DNSSEC: Nkosi Communications
This document is licensed under the Creative Commons Attribution 4.0 International License
Nkosi Communications uses the Cozadomain Registrar for co.za domain names and provides DNSSEC services to Business Clients (Products: A,AA,AAA)
Terms & Conditions: ZACR T&C, Our own T&C and additional T&C as specified and/or included, applies

Cozadomain requires only one file to enable DNSSEC on your co.za domain name and submit your data to the ZACR Registry

* The Complete KSK .key file for each DNSSEC enabled domain*

Here is a short and very basic guide on how to sign your own zone (and to generate the KSK file (as required by Cozadomain and potentially other co.za domain Registrars)

General DNSSEC Information (as it relates to the ZACR, Cozadomain & co.za domains)

DNSSEC uses public key cryptography, one signs your DNS zones with a private key and all clients will verify signatures against your public key.

DNSSEC has some additional record types (In your signed zone file):

The DNSKEY record type: The public key for your zone (can be multiples, as you are able to sign your zone with more than one key)
The RRSIG record type: Each entry in your zone (except RRSIG) is signed and stored in an RRSIG record (in the zone)
The DS record type: DS record is a hash of the public key for your zone and is stored in the parent to establish a chain of trust

How to sign your own zone file:


  • Installed Bind9 & DNSSEC
  • Replace “yours.co.za” With your own domain name
  • The below example generates Algorithm number 8

DNSSEC Sign your own dns zone file:

Step One:

Generate a key Signing Key (KSK)

Command: dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE yours.co.za

Result: 2x new files, one ending in .key and one ending in .private)

(In this example the KSK are renamed to Kyours.co.za.+008+09544.ksk.key AND Kyours.co.za.+008+09544.ksk.private )

Step Two:

Generate a Zone Signing Key (ZSK)

Command: dnssec-keygen -a RSASHA256 -b 2048 -n ZONE yours.co.za
Result: 2x new files, one ending in .key and one ending in .private)


TIP/HINT: Maybe rename the KSK files (.key & .private – you can also view the .key file itself to see which is the KSK and which is the ZSK)
If your KSK file is called yours.co.za.+008+09544.key and yours.co.za.+008+09544.private

Step Three:

Assumption: There are four new files, after Step One & Step 2, starting with Kyours.co.za*

Add two lines to the bottom of your un-signed zone file in this example the file is called: “yours.co.za.zonefilename”

$include /etc/named/Kyours.co.za.+008+09544.ksk.key
$include /etc/named/Kyours.co.za.+008+09217.key


Step Four:

Sign your zone file (Generate the RRSIG records for each data in your zone file using the ZSK key)

Command: dnssec-signzone -e20180906120101 -g -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -k /path/to/var/chroot/bindkeys/Kyours.co.za.+008+09544.ksk.key -o yours.co.za -t /path/to/var/chroot/bindzones/yours.co.za.zonefilename

If this worked for you, you will now have two new files: yours.co.za.zonefilename.signed
You will also have a file called dsset-yours.co.za. (Which contains DS hashes of your keys) –

Step Five: Edit the named.conf to reflect the new zone file name: yours.co.za.zonefilename.signed


TIP/HINT: If you receive errors, check your path, file permissions, file ownership

TIP/HINT: The -e20180906120101 above is the expiry, 6 September 2018 at one minute and one second past 12

TIP/HINT: The $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) is salt, you need not use salt

TIP/HINT: Full description of the dnssec-signzone options, are here

TIP/HINT: Ensure to rotate keys regulary. Please see your DNS support section, in your Secure Business Hosting package.

Step Six:

Submit your KSK .key file to Cozadomain registrar

Step Seven:

display the values of the file on your DNS Server: dsset-yours.co.za.

and compare the values to the result of this:

Command: dig @ns1.coza.net.za DS yours.co.za

If the values match: Congratulations! Your DNSSEC is functional


* The KSK file submitted to Cozadomain has to use one of the following Algorithms (reproduced with credit to IANA: http://www.iana.org) :

Number Description Mnemonic Zone
0 Delete DS DELETE N N [RFC4034][RFC4398][RFC8078]
1 RSA/MD5 (deprecated, see 5) RSAMD5 N Y [RFC3110][RFC4034]
2 Diffie-Hellman DH N Y [RFC2539][proposed standard]
3 DSA/SHA1 DSA Y Y [RFC3755][proposed standard][RFC2536][proposed standard][Federal Information Processing Standards Publication (FIPS PUB) 186,
Digital Signature Standard, 18 May 1994.][Federal Information Processing Standards Publication (FIPS PUB) 180-1,
Secure Hash Standard, 17 April 1995.
(Supersedes FIPS PUB 180 dated 11 May 1993.)]
4 Reserved [RFC6725]
5 RSA/SHA-1 RSASHA1 Y Y [RFC3110][RFC4034]
6 DSA-NSEC3-SHA1 DSA-NSEC3-SHA1 Y Y [RFC5155][proposed standard]
7 RSASHA1-NSEC3-SHA1 RSASHA1-NSEC3-SHA1 Y Y [RFC5155][proposed standard]
8 RSA/SHA-256 RSASHA256 Y * [RFC5702][proposed standard]
9 Reserved [RFC6725]
10 RSA/SHA-512 RSASHA512 Y * [RFC5702][proposed standard]
11 Reserved [RFC6725]
12 GOST R 34.10-2001 ECC-GOST Y * [RFC5933][standards track]
13 ECDSA Curve P-256 with SHA-256 ECDSAP256SHA256 Y * [RFC6605][standards track]
14 ECDSA Curve P-384 with SHA-384 ECDSAP384SHA384 Y * [RFC6605][standards track]
15 Ed25519 ED25519 Y * [RFC8080][standards track]
16 Ed448 ED448 Y * [RFC8080][standards track]
17-122 Unassigned
123-251 Reserved [RFC4034][RFC6014]
252 Reserved for Indirect Keys INDIRECT N N [RFC4034][proposed standard]
253 private algorithm PRIVATEDNS Y Y [RFC4034]
254 private algorithm OID PRIVATEOID Y Y [RFC4034]
255 Reserved [RFC4034][proposed standard]