire
                1h      ; negative-cache TTL
                )
@       IN NS   ns1
@       IN A    45.136.156.16
@       IN TXT  "v=spf1 include:asbra.nu -all"
ns1     IN A    45.136.156.16
www     IN A    45.136.156.16
3) Create script for generating dnssec signed zones
vi ./generate_dnssec.sh
/etc/bind/zones/generate_dnssec.sh
#!/bin/sh
# Usage: ./generate_dnssec.sh <zone>  (run it in the directory that holds the zone file)
# First run: create a ZSK and a KSK and append $INCLUDE lines for them to the
# unsigned zone file. Every run: write <zone>.signed and dsset-<zone>.
[ $# -lt 1 ] && echo "Missing arg" && exit 1
DOMAIN="$1"
# dnssec-keygen names its files K<zone>.+<alg>+<keyid>.key/.private, so the
# original test for K<zone>.key never matched and made fresh keys on every run.
if ! ls K"${DOMAIN}".+*.key >/dev/null 2>&1
then
    # NSEC3RSASHA1 (alg 7) is SHA-1 based and NOT RECOMMENDED for new signing
    # keys by RFC 8624; ECDSAP256SHA256 (alg 13, no -b needed) is the usual choice today.
    dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE "$DOMAIN"
    dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE "$DOMAIN"
    for key in K"${DOMAIN}".+*.key ; do
        echo "\$INCLUDE $key" >> "$DOMAIN"
    done
fi
# -3 <salt>: NSEC3 with a random 8-byte salt. -N INCREMENT adds one to the serial
# of the unsigned file, so the signed serial only changes when you edit the source
# (use -N unixtime if you re-sign from cron). -A is NSEC3 opt-out, which only pays
# off with many unsigned delegations.
dnssec-signzone -A -3 "$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)" \
    -N INCREMENT -o "$DOMAIN" -t "$DOMAIN"
4) Make script executable & run
chmod +x ./generate_dnssec.sh
./generate_dnssec.sh bekla.ga
This writes bekla.ga.signed next to the zone file and dsset-bekla.ga., which holds the DS record(s) of the KSK. Publishing that DS at your registrar, i.e. in the parent zone, is what closes the chain of trust; until then validating resolvers treat bekla.ga as unsigned. The signatures are valid for 30 days by default, so re-run the script and reload BIND well before they expire.
5) Add zone file to bind
vi /etc/bind/named.conf
/etc/bind/named.conf
zone "bekla.ga" IN {
    type master;
    file "/etc/bind/zones/bekla.ga.signed";
};
The file statement must point at the .signed output, not the unsigned zone, and the named user has to be able to read it. Check the result with named-checkconf and named-checkzone before restarting the service (rc-service named restart on Alpine), and confirm the DNSKEY and RRSIG records are being served before you submit the DS to the registrar.
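The DS record you hand to the registrar comes from dsset-bekla.ga. (or from dnssec-dsfromkey). As an added example that is not part of the original post, the following Python script recomputes that DS record from the DNSKEY line in the KSK's .key file: the key tag from RFC 4034 Appendix B and the digest-type-2 SHA-256 digest from RFC 4034 section 5.1.4 / RFC 4509, so you can cross-check what you submit on any machine, with or without BIND installed. The .key file content below is constructed: its public key bytes are a dummy 0x00..0x0f sequence, not a real P-256 point, so the output only exercises the parsing and the arithmetic.

```python
"""Recompute the DS record for a DNSKEY, the way dnssec-dsfromkey does.

Added example (not from the original post): key tag per RFC 4034
Appendix B and DS digest type 2 (SHA-256 over canonical owner name +
DNSKEY RDATA) per RFC 4034 section 5.1.4 / RFC 4509. Standard library only.
"""
import base64
import hashlib
import struct

# Constructed sample in the layout dnssec-keygen writes to K<zone>.+013+<tag>.key.
# The public key bytes are a dummy 0x00..0x0f sequence, NOT a valid P-256 point;
# they only exercise the parsing and the arithmetic.
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 15438, for bekla.ga.
bekla.ga. IN DNSKEY 257 3 13 AAECAwQFBgcICQoLDA0ODw==
"""


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased labels, root label last."""
    stripped = name.lower().rstrip(".")
    labels = stripped.split(".") if stripped else []
    wire = b"".join(struct.pack("B", len(lab)) + lab.encode("ascii") for lab in labels)
    return wire + b"\x00"


def parse_dnskey(text: str):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) from the first
    DNSKEY record in text; ';' comment lines (as in .key files) are skipped."""
    for raw in text.splitlines():
        fields = raw.split(";")[0].split()
        if "DNSKEY" not in fields:
            continue
        idx = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
        pubkey = base64.b64decode("".join(fields[idx + 4:]))
        return fields[0], flags, proto, alg, pubkey
    raise ValueError("no DNSKEY record found")


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """Digest type 2: SHA-256(canonical owner name || DNSKEY RDATA), upper-case hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(text: str) -> str:
    """The DS line to publish at the parent, matching what dsset-<zone>. contains."""
    owner, flags, proto, alg, pubkey = parse_dnskey(text)
    if not flags & 0x0001:
        raise ValueError("flags lack the SEP bit: this is a ZSK, publish the KSK's DS")
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {ds_digest(owner, rdata)}"


if __name__ == "__main__":
    print(ds_record(SAMPLE_KEY_FILE))
```

Feed it the content of the KSK's .key file (the one whose DNSKEY flags are 257) and compare the printed line with the entry in dsset-bekla.ga.; the ZSK (flags 256) is rejected on purpose because only the KSK's DS belongs in the parent zone.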