Example: Configuring Secure Domains and Trusted Keys for DNSSEC
This example shows how to configure secure domains and trusted keys for DNSSEC.
Configure the name server IP address so that the DNS resolver forwards all DNS queries to the DNSSEC-validating name server rather than to a plain (non-validating) DNS server. See Example: Configuring DNSSEC for more information.
You can configure secure domains and assign trusted keys to the domains. When DNSSEC is enabled, signed responses are validated against the configured trusted keys or trusted anchors; whether an unsigned response is accepted depends on whether the domain is configured as a secure domain.
When a domain is configured as a secure domain and DNSSEC is enabled, all unsigned responses for that domain are discarded and the server returns a SERVFAIL error code to the client for those responses. If the domain is not configured as a secure domain, unsigned responses are accepted.
When the server receives a signed response, it checks whether the DNSKEY in the response matches any of the configured trusted keys. If it finds a match, the server accepts the signed response.
You can also attach a DNSSEC lookaside validation (DLV) zone, such as dlv.isc.org, as a trusted anchor to a secure domain to validate signed responses. When the server receives a signed response, it queries the DLV zone for a DS record for the domain. When it receives the DS record, it checks whether the digest in the DS record matches the DNSKEY in the signed response (a DS record carries a hash of the DNSKEY and its key tag, not the key itself). If it finds a match, the server accepts the signed response. Note that ISC has since retired the dlv.isc.org lookaside service and emptied the zone, so a DLV trusted anchor pointing at it no longer validates anything; configure a trusted key for the domain instead.
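The two checks described above (a DNSKEY compared against a configured trusted key, and a DNSKEY compared against a DS record obtained from a trusted anchor) modelled at the protocol level, together with the secure-domain decision. This is an added Python example, not Junos code and not part of the original page. The key bytes, the dictionary shape used for trusted keys and the behaviour for a signed response that matches nothing are assumptions made for the example and are marked as such in the code; the Junos trusted-keys string format is not modelled.

```python
"""Added example (not Junos code): the two DNSSEC checks described in the text,
modelled at the protocol level.  All key material below is constructed and toy-sized."""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str         # zone the key belongs to, e.g. "domain1.net."
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3 for DNSSEC (RFC 4034)
    algorithm: int     # 8 = RSASHA256, 13 = ECDSAP256SHA256, ...
    public_key: bytes  # raw public key; toy bytes in this example, not a real key

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int   # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: bytes

_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root as 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit sum over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest per RFC 4034 s5.1.4: H(owner name in wire form || DNSKEY RDATA)."""
    digest = _DIGESTS[digest_type](name_to_wire(key.owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)

def dnskey_matches_ds(key: DNSKEY, ds: DS) -> bool:
    """The DS check: recompute the DS for the response DNSKEY and compare digests.
    The key tag is only a cheap pre-filter; two different keys can share a tag."""
    if ds.digest_type not in _DIGESTS or ds.algorithm != key.algorithm:
        return False
    if ds.key_tag != key_tag(key.rdata()):
        return False
    return hmac.compare_digest(ds_from_dnskey(key, ds.digest_type).digest, ds.digest)

def dnskey_matches_trusted(key: DNSKEY, trusted_keys: dict) -> bool:
    """The trusted-keys check. trusted_keys maps a zone name to base64 public keys;
    this dict shape is an assumption of the example, not the Junos trusted-keys syntax."""
    for zone, encoded_keys in trusted_keys.items():
        if name_to_wire(zone) != name_to_wire(key.owner):
            continue
        for b64 in encoded_keys:
            if hmac.compare_digest(base64.b64decode(b64), key.public_key):
                return True
    return False

def validate(domain: str, signed: bool, key, secure_domains, trusted_keys, lookaside_ds) -> str:
    """The decision described in the text: returns "ACCEPT" or "SERVFAIL".
    lookaside_ds maps a zone to the DS records fetched from the DLV trusted anchor.
    Assumption (not stated on the page): a signed response whose DNSKEY matches neither
    a trusted key nor a lookaside DS is treated exactly like an unsigned response."""
    secure = name_to_wire(domain) in {name_to_wire(d) for d in secure_domains}
    verified = False
    if signed and key is not None:
        candidate_ds = [ds for zone, lst in lookaside_ds.items()
                        if name_to_wire(zone) == name_to_wire(key.owner) for ds in lst]
        verified = dnskey_matches_trusted(key, trusted_keys) or any(
            dnskey_matches_ds(key, ds) for ds in candidate_ds)
    if verified:
        return "ACCEPT"
    return "SERVFAIL" if secure else "ACCEPT"

# Constructed sample data mirroring the configuration on this page (toy key bytes).
SECURE_DOMAINS = ["domain1.net", "domain2.net"]
KEY1 = DNSKEY("domain1.net.", 257, 3, 8, b"\x01\x02\x03\x04")   # trusted key for domain1.net
KEY2 = DNSKEY("domain2.net.", 257, 3, 8, b"\x0a\x0b\x0c\x0d")   # anchored via DS for domain2.net
TRUSTED_KEYS = {"domain1.net.": {base64.b64encode(KEY1.public_key).decode()}}
LOOKASIDE_DS = {"domain2.net.": [ds_from_dnskey(KEY2)]}

if __name__ == "__main__":
    print("key tag of KEY1:", key_tag(KEY1.rdata()))
    for dom, signed, key in [("domain1.net", False, None), ("domain1.net", True, KEY1), ("domain2.net", True, KEY2)]:
        print(dom, "signed" if signed else "unsigned", "->",
              validate(dom, signed, key, SECURE_DOMAINS, TRUSTED_KEYS, LOOKASIDE_DS))
```

The DS comparison deliberately rehashes the full owner name plus RDATA rather than trusting the key tag alone: the tag is a 16-bit checksum, so two different keys can carry the same tag, and a resolver that stopped at the tag comparison would accept a key the parent or lookaside zone never vouched for.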
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set system services dns dnssec secure-domains domain1.net
set system services dns dnssec secure-domains domain2.net
set system services dns dnssec trusted-keys key "domain1.net.ABC123ABCh"
set system services dns dnssec dlv domain domain2.net trusted-anchor dlv.isc.org
To configure secure domains and trusted keys for DNSSEC:
- Configure domain1.net and domain2.net as secure domains.
user@host# set system services dns dnssec secure-domains domain1.net
user@host# set system services dns dnssec secure-domains domain2.net
- Configure a trusted key for domain1.net. The key string shown here is a placeholder; use the zone's actual public key.
user@host# set system services dns dnssec trusted-keys key "domain1.net.ABC123ABCh"
- Attach the DLV zone dlv.isc.org as a trusted anchor to the secure domain domain2.net.
user@host# set system services dns dnssec dlv domain domain2.net trusted-anchor dlv.isc.org
From configuration mode, confirm your configuration by entering the show system services command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.