DNSSEC with BIND 9 on Alpine

Signing your zones might sound complicated. Here are five steps to get going on Alpine Linux 3.12 with BIND 9.14.


1) Create the bind config

Install the packages first: apk add bind bind-dnssec-tools (the second package provides dnssec-keygen, dnssec-signzone and friends).

vi /etc/bind/named.conf

/etc/bind/named.conf
options {
    directory "/var/bind";
    // Answers only on localhost. If this host is the public ns1 of the zone it must
    // also listen on its public address (45.136.156.16 in the zone file below).
    listen-on { 127.0.0.1; };
    listen-on-v6 { none; };
    allow-transfer { none; };
    pid-file "/var/run/named/named.pid";
    // Authoritative only: no recursion for anyone.
    allow-recursion { none; };
    recursion no;
    dnssec-enable yes;
    // Validation only matters on a recursive resolver; harmless here.
    dnssec-validation yes;
    // The original config also had "dnssec-lookaside auto;". ISC retired the DLV
    // registry (dlv.isc.org) in 2017, so lookaside validation no longer does
    // anything and the option is left out.
};

2) Create your zonefile

cd /etc/bind/zones
vi bekla.ga

/etc/bind/zones/bekla.ga
$ORIGIN bekla.ga.
$TTL 1h
@ IN SOA ns1.bekla.ga. sysop.bekla.ga. ( 202007 1d 2h 4w 1h )
@ IN NS ns1
@ IN A 45.136.156.16
@ IN TXT "v=spf1 include:asbra.nu -all"
ns1 IN A 45.136.156.16
www IN A 45.136.156.16


3) Create the signing script

vi /etc/bind/zones/generate_dnssec.sh

4) Make the script executable and run it

chmod +x ./generate_dnssec.sh
./generate_dnssec.sh bekla.ga

/etc/bind/zones/generate_dnssec.sh
#!/bin/sh
# Usage: ./generate_dnssec.sh bekla.ga  (keys, dsset- and .signed files land in /etc/bind/zones)
[ $# -lt 1 ] && echo "Missing arg" && exit 1
DOMAIN="$1"
cd /etc/bind/zones || exit 1
# dnssec-keygen names the files K<zone>.+<alg>+<keytag>.key, zone with a trailing dot, so a
# test for K${DOMAIN}.key never matches and would generate fresh keys (and append more $INCLUDEs) on every run.
set -- K"$DOMAIN".+*.key
if [ ! -f "$1" ]
then
    # ZSK 2048 bit and KSK 4096 bit. RSASHA256 (alg 8) replaces NSEC3RSASHA1 (alg 7, SHA-1 based,
    # NOT RECOMMENDED for signing by RFC 8624); NSEC3 is selected at signing time with -3, not by the algorithm.
    dnssec-keygen -a RSASHA256 -b 2048 -n ZONE "$DOMAIN"
    dnssec-keygen -f KSK -a RSASHA256 -b 4096 -n ZONE "$DOMAIN"
    for key in K"$DOMAIN".+*.key ; do echo "\$INCLUDE $key" >> "$DOMAIN" ; done
fi
# NSEC3 with a random 8-byte salt. -A (opt-out) is dropped: it only helps zones with many unsigned
# delegations and otherwise weakens the proof of non-existence. -N INCREMENT writes unsigned serial + 1.
dnssec-signzone -3 "$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)" -N INCREMENT -o "$DOMAIN" -t "$DOMAIN"

5) Add the zone to bind

vi /etc/bind/named.conf

/etc/bind/named.conf
zone "bekla.ga" IN {
    type master;
    file "/etc/bind/zones/bekla.ga.signed";
};

Point file at the .signed output, not at the unsigned zone. Then start or restart named (rc-service named restart on Alpine) and check that it answers with signatures: dig @127.0.0.1 bekla.ga DNSKEY +dnssec (dig is in the bind-tools package). Signing alone does not make the zone validate: dnssec-signzone also writes dsset-bekla.ga. with the DS record(s) of the KSK, and until those are published in the parent zone through the registrar, validating resolvers treat bekla.ga as unsigned.
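The script in step 3 signs once, which is enough to get going but not to stay signed. Two things it does not handle: the RRSIGs expire (dnssec-signzone's default validity is 30 days), so the zone has to be re-signed regularly or it turns bogus for validating resolvers; and the SOA serial has to grow with every published version, but -N INCREMENT only adds 1 to the serial of the unsigned file, which never changes, so two re-signs of the same unsigned zone produce the same serial. The wrapper below is an added example, not the page's or ISC's script: it bumps the unsigned zone's serial in YYYYMMDDnn form, re-signs, verifies the result before named loads it, and prints the DS record(s) that must match what is at the registrar. It assumes the layout above (keys and unsigned zone in /etc/bind/zones, one-line SOA as in the zone file in step 2) and that rndc is set up for the running named (rndc-confgen -a), which the page does not cover; the cron line is an assumed schedule.

```shell
#!/bin/sh
# resign.sh: periodic re-signing wrapper for the layout above (added example, not the page's script).
# Assumes: keys and unsigned zone in /etc/bind/zones (override with ZONEDIR), a one-line SOA as in
# the zone file above, and rndc configured for the running named (rndc-confgen -a).
# Run from cron before the RRSIGs expire, e.g. weekly:  0 3 * * 0 /etc/bind/zones/resign.sh bekla.ga

ZONEDIR="${ZONEDIR:-/etc/bind/zones}"

# next_serial CURRENT YYYYMMDD -> next serial in YYYYMMDDnn form. The result is always greater than
# CURRENT, so a serial that is already "ahead" (clock skew, more than 99 edits a day) is never rewound.
next_serial() {
    cur="${1:-0}"
    base="${2}00"
    if [ "$cur" -lt "$base" ]; then echo "$base"; else echo "$((cur + 1))"; fi
}

# zone_serial FILE -> the serial, i.e. the field after "(" on the SOA line (one-line SOA form only).
zone_serial() {
    awk '/[[:space:]]SOA[[:space:]]/ { for (i = 1; i <= NF; i++) if ($i == "(") { print $(i + 1); exit } }' "$1"
}

# set_zone_serial FILE NEW -> rewrite only the serial on the SOA line, leaving the rest untouched.
set_zone_serial() {
    sed -i "/[[:space:]]SOA[[:space:]]/ s/( *[0-9][0-9]*/( $2/" "$1"
}

resign() {
    domain="$1"
    cd "$ZONEDIR" || return 1
    new=$(next_serial "$(zone_serial "$domain")" "$(date -u +%Y%m%d)")
    set_zone_serial "$domain" "$new" || return 1
    # -N keep: the serial is managed here, so the signed zone takes it unchanged from the unsigned file.
    # -3 - -H 0: NSEC3 with an empty salt and no extra hash iterations (RFC 9276 guidance);
    # no -A, because the zone has no delegations for opt-out to apply to.
    dnssec-signzone -3 - -H 0 -N keep -o "$domain" "$domain" || return 1
    # Check the result before named loads it: a broken signed zone is worse than a stale one.
    dnssec-verify -o "$domain" "$domain.signed" || return 1
    named-checkzone "$domain" "$domain.signed" >/dev/null || return 1
    rndc reload "$domain" || return 1
    # dnssec-signzone rewrites dsset-<zone>.; it must match the DS published in the parent zone.
    echo "DS record(s) that must be in the parent zone:"
    cat "dsset-$domain."
}

# Only act when invoked with a zone name; sourcing the file just defines the functions.
if [ "$#" -eq 1 ]; then resign "$1"; fi
```

If you would rather not touch the unsigned file at all, dnssec-signzone -N unixtime gives a monotonically increasing serial for free; the explicit bump above keeps the YYYYMMDDnn convention visible in the zone file, which is what most secondaries and their operators expect to see.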