Signing your SLD

By implementing DNSSEC, you introduce cryptographic certainty that when a person looks up a Domain Name with DNSSEC validation enabled, the answer received will be correct. In order to perform DNSSEC validation, there needs to be a trusted chain of signatures from the root zone (the invisible ‘dot’ at the end of a Domain Name) down to the rightmost component of an FQDN (Fully Qualified Domain Name) – e.g.

Any “gap” in the chain breaks DNSSEC validation, and it therefore prevents people below you in the DNS chain from being able to secure their own DNS.

A secured Zone also allows other material to be included in the Zone, such as TLSA records, which help authenticate that the SSL certificates used by secured web sites are in fact correct.

There are two methods to sign your zone that will be mentioned below – BIND or OpenDNSSEC. The Software is usually run on Linux (*nix) type systems.

In looking at the provided methods of signing, you will see references to the terms NSEC and NSEC3. For a Second Level Domain, you should choose NSEC3 over NSEC signing, which will stop your zone from being enumerated.

The other useful piece of information is that a nameserver should only have one role: it should either hold Zones (authoritative) or be able to look up information (recursive). It should not do both – do not mix these roles. In order to test that DNSSEC is working, you need to ask a Recursive machine that can chase down signatures from the Root. Asking the Authoritative server directly will not work.




This is probably the most popular method of signing Zones and is used by many ccTLDs. The “OpenDNSSEC” software needs to be installed. It uses a second piece of equipment – an HSM (Hardware Security Module) – to create and store signatures. The HSM is also used to sign the Zone.

OpenDNSSEC also comes with a Software HSM, so there is no need to purchase the Hardware version. ZA is signed by physical HSMs, as is the “root” of the Internet. Banks and similar organisations will probably do the same.

Most people, though, can rely on the “Soft” HSM. (BIND can also be configured to use HSMs.) Once set up, this runs automatically although, like any software, it may need a prod or two over time. The software comes with a How-To Guide on how to set up the software and get things running.


BIND sets the standard that all other DNS systems emulate. BIND will allow a Zone to be automatically signed and will keep it up to date. Currently, though, Signatures need to be manually created, though this too will be automated. Technically, new signatures may only be required every few years – the Signatures in the Root are already over five years old.

To add DNSSEC to BIND, have a look here:

Inline Signing in ISC-BIND
Inline Signing with NSEC3


The other side of signing is DNSSEC Validation. This is handled by the people who run Recursive Nameservers, the ISPs that provide access to the man in the street. Telkom SA amongst others already runs DNSSEC Validation, so as soon as your Zone is Signed, the DNSSEC side will be validated on behalf of a large proportion of end users in South Africa.


To link your signed SLD into the parent zone .ZA, send the DS key to ZADNA.
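
Before sending the DS to the parent, it is worth recomputing it independently from the DNSKEY in your zone. The following is an added example, not part of the original page or of BIND/OpenDNSSEC: it derives the key tag and SHA-256 DS digest as defined in RFC 4034. The zone name example.za, algorithm 15 and the placeholder public key are assumptions made for illustration.

```python
import base64
import hashlib
import struct

# Constructed 32-octet placeholder, not a real key (algorithm 15 keys are 32 octets).
SAMPLE_PUBKEY_B64 = base64.b64encode(b"constructed-sample-key-not-real!").decode()


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical DNS wire format: lower-case, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: 16-bit sum of the RDATA, carry added back."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet << 8 if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """Build the SHA-256 (digest type 2) DS record for one DNSKEY, in zone-file form."""
    # RFC 4034 5.2: the DNSKEY a DS refers to must be a zone key (flag bit 7), protocol 3.
    if not flags & 0x0100 or protocol != 3:
        raise ValueError("DS must refer to a zone key with protocol 3")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    # Digest input is the canonical owner name followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower().rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


if __name__ == "__main__":
    # example.za is a hypothetical SLD; 257 = zone key + SEP (key-signing key).
    print(make_ds("Example.ZA.", 257, 3, 15, SAMPLE_PUBKEY_B64))
```

If the key tag or digest differs from the DS your signer exported, the wrong key or owner name is about to be published in the parent, which would break the chain for every validating resolver.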