How to Properly Disable DNSSEC on BIND9 Authoritative Name Servers: Key Removal and Zone Configuration



When removing DNSSEC support from a BIND9 authoritative nameserver, simply deleting key files and restarting isn't sufficient. The process requires both cryptographic key removal and zone file modifications to ensure proper DNS resolution continues functioning.

# 1. First, stop the BIND service
sudo systemctl stop named

# 2. Remove all DNSSEC key files from the key directory
sudo rm -f /var/lib/bind/pri/Kexample.com*.{private,key}

# 3. Clean up signed zone files
sudo rm -f /var/lib/bind/pri/example.com.signed

# 4. Edit your zone file to remove DNSSEC records
nano /etc/bind/zones/example.com.db

In your zone file, remove these DNSSEC-specific records:

  • DNSKEY records
  • RRSIG records
  • NSEC/NSEC3 records
  • DS record references

Update your named.conf or included configuration files:

zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.db";
    # Remove these DNSSEC options:
    # auto-dnssec maintain;
    # key-directory "/var/lib/bind/pri";
};

# Check zone file syntax
named-checkzone example.com /etc/bind/zones/example.com.db

# Verify configuration syntax
named-checkconf

# Start BIND and monitor logs
sudo systemctl start named
sudo journalctl -u named -f

Remember to:

  1. Remove DS records at your domain registrar
  2. Update TTL values for smoother transition
  3. Monitor DNS propagation using tools like dig

# Example verification command
dig +nocmd +nocomments +nostats example.com DNSKEY

If you encounter resolution problems after DNSSEC removal:

  • Clear resolver caches (both local and upstream)
  • Ensure all instances of signed zones are purged
  • Verify parent zone no longer references DS records

When removing DNSSEC from a domain hosted on BIND9, simply deleting key material isn't sufficient. The process requires coordinated changes to both your DNS zone configuration and the parent domain's DS records.

First, remove all DNSSEC-related records from your zone file. This includes:

example.com. IN DNSKEY 256 3 8 (...)
example.com. IN RRSIG DNSKEY (...)
; Remove all DNSSEC-related records including RRSIG, NSEC/NSEC3, and DNSKEY

While removing files from /var/lib/bind/pri is part of the process, you should also:

rm /var/lib/bind/pri/Kexample.com.*
rm /var/lib/bind/pri/dsset-example.com.

Modify your named.conf or included zone file to disable DNSSEC:

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    // Remove any dnssec-related directives like:
    // auto-dnssec maintain;
    // key-directory "/var/lib/bind/pri";
};

This critical step is often missed. Contact your domain registrar or TLD operator to:

  • Remove the DS records from the parent zone
  • Verify removal with dig +short DS example.com

After implementation, verify with:

dig +dnssec example.com SOA
named-checkconf -z
rndc reload

Many administrators forget about:

  • Temporary cached DNSSEC records (wait for TTL expiration)
  • Multiple DS records at the registrar
  • Secondary nameservers that might still have DNSSEC enabled

If transitioning to another DNS provider:

  1. Remove DNSSEC before changing NS records
  2. Coordinate with both old and new providers
  3. Monitor with delv during transition
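Both answers above tell you to strip the DNSKEY, RRSIG, NSEC/NSEC3 and DS records out of the zone file by hand (step 4 of the first answer, the zone-file excerpt of the second). The script below is an added example, not code from either answer and not a BIND tool: it removes those records mechanically and reports which DNSSEC types are still present, treating a multi-line ( ... ) record as one unit, ignoring ';' comments and quoted strings, and also covering NSEC3PARAM, CDS and CDNSKEY, which only exist in a signed zone. The zone text is constructed sample data with placeholder key material.

```python
import re
# RR types the answers above say to remove from an unsigned zone, plus
# NSEC3PARAM, CDS and CDNSKEY, which exist only in a signed zone.
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DS", "CDS", "CDNSKEY"}
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')   # quoted strings (TXT etc.) may contain ';' or '('
_TTL = re.compile(r"\d+[SMHDW]?")            # 3600, 1H, 2D ...

def _code_part(line):  # the line with quoted strings blanked and the ';' comment cut off
    return _QUOTED.sub('""', line).split(";", 1)[0]

def _rr_type(line):  # RR type on a record's first line; None for blanks and $ directives
    toks = (code := _code_part(line)).split()
    if not toks or toks[0].startswith("$"):
        return None
    if not code[0].isspace():       # an owner name is present: skip it
        toks = toks[1:]
    for tok in toks:                # skip optional TTL and class, stop at the type
        if not (_TTL.fullmatch(tok.upper()) or tok.upper() in ("IN", "CH", "HS")):
            return tok.upper()
    return None

def _classified_lines(zone_text):  # yield (rr_type, line); ( ... ) continuation lines get the record's type
    depth, rtype = 0, None          # depth = unclosed '(' so a multi-line record stays one unit
    for line in zone_text.splitlines(keepends=True):
        if depth == 0:
            rtype = _rr_type(line)
        yield rtype, line
        depth = max(0, depth + sum(1 if c == "(" else -1 for c in _code_part(line) if c in "()"))

def strip_dnssec(zone_text):
    """Return the zone text with every DNSSEC record (all of its lines) removed."""
    return "".join(l for t, l in _classified_lines(zone_text) if t not in DNSSEC_TYPES)

def remaining_dnssec_types(zone_text):
    """DNSSEC RR types still present; an empty set means the zone file is clean."""
    return {t for t, _ in _classified_lines(zone_text) if t in DNSSEC_TYPES}

# Constructed sample zone; the key data and DS digest are placeholders, not real values.
SAMPLE_ZONE = """\
@       IN SOA ns1.example.com. hostmaster.example.com. (
            2024010101 ; serial (constructed)
            7200 3600 1209600 3600 )
        IN NS  ns1.example.com.
        IN DNSKEY 257 3 8 ( AwEAAc3PqZ5hDBGk
            placeholderKeyDataNotARealKey== )
        IN RRSIG DNSKEY 8 2 3600 20240201000000 20240101000000 12345 example.com. dGVzdA==
sub     IN DS  12345 8 2 ( 0000000000000000000000000000000000000000 )
www     IN TXT "dnssec; (not a record) DNSKEY"
"""
```

Write the output of strip_dnssec to a new file and run named-checkzone on it before pointing the zone's file directive at it; remaining_dnssec_types on the result should return an empty set.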