5.1 Cryptographic algorithms

The cryptographic algorithms based on SHA-2 (RSA/SHA-256 and RSA/SHA-512) are available in BIND from version 9.6.2. The ECDSA-based algorithms (ECDSA Curve P-256 with SHA-256 and ECDSA Curve P-384 with SHA-384) are available from version 9.9.2. Finally, the EdDSA-based algorithms (Ed25519 and Ed448) are available from version 9.10.7.

RFC 8624 recommends using algorithm 13 (ECDSA Curve P-256 with SHA-256) alongside algorithm 8 (RSA/SHA-256), which was the standard for a long time but is now slowly being phased out in favour of the ECDSA-based algorithms.

Algorithm 10 (RSA/SHA-512), a variant of number 8, has never gained popularity, and its use is now discouraged. Algorithm 14 (ECDSA Curve P-384 with SHA-384) is a stronger version of number 13, but isn't needed yet. However, it is likely that, in due course, algorithm 13 will be succeeded not by algorithm 14 but by an EdDSA-based algorithm (algorithm 15, Ed25519).
The location and naming structure used for the zone files is:

The master zone files (edit those to change records, etc.):
/usr/local/var/named/example.net.zone

The keys:
/usr/local/var/named/keys/

BIND can sign automatically and will produce intermediate files in the same directory as the zone files.

mkdir /usr/local/var/named/keys

Then we need to generate the keys once for each zone file on the master DNS server. That can be done with the following commands:

dnssec-keygen -3 -a ECDSAP256SHA256 -K /usr/local/var/named/keys/ example.net
dnssec-keygen -3 -a ECDSAP256SHA256 -f KSK -K /usr/local/var/named/keys/ example.net

Enable DNSSEC in named.conf by adding the following configuration directives (key-directory inside options { }, the rest in each zone block):

bbedit /usr/local/etc/named.conf

In the main options add:

key-directory "/usr/local/var/named/keys";

In each of the zones to be signed add:

dnssec-policy default;
inline-signing yes;

Restart BIND to sign the zones and load them in master and slaves:
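After the two dnssec-keygen runs above, a quick audit of the .key files in the key-directory confirms that each zone has both a KSK and a ZSK and that no key uses an algorithm the first section marks as discouraged or being phased out. This is an added example, not code from the page or from BIND; it assumes dnssec-keygen's .key file layout (';' comment lines followed by one DNSKEY record in presentation format), and the sample key files are constructed with placeholder key data.

```python
# Added audit helper (not from the page or BIND); assumes dnssec-keygen's .key layout.
# Algorithm numbers discussed on the page, with the RFC 8624 status the page gives them.
ALGORITHMS = {
    8: ("RSASHA256", "being phased out"),
    10: ("RSASHA512", "discouraged"),
    13: ("ECDSAP256SHA256", "recommended"),
    14: ("ECDSAP384SHA384", "stronger than 13, not needed yet"),
    15: ("ED25519", "likely successor of 13"),
}

def parse_key_file(text):
    """Return (zone, flags, algorithm) from one .key file; lines starting ';' are comments."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0].startswith(";"):
            continue
        skip = 1 if fields[1].isdigit() else 0   # optional TTL between owner and class
        if fields[1 + skip] != "IN" or fields[2 + skip] != "DNSKEY":
            continue
        return fields[0].rstrip("."), int(fields[3 + skip]), int(fields[5 + skip])
    raise ValueError("no DNSKEY record in key file")

def audit(key_texts):
    """Group keys by zone; flag a missing KSK/ZSK or a non-recommended algorithm."""
    by_zone = {}
    for text in key_texts:
        zone, flags, alg = parse_key_file(text)
        by_zone.setdefault(zone, []).append((flags, alg))
    report = {}
    for zone, keys in by_zone.items():
        problems = []
        if not any(flags & 1 for flags, _ in keys):   # SEP bit set: KSK (flags 257)
            problems.append("no KSK")
        if all(flags & 1 for flags, _ in keys):       # no plain zone key (flags 256)
            problems.append("no ZSK")
        for _, alg in keys:
            name, status = ALGORITHMS.get(alg, ("unknown", "not covered on the page"))
            if status != "recommended":
                problems.append(f"algorithm {alg} ({name}): {status}")
        report[zone] = problems
    return report

# Constructed sample .key file contents; the key data is a placeholder, not a real key.
SAMPLE_KEYS = [
    "; This is a key-signing key, keyid 12345, for example.net.\n"
    "example.net. IN DNSKEY 257 3 13 PLACEHOLDERKEYDATA==\n",
    "example.net. 3600 IN DNSKEY 256 3 13 PLACEHOLDERKEYDATA==\n",
    "old.example. IN DNSKEY 256 3 10 PLACEHOLDERKEYDATA==\n",
]
```

Run audit() over the contents of every *.key file in /usr/local/var/named/keys/; an empty problem list for a zone means it matches the setup described above.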