Here is how to enable DNSSEC for domains hosted on OpenPanel. Note: I will use example.net as the domain name in all the commands; make sure to replace it with the domain that will be using DNSSEC.
First, add the domain and point its nameservers at the OpenPanel server. After that, follow these steps to generate the keys and set up DNSSEC:
Step 1. Create the keys for the domain
Enter the /var/cache/bind directory, where the keys will be stored, and run the following commands to generate two key pairs for example.net: a 2048-bit Zone Signing Key (ZSK) and a 4096-bit Key Signing Key (KSK). The -f KSK flag is what marks the second key as a KSK; without it dnssec-keygen produces a second ZSK.
cd /var/cache/bind && dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.net
cd /var/cache/bind && dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE -f KSK example.net
NSEC3RSASHA1 (algorithm 7) is kept here as in the original commands. RFC 8624 lists it as NOT RECOMMENDED for signing, and BIND builds on systems where SHA-1 is disabled in the crypto policy may refuse it; RSASHA256 or ECDSAP256SHA256 are the usual substitutes in that case.
Example outputs:
The directory will now have 4 keys – private/public pairs of ZSK and KSK.
Step 2. Add the keys to the DNS zone for the domain
Next, add the public keys (the .key files, each of which contains a DNSKEY record) to the zone file with $INCLUDE directives. The path is relative, so named resolves it against its directory option (/var/cache/bind on Debian-based systems), which is why the keys are generated there. The following loop adds both public keys to the example.net zone:
for key in Kexample.net*.key
do
  echo "\$INCLUDE $key" >> /etc/bind/zones/example.net.zone
done
Step 3. Sign the zone
After creating the key pairs and adding the public keys to the zone file, the next step is to sign the zone. Run this from /var/cache/bind as well, so that dnssec-signzone finds the private keys and the included .key files. The -3 option builds an NSEC3 chain with a random 16-hex-digit salt, -A sets the opt-out flag on the NSEC3 records, -N INCREMENT bumps the SOA serial and -t prints signing statistics:
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.net -t /etc/bind/zones/example.net.zone
This writes the signed zone to /etc/bind/zones/example.net.zone.signed and a dsset-example.net. file (note the trailing dot) into the current directory.
Step 4. Replace zone with zone.signed
Next, change the zone's file entry in the main configuration file from the existing example.net.zone to the newly generated example.net.zone.signed file. The -E flag is required so that sed treats the parentheses as a capture group that \1 refers to:
sed -E -i "/zone \"example.net\"/,/file/s|(file \"/etc/bind/zones/example.net.zone)|\1.signed|" /etc/bind/named.conf.local
Check the result with named-checkconf, then restart the service for the change to take effect:
service bind9 restart
Step 5. Test
The dig command can be used to check whether the local DNS server responds with DNSKEY records for the example.net domain:
dig DNSKEY example.net. @localhost +multiline
Example output:
The answer should contain two DNSKEY records, one with flags 256 (the ZSK) and one with flags 257 (the KSK). If you do not see the DNSKEYs in the output, something is not set correctly; repeat the steps above.
Step 6. Set the DS at your registrar
When we ran the dnssec-signzone command, a file named dsset-example.net. was also created in /var/cache/bind; it contains the DS record (key tag, algorithm, digest type and digest of the KSK):
This record has to be entered in your domain registrar's control panel so that the parent zone publishes it and the chain of trust down to your zone is complete.
Log in to your domain registrar's control panel, choose your domain, select the option to manage DS records, and add the record. Until the DS is published, the zone is signed but validating resolvers treat it as insecure rather than secure; a DS that does not match a KSK actually in the zone makes the domain fail validation entirely, so double-check the four fields before saving.
NOTE: After any change to the zone, it must be re-signed and its serial number updated. Edit records through OpenPanel > Zone Editor so that these actions are performed automatically after every change.
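As an added example (not part of the OpenPanel article and not OpenPanel's own tooling), here is the whole procedure above as a POSIX shell script. The paths mirror the article (keys in /var/cache/bind, zone files under /etc/bind/zones, zone definitions in /etc/bind/named.conf.local); the KEY_DIR, ZONE_DIR and NAMED_CONF variables are assumed overrides, not OpenPanel settings. The -f KSK flag, the -E on sed, the named-checkzone/named-checkconf checks and the idempotency guards are additions so that the script can be re-run safely after a key change. The functions that only edit files (include_keys, point_to_signed, ds_fields) can be exercised on copies of the files before touching the live server; the functions that call the BIND tools have to run as root on the OpenPanel server.

```shell
#!/bin/sh
# Added example, not OpenPanel's own tooling: the six DNSSEC steps as shell
# functions. Paths mirror the article; the three variables below are assumed
# overrides so the file-editing helpers can be tried on copies first.
set -eu

KEY_DIR="${KEY_DIR:-/var/cache/bind}"
ZONE_DIR="${ZONE_DIR:-/etc/bind/zones}"
NAMED_CONF="${NAMED_CONF:-/etc/bind/named.conf.local}"

# Step 1: ZSK (2048) and KSK (4096). -f KSK sets the KSK flag (257); without it
# both keys would be ZSKs (256). Algorithm kept as in the article.
generate_keys() {
  domain="$1"
  ( cd "$KEY_DIR" &&
    dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE "$domain" &&
    dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE -f KSK "$domain" )
}

# Step 2: one $INCLUDE per public key file (K<domain>.+<alg>+<tag>.key).
# The path stays relative so named resolves it against its "directory" option.
# Idempotent: a key that is already included is not appended again.
include_keys() {
  domain="$1"; zonefile="$2"; keydir="$3"
  for key in "$keydir"/K"$domain".+*.key; do
    [ -f "$key" ] || continue
    name=$(basename "$key")
    grep -qxF "\$INCLUDE $name" "$zonefile" ||
      printf '$INCLUDE %s\n' "$name" >> "$zonefile"
  done
}

# Step 3: sign from KEY_DIR so dnssec-signzone finds the private keys and the
# relative $INCLUDE files; -3 <salt> selects NSEC3, -A sets opt-out,
# -N INCREMENT bumps the serial. Output: <zonefile>.signed next to the zone
# file and dsset-<domain>. (trailing dot) in KEY_DIR.
sign_zone() {
  domain="$1"; zonefile="$2"
  salt=$(head -c 1000 /dev/random | sha1sum | cut -b 1-16)
  ( cd "$KEY_DIR" &&
    dnssec-signzone -A -3 "$salt" -N INCREMENT -o "$domain" -t "$zonefile" )
  named-checkzone "$domain" "$zonefile.signed"
}

# Step 4: point the zone's "file" statement at the .signed file. Same sed as
# the article, with -E so (...) and \1 form a real capture group. Idempotent:
# a file statement that already ends in .signed no longer matches the pattern.
point_to_signed() {
  domain="$1"; conf="$2"; zonefile="$3"
  sed -E "/zone \"$domain\"/,/file/s|(file \"$zonefile)\"|\1.signed\"|" "$conf" \
    > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Step 6: print "keytag algorithm digest-type digest" for every DS line in the
# dsset file; these four fields are what the registrar's DS form asks for.
ds_fields() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "DS") { print $(i+1), $(i+2), $(i+3), $(i+4); break } }' "$1"
}

main() {
  domain="$1"; zonefile="$ZONE_DIR/$domain.zone"
  generate_keys "$domain"
  include_keys "$domain" "$zonefile" "$KEY_DIR"
  sign_zone "$domain" "$zonefile"
  point_to_signed "$domain" "$NAMED_CONF" "$zonefile"
  named-checkconf && rndc reload   # the article restarts bind9 instead; either works
  # Step 5: expect two DNSKEY records, flags 256 (ZSK) and 257 (KSK)
  dig DNSKEY "$domain." @localhost +multiline
  echo "DS fields for the registrar (key tag, algorithm, digest type, digest):"
  ds_fields "$KEY_DIR/dsset-$domain."
}

# Run the full procedure only when a domain is given: ./dnssec-enable.sh example.net
case "${1:-}" in
  "") ;;
  *) main "$1" ;;
esac
```

Because every zone edit requires re-signing, the idempotent helpers matter: running the script again after a key rollover appends only the new $INCLUDE lines and leaves the already-rewritten file statement in named.conf.local untouched, rather than producing example.net.zone.signed.signed.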