DNSSEC validation

This is advice on how to configure your own recursive nameservers to perform DNSSEC validation, based on the configuration we are currently using on the central CUDN recursive nameservers.

With any BIND version from 9.8 onwards, you can turn on validation by specifying the following in your named.conf file. This uses the root trust anchors that are compiled into BIND, and it will automatically update them following a controlled (RFC 5011) key rollover. BIND stores the updated keys in a managed-keys.bind file in its working directory, so named must be able to write there for the rollover to persist across restarts.

options {
    # ... other options ...
    dnssec-validation auto;
};

In October 2018 the root zone's key signing key (KSK) was rolled over, from KSK-2010 (key ID 19036) to KSK-2017 (key ID 20326).

If you are running BIND 9.11 or later, you can verify that your server trusts the correct root keys using rndc. The following example dates from shortly after the new root key was introduced in July 2017, while it was still in its 30-day hold-down period and the old key was still the only trusted one; the output will look similar, apart from the dates and with key 20326 shown as trusted, until the old root key is revoked early in 2019.

$ rndc managed-keys status
view: _default
next scheduled event: Tue, 18 Jul 2017 18:04:09 GMT

name: .
keyid: 19036
    algorithm: RSASHA256
    flags: SEP
    next refresh: Tue, 18 Jul 2017 18:04:09 GMT
    trusted since: Wed, 06 Apr 2016 14:33:22 GMT
keyid: 20326
    algorithm: RSASHA256
    flags: SEP
    next refresh: Tue, 18 Jul 2017 18:04:09 GMT
    trust pending: Thu, 10 Aug 2017 18:04:09 GMT
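The check above can be scripted so that a cron job can warn when the current root KSK is not (or not yet) trusted. The following is an added example, not part of this page and not ISC's tooling: it parses the output of rndc managed-keys status and reports the trust state of each key under "name: .". It embeds a constructed copy of the 2017 output above as sample input. The "trusted since" and "trust pending" wordings come from that output; the "trust revoked" and "no trust" strings matched for the other RFC 5011 states are assumed wordings and may need adjusting for your BIND version.

```shell
#!/bin/sh
# Added example, not from the page or from ISC: parse "rndc managed-keys status"
# output and report the trust state of each root-zone (".") trust anchor.
# "trusted since" / "trust pending" are taken from the page's output;
# "trust revoked" / "no trust" are assumed wordings for the other states.

# Constructed sample input, modelled on the page's July 2017 output:
# old KSK 19036 trusted, new KSK 20326 still in its 30-day hold-down.
SAMPLE_STATUS='view: _default
next scheduled event: Tue, 18 Jul 2017 18:04:09 GMT

name: .
keyid: 19036
    algorithm: RSASHA256
    flags: SEP
    next refresh: Tue, 18 Jul 2017 18:04:09 GMT
    trusted since: Wed, 06 Apr 2016 14:33:22 GMT
keyid: 20326
    algorithm: RSASHA256
    flags: SEP
    next refresh: Tue, 18 Jul 2017 18:04:09 GMT
    trust pending: Thu, 10 Aug 2017 18:04:09 GMT
'

# root_key_states: read status text on stdin, print one "KEYID STATE" line per
# key listed under "name: ." (trust anchors for other zones are ignored).
root_key_states() {
    awk '
        /^name:/  { zone = $2; keyid = "" }
        /^keyid:/ { keyid = $2
                    if (zone == ".") { order[++n] = keyid; state[keyid] = "unknown" } }
        zone != "." || keyid == "" { next }
        /trusted since:/ { state[keyid] = "trusted" }
        /trust pending:/ { state[keyid] = "pending" }
        /trust revoked/  { state[keyid] = "revoked" }
        /no trust/       { state[keyid] = "untrusted" }
        END { for (i = 1; i <= n; i++) print order[i], state[order[i]] }
    '
}

# key_state KEYID: state of one root key from the status text on stdin,
# or "missing" if that key is not listed at all.
key_state() {
    root_key_states | awk -v k="$1" \
        '$1 == k { print $2; found = 1 } END { if (!found) print "missing" }'
}

# check_current_ksk KEYID: succeed (exit 0) only if KEYID is fully trusted.
# Live use:  rndc managed-keys status | check_current_ksk 20326
check_current_ksk() {
    [ "$(key_state "$1")" = "trusted" ]
}

# Demonstration on the constructed sample: 19036 is trusted, 20326 pending.
printf '%s' "$SAMPLE_STATUS" | root_key_states
if printf '%s' "$SAMPLE_STATUS" | check_current_ksk 20326; then
    echo "current root KSK 20326 is trusted"
else
    echo "WARNING: current root KSK 20326 is not yet trusted by this resolver"
fi
```

Replace the sample with a pipe from rndc managed-keys status on the server itself; a non-zero exit from check_current_ksk 20326 after the 2018 rollover means the resolver is still relying on the old key and will lose validation once that key is revoked.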