DNSSEC - many doubts

David Alexandre M. de Carvalho david at di.ubi.pt
Thu Apr 2 15:13:44 UTC 2020

Hello, good afternoon.
My first post in this list :)

I'm running BIND Chroot for many years (currently version 9.8.2) on some old hardware running Oracle Linux 6.
I believe it was last year when I was reading about implementing DNSSEC, and I think I've even tried to generate a
keypair in the slowest server, which after more than a day, wasn't ready yet. Maybe I was doing something wrong, I
honestly don't know. So now I had some time and reading about this again.

If I query either of my servers about my domain:
dig @dns di.ubi.pt DNSKEY
I do get the DNSKEY, but I have no records when querying about +dnssec. My topdomain (ubi.pt) doesn't have DNSSEC yet

my named.conf already has the following:

        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";

Outside the configuration file I also have a /etc/named.root.key

My questions:
1) Will my old servers (1GB RAM) become much slower with  DNSSEC? Is it worth it?
2) I have one global "hosts" file and 3 reverse zone files, each for the respective IP network. Can I use the same
Keypair in all of them?
3) Are the files /etc/named.root.key file and /etc/named.iscdlv.key already being used? I compared them to the result
of the DNSKEY dig query but they are different.

Thank you so much for your time!
Best regards

Os melhores cumprimentos
David Alexandre M. de Carvalho
Especialista de Informática
Departamento de Informática
Universidade da Beira Interior

More information about the bind-users mailing list