VOOZH about

URL: https://www.digitalocean.com/community/tutorials/how-to-set-up-dnssec-on-an-nsd-nameserver-on-ubuntu-14-04

⇱ How To Set Up DNSSEC on an NSD Nameserver on Ubuntu 14.04 | DigitalOcean

How To Set Up DNSSEC on an NSD Nameserver on Ubuntu 14.04

Published on September 25, 2014
πŸ‘ How To Set Up DNSSEC on an NSD Nameserver on Ubuntu 14.04

About DNSSEC

DNS Security Extensions (DNSSEC) is a technology designed to protect applications and DNS resolvers from using forged or manipulated DNS data.

The problem: It is possible for an attacker to tamper with a DNS response or poison the DNS cache and take users to a malicious site with the legitimate domain name in their address bar.

The solution: DNSSEC configured authoritative DNS servers prevent this kind of attack by digitally signing each resource record with a private key. The DNS resolver verifies the integrity of a zone record using the public key and the digital signature.

About NSD

Name Server Daemon (NSD) is an open source authoritative-only DNS server software developed by NLNet Labs. It uses BIND-style zone files for easy configuration.

An authoritative-only DNS server provides answers to queries for the zones that it is responsible for. In this article we will be setting up our own authoritative NSD nameservers for two domain names. We will configure NSD to provide DNSSEC signed replies for both domain names.

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the author(s)

Independent Technical writer, WordPress developer and Linux administrator.

Current fan and former Editorial Manager at DigitalOcean. Hi! Expertise in areas including Ubuntu, Docker, Rails, and more.

Still looking for an answer?

Was this helpful?

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Hi,

Great article! One remark though: Have you thought about how to keep the signed zone fresh? RRSIG’s will expire and should be refreshed in time. In other words, a signed zone should be resigned every once in a while. Would be great if your article would mention that.

Cheers,

– Marco

πŸ‘ Creative Commons
This work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 4.0 International License.

  • Deploy on DigitalOcean

    Click below to sign up for DigitalOcean's virtual machines, Databases, and AIML products.

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and AI-native businesses

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow β€” whether you're running one virtual machine or ten thousand.

Start building today

From GPU-powered inference and Kubernetes to managed databases and storage, get everything you need to build, scale, and deploy intelligent applications.

Β© 2026 DigitalOcean, LLC.Sitemap.
Dark mode is coming soon.