DNSSEC signing and key management fully automated

BIND named 9.16 includes new DNSSEC Policy functionality

The developers of BIND named have completed the last step in the automation of DNSSEC (signing). From version 9.15.6, policies for key management and zone signing can be specified in the configuration file named.conf. The software will then automatically ensure that signatures (RRSIG records) and ZSK/KSK pairs are always up-to-date. As a result, scripts and cron jobs are no longer necessary to keep signed zones updated.

From version 9.15.6 of BIND named, you can specify a 'dnssec-policy' in named.conf. That's done by adding a statement to the zone configuration, as follows:

  zone "example.nl." {
      type master;
      file "db.example.nl";
      dnssec-policy "dnssec-policy-1";

The DNSSEC policy in turn points to a definition in the global configuration:

  dnssecpolicy "dnssec-policy-1" {

On page 136 of the BIND 9 Administrator Reference Manual (ARM) for version 9.15.7 and here on the BIND wiki a number of specimen policies (KASP configurations) are provided. As a result, signing and rollovers can be fully automated, and new ZSK and KSK pairs will be generated automatically whenever they are needed.

BIND version 9.16 ESV

The implementation of DNSSEC Policy is part of the 'DNSSEC Made Easy' initiative by BIND developer Matthijs Mekking. The new functionality was introduced in (development) version 9.15.6 and thus incorporated into BIND (stable) version 9.16.0, which will be released shortly. BIND version 9.16 is the successor to the current 9.11 Extended Support Version (ESV), which expires at the end of 2020. After that, only security patches will be provided for version 9.11, and only for a further year.


Automated key management

The current form of key management was introduced to BIND named in versions 9.7 to 9.11, inclusive, and is described in detail in this hands-on article. It began with the automatic (re-)signing of zones in versions 9.7/9.8 ('auto-dnssec maintain'), which was further incorporated within the code base in versions 9.9/9.10 (Inline-Signing). From version 9.11, key management was also automated by means of the 'dnssec-keymgr' command and associated policy file. That meant that the entire DNSSEC set-up was confined to the BIND configuration files, with just one final cron job for generating new key pairs (where necessary) using the 'dnssec-keymgr' command.

Much easier

Starting with BIND version 9.11, it was therefore much easier to enable DNSSEC than it had been with pre-9.7 versions, which supported DNSSEC but without any automation. With those earlier versions, you had to write and install your own scripts and cron jobs, or steer away from BIND altogether and use OpenDNSSEC to generate signed zone files. If you went for the latter option, BIND named simply had to (periodically) load and serve the signed zones. According to Mekking, both methods will remain available for the time being, but the intention is to phase out the 'dnssec-keymgr' command in due course. Auto-DNSSEC and Inline-Signing will ultimately go as well. The associated options 'auto-dnssec maintain;' and 'inline-signing yes;' – which most users will currently have in their configuration files – will not then be compatible with a 'dnssec-policy' configuration (with the result that named-checkconf will give an error message). "The idea behind DNSSEC Policy is that all DNSSEC (signing) options are included in a single statement, making the configuration much more straightforward," explains Mekking. "The DNSSEC Policy functionality isn't yet complete – it doesn't cover NSEC3, for example – but the missing features will be added to version 9.16 in the course of this year."


  • Friday 1 November 2019

    SIDN Labs

    The Internet Measurement Conference Goes nl


    Three papers and an award

    Read more
  • Monday 6 May 2019

    About SIDN

    ALLAI makes responsible artificial intelligence the norm


    Business community, policy-makers

    Read more
  • Tuesday 26 June 2018

    Internet security

    "People should be able to trust e-mail from their local authority"


    SIDN starts promoting the adoption of internet standards for secure e-mail

    Read more


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.