Creating custom DNS on a Gandi Server (installing BIND, and adding DNSSEC)

There are many ways to create a custom nameserver. Below is a very quick step-by-step method for doing this with a Gandi Server (Ubuntu 12.04 LTS 64 bits) so that you can use your own, personalized DNS with your domain, and use DNSSEC for added security.

1. Create your Gandi server.

It is necessary to start by creating your server, as this will provide you with the IP address of your nameserver, as well as the machine onto which you will install the service. We will be installing BIND as the nameserver. For the sake of this guide, we will pretend that the IP address of our Gandi server is For help on this particular topic, see our wiki page at

2. Choose your domain and create the Glue Record

Decide what domain name you want your nameserver to be on. For the sake of this guide, we will pretend that it is, and that we want to make a personal nameserver called

Once you know what domain you will use, you can already create the nameserver's “Glue” at the registry from our “Glue Record” management page for your domain name. For instructions on using that page see

3. Install the nameserver (BIND)

You will now need to log into your Gandi Server via SSH (see how) and install BIND:

apt-get install bind9 dnsutils

4. Edit /etc/bind/named.conf.local

Using your favorite command-line editor, add a “zone” entry for the domain that will serve as the basis of your nameserver.

        zone "" {
             type master;
             file "/etc/bind/";
             allow-transfer {; };
        };

To help understand, and therefore personalize the above, know that:

  • zone “”: Remember that in our example we chose “”. This will of course need to be replaced with your own domain name.
  • file ”/etc/bind/”; This is the location of the actual zone file for the domain Here, it is directly in the /bind/ directory for convenience, but you could put it at another location if you wish, as long as you are sure that every time you need the server to find the file, you specify the correct location.
  • allow-transfer {; }; This line allows the zone to be transferred to Gandi's secondary DNS, NS6.GANDI.NET, as I have specified its IP address. While I am using NS6.GANDI.NET as a secondary nameserver, you can replace it with one or more others of your choice or fabrication; just be sure to leave the ; after the last IP address within the braces as shown above.

5. Make the zone file at /etc/bind/

Using your favorite console-based text editor, you will now need to create the zone file.

Below is an example of one that is for our fictitious domain, and IP address. It also includes the records needed for GandiMail to work, as I intend on using this domain name with GandiMail as well:

$TTL    10800
@       IN      SOA (
                              1         ; Serial
                          10800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS
ns1     IN      A

@  IN MX 10
@  IN MX 50
imap  IN CNAME
smtp  IN CNAME
webmail  IN CNAME

If you use the above as an example for your zone, please be sure to update the IP address, the domain, and the nameserver's name (ns1) to the ones that you will be using.

6. Restart bind

You now need to restart BIND in order for your changes to take effect:

/etc/init.d/bind9 restart

If it is unsuccessful, and you see [FAIL], you can use the following command line to see where the error is:

tail /var/log/daemon.log | grep named

7. Change your domain's DNS

Once you are sure that your nameserver is running, in order to use it, you will now need to change the DNS of your domain name so that it uses the newly created nameserver (see how).

Since this example was made for my personal nameserver ( and Gandi's secondary nameserver (NS6.GANDI.NET) I will need to replace whatever nameservers are currently being used for this domain name by those two.

Please wait 12-24 hours for propagation following your DNS update before testing the resolution via your domain name.

Configuring your custom DNS for DNSSEC

1. Edit named.conf.options

You will want to start by enabling your nameserver to handle DNSSEC. To do this, add the following three lines between the { and } that follow “options” in the named.conf.options file:

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

2. Generate your keys

Note that you may want to run a program to gain entropy so that this step goes faster (like this one); otherwise it may take a long time for your keys to be generated.

We will use algorithm 7 (RSASHA1-NSEC3-SHA1) to generate your keys. To do this, go to the directory where your zones are located, and type the following (replacing with your own domain):

  dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE


  dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE

Once you have done that, you will see 4 new files in the directory, like this:  

3. Add the keys to your zonefile

In the .key files that you generated, you will see a line that looks something like: IN DNSKEY 256 3 7 AwEAAdiTdNNzO/2fcdF7PiUO5WA33AQZ5dmpgXaKq8TLjnNbZlQNEFDK aZTTPG2myhspl4MRNlrLDfTsONStV519+iSiEDk9NyJ4gzNLBCUit9Vf EFg+qiChjeiknIGLbDO0YkJ5YaIojRkgXPjf8Od5QUKGKzhAEnjfRkeT vllE70uTeoP8uWA3R9gaJO5vs1E3Jn+tP7YgLQ+zGcMfbL3EiSvx3Fd3 LVnIs/A6HzmnkoFf0BdYtP2PUgecTBhf4SNwnjefQw52A/newph97vxF C7urmFcfcJ4OirUv/sAhSvTeHXvOKIDibSy9C/kZ7m4J8Dkp3bONcKLx 6emsy/qJ30TnxD3+Bhzm0ASTQSk7ByR9Ef8QnJRgWIPnmxuHKWkk1X2q DiZN6amI0D0yfuJAtpHCqTrJ4YwRLTqlNyRd4ITFm5aUmalcFO5VDtfY C7AOP+c1SjzrDDO6gsqoptsT+8s4vRRZGa8E2kwr20r8cfTsAkWxsOH5 UOy4u1zaj+9hghqLUXY2LtT9P0/4+dPqn9VfIvPV8lsQjXp89Nn1RW6W jA9XEh1D/PEZTJXbH1ZWoSiesV7vzRV+eSx0IZcTEX8zCWXKQlkRaxep cognCMv8sAe+WKTIQl5etl0+0QuDcgOPXT0CjbWRbIXKa3xeVfhMGBra uEn7X8LnyEJVCJKJ

These are the DNSKEY records that you need to add to your zonefile. Copy them carefully and paste them into your zonefile. You can see what this looks like in the example below (don't forget to increment your zone file serial number):

$TTL    10800
@       IN      SOA (
                              2         ; Serial
                          10800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS
ns1     IN      A
@  IN MX 10
@  IN MX 50
imap  IN CNAME
smtp  IN CNAME
webmail  IN CNAME
IN DNSKEY 256 3 7 AwEAAZt0RlA3cfU/z4IUYcUu7rKK0JYuy8Uy28+4j0WJ6UQZsFdifVr9 j1xnJqfyR24IDlp6TPFc9NjVb2uusdEDh2Iz19e6oQFTjlDsWn46WAxO PZcaydLzyBl7Cx40WMRX00ohgXxZLXNh5LrKg26TrFNgjbt5bM4vMNpg AcPk7aRPfv9xKyH0aW9FkQRoJM6eGkclpjpTzr+Gug1Oltl8tvb5FhZB GNWZr/A3M8LSdTpXgtbGcqbakHpFJL7CsvYmhTKXm/OknpPetfu6m5JR fdAga/vgOBmWu+0WbvHpkiPNhJrV4jKSWbsS85DefGCHlRkwwIjh28Gb lS5iFGD8/38=
IN DNSKEY 257 3 7 AwEAAdiTdNNzO/2fcdF7PiUO5FA33AQZ5dmpgXaKq8TLjnNbZlQNEFDK aZTTPG2myhspl4MRNlrLDfTsONStV519+iSiEDk9NyJ4gzNLBCUit9Vf EFg+qiChjehknIGLbDO0YkJ5YaIojRkgXPjf8Od5QUKGKzhAEnjfRkeT vllE70uTeoP8uWA3R9gaJO5vs1E3Jn+tP7YgLQ+zGcMfbL3EiSvx3Fd3 LVnIs/A6HzmnuoFf0BdYtP2PUgecTBhf4SNwnjefQw52A/newph97vxF C7urmFcfcJ4OirUv/sAhSvTeHXvOKIDibSy3C/kZ7m4J8Dkp3bONcKLx 6emsy/qJ30TnxDv+Bhzm0ASTQSk7ByR9Ef8QnJRgWIPnmxuHKWkk1X2q DiZN6amI0D0yfuJAtkHCqTrJ4YwRLTqlNyRd4ITFm5aUmalcFO5VDtfY C7AOP+c1SjzrDDO6gQqoptsT+8s4vRRZGa8E2kwr20r8cfTsAkWxsOH5 UOy4u1zaj+9hghqLUXY2LtT9P0/4+dPqn9VfIvPV8lsQjXp89Nn1RW6W jA9XEh1D/PEZTJXbHAZWoSiesV7vzRV+eSx0IZcTEX8zCWXKQlkRaxep cognCMv8sAe+WKTIQl5etl0+0QuDcgOPXT0CjbWRbIXKa3xeVfhMGBra uEn7X8LnyEJVCJKJ

4. Sign your zone file

You now need to sign your zone file using the dnssec-signzone command.

dnssec-signzone -3 'random' -A -N INCREMENT -o -t

Be sure to replace “random” with at least 16 random letters and numbers (I used a result from for this), and be sure to adapt “” and “” to the name of your zone, and the name of your zone file.

Unless you made an error in your zone file, you should now see a result like this:

Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone signing complete:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 0 stand-by, 0 revoked
Signatures generated:                       20
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.066
Signatures per second:                 302.805
Runtime in seconds:                      0.123

5. Edit /etc/bind/named.conf.local

When you signed your zone file, it made a new file called This is where the RRSIG records are for each of your DNS records. In order for your server to know this, you need to update the named.conf.local file again.

This time, you will need to update the zone's file location from what it was:

      file "/etc/bind/";

To the new, signed one:

      file "/etc/bind/";

6. Reload bind and test

You may now reload the nameserver (by reloading you don't stop the DNS service, which would happen during a restart):

service bind9 reload

After this, you should be done. You can test the server to see how it works with:

dig DNSKEY @localhost   


dig A @localhost +noadditional +dnssec

If successful, you should see the DNSKEY and RRSIG records respectively.
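When no end time is given with -e, dnssec-signzone creates signatures that are valid for 30 days, so a zone signed by hand as above has to be re-signed before its RRSIG records expire. The script below is an added example, not part of the original guide: it reads the dig +dnssec answer from this step and reports the days left; the name example.test, the address 192.0.2.10, the key tag and the signature text are constructed sample values.

```shell
#!/bin/sh
# Added example: days left before the soonest RRSIG in a dig answer expires.

# rrsig_days_left NOW_EPOCH   (dig output on stdin) -> prints whole days left
rrsig_days_left() {
    awk -v now="$1" '
    # YYYYMMDDHHMMSS (UTC) -> Unix epoch seconds, via days-from-civil arithmetic
    function epoch(ts,   y, m, d, era, yoe, doy, doe, days) {
        y = substr(ts, 1, 4) + 0; m = substr(ts, 5, 2) + 0; d = substr(ts, 7, 2) + 0
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468
        return days * 86400 + substr(ts, 9, 2) * 3600 + substr(ts, 11, 2) * 60 + substr(ts, 13, 2)
    }
    # dig columns: name ttl class RRSIG covered alg labels origttl expiry inception ...
    $4 == "RRSIG" && length($9) == 14 && $9 ~ /^[0-9]+$/ {
        left = epoch($9) - now
        # floor, so a signature that expired one second ago reports -1
        d = (left >= 0) ? int(left / 86400) : -int((86399 - left) / 86400)
        if (!seen || d < min) { min = d; seen = 1 }
    }
    END { if (!seen) exit 2; print min }'
}

# check_rrsig NOW_EPOCH MIN_DAYS   (dig output on stdin)
# returns 0: enough validity left, 1: re-sign the zone now, 2: no RRSIG found
check_rrsig() {
    days=$(rrsig_days_left "$1") || return 2
    [ "$days" -ge "$2" ]
}

# Constructed sample of the answer section printed by dig with +dnssec.
SAMPLE_ANSWER='example.test. 10800 IN A 192.0.2.10
example.test. 10800 IN RRSIG A 7 2 10800 20240214120000 20240115120000 12345 example.test. c2lnbmF0dXJlLXBsYWNlaG9sZGVy'
# 2024-02-01 12:00:00 UTC, fixed so the sample result is reproducible.
SAMPLE_NOW=1706788800

printf '%s\n' "$SAMPLE_ANSWER" | rrsig_days_left "$SAMPLE_NOW"

# Live use, with your own zone name in place of the placeholder:
#   dig A <your-zone> @localhost +noadditional +dnssec | check_rrsig "$(date +%s)" 7
```

Run from cron, a non-zero exit status from check_rrsig is the signal to repeat the signing step and reload BIND.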

7. Add the DNSSEC keys at Gandi

Now that you are sure that your Nameserver is configured for DNSSEC, you need to use Gandi's DNSSEC interface to declare the keys at the registry.

In this example we used algorithm 7 (RSASHA1-NSEC3-SHA1), so if you used that one as well, you will choose it on the form in the Gandi interface. For more information on this, see the DNSSEC interface wiki page at:

After this has been done, please wait a bit to ensure proper zone propagation before testing. If the test returns errors, but you feel they should be there, wait a bit longer and try again. Verisign Labs has a good tool for testing:


Last modified: 05/12/2016 at 11:31 by Larry B. (Gandi)