dns/bind: enable DNSSEC zone signing
Enables the configuration of 'dnssec-policy' and 'inline-signing' for primary zones for automatic DNSSEC signing. The field 'DNSSEC policy' in the settings of primary zones allows the selection of the 'default' built-in policy or a 'custom' policy. This 'custom' 'dnssec-policy' can be configured within the 'General' tab (see example in help text). Checking the 'DNSSEC inline-signing' checkbox in the primary zone settings enables 'inline-signing' (see help text).
Some additional information:
The required DNSSEC keys are generated fully automatically by BIND after activation of the 'dnssec-policy' and stored by default in /usr/local/etc/namedb/working/. The location can be adjusted as required using key-directory.
The 'dnssec-policy' default generates a Combined Signing Key (CSK). Dedicated Zone Signing Keys (ZSK) and Key Signing Keys (KSK) can also be generated with the 'dnssec-policy' custom (see example in help text of the 'custom DNSSEC policy' field).
The zone is signed automatically by BIND each time the zone is changed.
The appropriate public CSK or KSK can then be added as a DS record in the superordinate DNS zone, so that the primary zone managed by OPNsense is classified as trusted.
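As an added illustration of the settings described above (this is not the plugin's help text or code), the named.conf fragment below defines a 'custom' dnssec-policy with a separate KSK and ZSK instead of the default CSK and applies it to a primary zone with inline-signing; the zone name, zone file path and key lifetimes are assumed values.

```conf
// Custom policy: long-lived KSK (its DS goes into the parent zone) plus a
// ZSK that BIND rolls automatically. Algorithm and lifetimes are assumptions.
dnssec-policy "custom" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P30D algorithm ecdsap256sha256;
    };
    signatures-validity P14D;   // how long generated RRSIGs stay valid
    signatures-refresh P5D;     // re-sign this long before they expire
    max-zone-ttl 1d;            // bounds rollover timing; keep >= longest TTL in the zone
};

zone "example.com" {
    type primary;
    file "/usr/local/etc/namedb/primary/example.com.db";  // unsigned source zone
    dnssec-policy "custom";       // use "default" here for a single CSK instead
    inline-signing yes;           // sign a separate copy, leave the source file untouched
    key-directory "/usr/local/etc/namedb/working";  // BIND writes the K*.key/.private files here
};
```

After a reload, `rndc dnssec -status example.com` reports the state of each key, and `dnssec-dsfromkey` run on the KSK's key file in the key-directory produces the DS record for the parent zone.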
Stale for too long; too many changes in the bind plugin which might have made this less relevant.