Applying the chain of trust - BIND version 9.4

Now that you have a secured root, you can secure the rest of your child zones. In this case, we are working to secure the zone

Follow these steps to secure your remaining child zones:

  1. Generate the key pairs using the dnssec-keygen command:
    dnssec-keygen -a RSA -b 512 -r /usr/sbin/named -n ZONE
    The -r flag specifies the source of randomness (a character device or a file); -n ZONE marks the key as a zone key. The values shown here are those of the original procedure: a 512-bit RSA key is too small to resist factoring, and a fixed file such as a program binary is not a random source. On a current system use a key of at least 2048 bits and a real entropy device such as /dev/random.
  2. Make a keyset by running the dnssec-makekeyset command:
    dnssec-makekeyset -t 172800
    where is the public key file generated in step 1. The -t flag sets the TTL, here 172800 seconds (two days), of the key records in the keyset. The keyset contains only public key material; the private key stays on the child name server.

    This creates a keyset file called

  3. Send this keyset file to the parent zone to get it signed. In this case, our parent zone is the secure root zone
  4. The parent signs the keyset using its own private key.
    This generates a file called, which the parent sends back to the child zone. Note that only public data crosses the zone boundary in both directions: the parent's private key never leaves the parent, and the child's private key never leaves the child.
  5. On the child name server for zone, add an $INCLUDE directive for the signed keyset to the plain zone file. Keep the signed keyset file in the same directory as the zone file. When the zone is signed in the following step, the signer will include the signed keyset received from the parent.
    $TTL 3h    ;3 hours, default TTL for records in this zone
    @ IN    SOA  (
                    1       ;serial
                    3600    ;refresh
                    600     ;retry
                    3600000 ;expire
                    86400   ;negative caching TTL
                    )
  6. Sign the zone using the dnssec-signzone command:
    dnssec-signzone -o
    The -o flag gives the zone origin. By default dnssec-signzone writes the signed zone to a new file named after the input zone file with .signed appended; the plain zone file is left unchanged.
  7. Modify the named.conf file on the child zone to use the new signed zone file ( For example:
    options {
            directory "/usr/local/domain";
    };
    zone "" in {
            type master;
            file "";
    };
  8. Reload the name server so that it serves the signed zone (for example, with rndc reload). Then query the zone with dig and check that DNSKEY and RRSIG records are returned.
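The parent-to-child link that this procedure builds is the chain of trust: the parent vouches for the child's public key, so a resolver that already trusts the parent can trust the child's signatures. The following Python is an added illustration, not code from this page or from the BIND distribution. It goes slightly beyond the signed-keyset exchange above and shows the delegation check that later BIND releases and current DNSSEC use instead: computing the key tag (RFC 4034 Appendix B) and the DS digest over the child's DNSKEY, then checking a DNSKEY against the DS the parent publishes and rejecting a substituted key. The zone name child.example. and the four-byte public key are constructed sample values, not real key material.

```python
"""Chain-of-trust check: derive a DS record from a child's DNSKEY and verify
a DNSKEY against the DS published by the parent (RFC 4034, section 5 and
Appendix B). Added illustration; zone name and key bytes are constructed."""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034 section 6.2)."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey_presentation(text: str) -> bytes:
    """Parse the RDATA part of a DNSKEY RR in presentation format,
    e.g. '257 3 5 AQID...' (base64 may be split over several fields)."""
    fields = text.split()
    flags, proto, alg = (int(x) for x in fields[:3])
    return dnskey_rdata(flags, proto, alg, base64.b64decode("".join(fields[3:])))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int) -> dict:
    """DS = key tag, algorithm, digest type, digest(owner_wire || DNSKEY RDATA)."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": h.hexdigest().upper()}


def ds_matches(owner: str, rdata: bytes, parent_ds: dict) -> bool:
    """True if this DNSKEY, as published in the child zone, is the one the
    parent's DS record vouches for. A key without the Zone Key flag bit
    (value 256) can never be a trust point, whatever its digest."""
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0100:
        return False
    return make_ds(owner, rdata, parent_ds["digest_type"]) == parent_ds


# Constructed sample: a hypothetical child zone and a 4-byte stand-in for a
# real public key blob. Flags 257 = Zone Key + Secure Entry Point (a KSK);
# algorithm 5 = RSASHA1.
CHILD_ZONE = "child.example."
SAMPLE_KEY = dnskey_rdata(257, 3, 5, bytes([1, 2, 3, 4]))

if __name__ == "__main__":
    ds = make_ds(CHILD_ZONE, SAMPLE_KEY, 2)
    print(f"{CHILD_ZONE} IN DS {ds['key_tag']} {ds['algorithm']} "
          f"{ds['digest_type']} {ds['digest']}")
    # A key substituted by an attacker differs in at least one byte,
    # so its digest no longer matches the DS held by the parent.
    tampered = dnskey_rdata(257, 3, 5, bytes([1, 2, 3, 5]))
    print("genuine key matches parent DS:", ds_matches(CHILD_ZONE, SAMPLE_KEY, ds))
    print("substituted key matches parent DS:", ds_matches(CHILD_ZONE, tampered, ds))
```

Run it as a script to print a DS record for the sample key. In practice you would feed parse_dnskey_presentation the DNSKEY RR returned by dig for the child zone and compare against the DS RR returned for the same name from the parent; a mismatch means the delegation is not yet trusted (or the key was rolled without updating the parent), and a resolver would then treat the child's data as bogus rather than as unsigned.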

For information on troubleshooting, see Name resolution problems.