Eduard Ihnat edited this page 2026-05-21 20:43:18 +02:00

DNSSEC HowTo for Knot DNS

This guide explains how to enable DNSSEC signing on a Knot DNS authoritative server and publish a DS record at any registrar. It uses a generic example domain (example.com) and is safe to share publicly.


Requirements

  • A working Knot DNS authoritative server.
  • A configured zone such as example.com.
  • Ability to edit /etc/knot/knot.conf and reload Knot.
  • A registrar that supports manual DS record entry (e.g., Namecheap).

Step 1: Create a DNSSEC Policy

Knot signs zones automatically based on DNSSEC policies.

Add this policy section to knot.conf:

policy:
  - id: default-dnssec
    algorithm: ecdsap256sha256
    rrsig-lifetime: 14d
    rrsig-refresh: 7d
    nsec3: off

Notes:

  • ecdsap256sha256 (DNSSEC algorithm 13) is the current recommendation: small keys and signatures, and supported by every mainstream validator.
  • Set nsec3: on if you prefer NSEC3, which stops trivial zone enumeration. If you do, keep nsec3-iterations at 0 as RFC 9276 recommends; extra iterations only make validators work harder without adding security.

Step 2: Enable DNSSEC on the Zone

Modify your zone definition:

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: default-dnssec

Knot will automatically:

  • Generate the keys (a KSK and a ZSK) in its KASP database
  • Sign the zone and keep every RRSIG fresh within the rrsig-lifetime/rrsig-refresh window set in the policy
  • Maintain the NSEC or NSEC3 chain used for authenticated denial of existence
  • Publish DNSKEY and RRSIG records, plus CDS and CDNSKEY while a KSK is waiting for its DS to appear at the parent (the default cds-cdnskey-publish: rollover behaviour)
  • Roll the ZSK on its own (zsk-lifetime); KSK rollovers are off by default because they also require the DS at the parent to change

Step 3: Reload Knot

Apply configuration changes:

sudo knotc reload

Check DNSSEC status:

sudo knotc zone-status example.com

In the output, a scheduled DNSSEC re-sign event confirms that the zone is signed and that Knot will keep re-signing it. If no re-sign is scheduled, signing did not start: check that the zone references an existing policy id and look at the Knot log for the reason.


Step 4: Obtain the DS Record

Registrars require a DS record to activate DNSSEC.

dnssec-dsfromkey from the BIND utilities turns the DNSKEY records served by Knot into the matching DS. On Debian/Ubuntu it ships in bind9-utils, which does not interfere with your Knot installation:

sudo apt install bind9-utils

Query the DNSKEY RRset from the local server and derive the DS, pinning the digest type to SHA-256 so the output does not depend on the installed BIND version's default:

kdig DNSKEY example.com @127.0.0.1 | dnssec-dsfromkey -a SHA-256 -f - example.com

By default dnssec-dsfromkey only emits DS records for keys carrying the KSK (SEP) flag, which is exactly what the parent needs; the ZSK gets no DS.

This outputs something like:

example.com. IN DS 12345 13 2 ABCDEF012345...

Fields, left to right:

  • KeyTag (12345 above): identifies which DNSKEY the DS points at
  • Algorithm (13 = ECDSAP256SHA256, matching the policy)
  • DigestType (2 = SHA-256)
  • Digest: hex hash over the owner name and the DNSKEY RDATA

Enter these four values at your registrar exactly as printed. A typo in any of them yields a DS that matches no key, and validating resolvers will then treat the whole zone as bogus.


Step 5: Add DS at Registrar

Before touching the registrar, make sure every authoritative server for the zone (including any secondaries) already serves the signed zone: once the DS is in the parent, validating resolvers reject unsigned answers from any of them.

At your registrar's DNSSEC settings:

  1. Enable DNSSEC.
  2. Add a DS record using the values generated earlier.
  3. Save and wait 10 to 60 minutes for the parent zone to publish it.

Verify via parent (e.g., .com):

kdig DS example.com @a.gtld-servers.net

If the DS appears there, the parent now delegates to you securely and validating resolvers will enforce your signatures. As a final end-to-end check, ask a validating resolver for a record in the zone with the DNSSEC OK bit set: a validated answer carries the AD flag, while a broken chain (wrong DS, expired signatures) comes back as SERVFAIL.
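To make the mechanics behind Steps 4 and 5 concrete, and to have an offline check for the result, here is an added example that is not Knot DNS code and not part of this guide's original text. It derives DS records from a DNSKEY RRset the same way dnssec-dsfromkey (or Knot's keymgr ds command) does, and compares them with the DS set a parent serves. Everything in it is constructed: the DNSKEY lines carry a dummy 64-byte key blob rather than a real P-256 public key, and the parent DS lines are built from it to show both a clean match and a leftover DS from a retired KSK. In real use you would feed it the answer-section lines of kdig DNSKEY example.com @127.0.0.1 and kdig DS example.com @a.gtld-servers.net.

```python
"""Derive DS records from a DNSKEY RRset and compare them with the DS set the
parent publishes (digest per RFC 4034 section 5.1.4, key tag per appendix B).

Added example for this guide, not Knot DNS code. All DNS data below is
constructed: the public key is a dummy 64-byte blob, not a real P-256 point.
"""
import base64
import hashlib
import struct

SEP_FLAG = 0x0001                                  # KSK bit, RFC 4034 2.1.1
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}   # IANA DS digest types


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_rr(line, rrtype):
    """Split a presentation-format RR (kdig/dig style, TTL optional) into
    (owner, rdata fields) and check the type."""
    f = line.split()
    if f[1].isdigit():                 # drop the TTL if present
        del f[1]
    if f[1] != "IN" or f[2] != rrtype:
        raise ValueError(f"expected IN {rrtype}: {line!r}")
    return f[0], f[3:]


def key_tag(rdata):
    """RFC 4034 appendix B key tag (all algorithms except retired RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(line, digest_type=2):
    """(tag, alg, digest_type, hexdigest) for a KSK line, None for a ZSK.
    The digest covers the owner name in wire form followed by the RDATA."""
    owner, (flags, proto, alg, *key) = parse_rr(line, "DNSKEY")
    flags, alg = int(flags), int(alg)
    if not flags & SEP_FLAG:
        return None                    # same default as dnssec-dsfromkey
    rdata = struct.pack("!HBB", flags, int(proto), alg) + base64.b64decode("".join(key))
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, digest_type, digest


def ds_to_text(owner, ds):
    """Presentation form: the four values the registrar's DS form asks for."""
    tag, alg, dtype, digest = ds
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


def parse_ds(line):
    owner, (tag, alg, dtype, *digest) = parse_rr(line, "DS")
    return int(tag), int(alg), int(dtype), "".join(digest).upper()


def check_parent_ds(dnskey_lines, parent_ds_lines):
    """Return (ok, unpublished_ksk_tags, stale_parent_ds).
    stale: a DS no current KSK satisfies; harmless while a matching DS is
    also published, fatal (zone bogus) once it is the only one left.
    unpublished: a KSK the parent has no DS for at all."""
    parent = {parse_ds(l) for l in parent_ds_lines}
    dtypes = {ds[2] for ds in parent} or {2}   # compare in the parent's digest type(s)
    child = {ds_from_dnskey(l, dt) for l in dnskey_lines for dt in dtypes} - {None}
    stale = parent - child
    unpublished = {ds[0] for ds in child} - {ds[0] for ds in parent}
    return not stale and not unpublished, unpublished, stale


# --- constructed sample data, shaped like kdig answer-section lines ----------
DUMMY_KEY = base64.b64encode(bytes(range(64))).decode()
DNSKEYS = [
    f"example.com. 3600 IN DNSKEY 257 3 13 {DUMMY_KEY}",   # KSK
    f"example.com. 3600 IN DNSKEY 256 3 13 {DUMMY_KEY}",   # ZSK: gets no DS
]
KSK_DS = ds_from_dnskey(DNSKEYS[0])
PARENT_OK = [ds_to_text("example.com.", KSK_DS)]          # parent after Step 5
# leftover DS from a retired KSK (made-up tag and digest)
PARENT_STALE = PARENT_OK + ["example.com. 86400 IN DS 4242 13 2 " + "00" * 32]

if __name__ == "__main__":
    print("DS to submit:", PARENT_OK[0])
    for label, parent in (("ok", PARENT_OK), ("stale", PARENT_STALE)):
        print(label, check_parent_ds(DNSKEYS, parent))
```

The comparison is done in whatever digest type the parent actually published, because a registrar may store a SHA-384 DS even though you derived SHA-256 locally; a mismatch in that case is a tooling artefact, not a broken delegation. Running the check after every KSK change, before the old key is removed from the zone, catches the common failure of a DS still pointing at a retired KSK.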


Optional: Check CDS/CDNSKEY

Knot publishes CDS/CDNSKEY automatically:

kdig CDS example.com @127.0.0.1
kdig CDNSKEY example.com @127.0.0.1

Parents and registrars that implement RFC 7344 poll these records and update the DS for you, which makes future KSK rollovers hands-off. With a registrar that does not, every KSK change means repeating Step 5 by hand before the old key is retired.


Summary

You now have:

  • Automatic DNSSEC signing enabled on Knot DNS
  • DNSKEY, RRSIG, CDS/CDNSKEY automatically maintained
  • DS record added to registrar for global DNSSEC validation

Signing, re-signing and ZSK rollovers now run without intervention. The one step that stays manual is the DS at the parent: whenever the KSK changes, update it (Step 5) unless your registrar consumes CDS/CDNSKEY.