Securing DNS traffic with DNSSEC in Red Hat 9?


Hi to the Red Hat community,

I would like to find information please about Red Hat 9 that would, essentially, cover the same topics as the ones covered here in the Red Hat 7 security guide.

So far, I could check:
- this post on the Red Hat Sysadmin blog about Unbound;
- different Red Hat 9 guides such as here;
- the Red Hat 8 and 9 Release notes, in search of deprecated packages, to find out about 'dnssec-trigger', as it is available in Fedora but I can't find it in Red Hat 9.

Many thanks in advance,

Alexandre

Responses

Hi Alexandre,

The RHEL 7 docs are feature-based comprehensive guides. At the time of the RHEL 8 Alpha release, we started from scratch with a completely different approach. We identify real-world user stories (topics), we prioritize them based on the feedback from customers, and we cover them. As such, the RHEL 8 (and 9) docs cannot be complete, and it cannot be our goal. Until your post, we hadn't received any feedback that included a demand for DNSSEC topics.

However, I did some research:

  • The dnssec-trigger package has been removed from RHEL 9 as documented in Considerations of adopting RHEL 9 [1]
  • RHEL 9 provides the bind-dnssec-utils [2] and opendnssec [3] packages
  • The Bind 9 project documentation [4] and the OpenDNSSEC documentation [5] provide guidance for configuring DNSSEC

Hope that the aforementioned helps at least a bit.

Kind regards, --Mirek

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/considerations_in_adopting_rhel_9/index

[2] https://access.redhat.com/downloads/content/bind-dnssec-utils/9.16.23-5.el9_1/x86_64/fd431d51/package

[3] https://access.redhat.com/downloads/content/opendnssec/2.1.8-4.el9/x86_64/fd431d51/package

[4] https://bind9.readthedocs.io

[5] https://wiki.opendnssec.org

Hi Mirek,

Many thanks for this detailed response; it's fantastic to receive responses of this quality, but it looks to be the Red Hat way of doing things. :)

As a humble Red Hat user, I find that the Red Hat 9 documentation is really, really good; it's just that I couldn't figure out how to find this topic, but with your response I've got all the elements I was looking for. Many thanks for your help!

Alexandre

Hi Alexandre,

I'm glad that my findings helped. If we see that more customers are struggling with deploying and configuring DNSSEC on RHEL, we will cover this topic in the RHEL 8 and 9 product documentation (most probably the Securing networks document) for sure.

Have a nice weekend, --Mirek

Hi Mirek,

Just a quick additional question please: do you know if there is a change with the drill command or package?

Running a standard RHEL 8.7 instance, I have installed Unbound, and ldns is there too.

However, drill can't be found as a command, and it seems it can't be found to install either.

When I first used drill, it was on RHEL 8.6, and I remember that it got installed right away and worked well. Having checked the 8.7 release notes [1], it seems there is no change, and I also checked on Git [2]: drill is still included in ldns.

Any thoughts on this?

Alexandre

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/deprecated_functionality#deprecated-packages

[2] https://github.com/NLnetLabs/ldns/blob/develop/README

The drill command moved, along with more useful DNS utilities, from the main ldns package into the ldns-utils package before RHEL 8 was forked from Fedora. That would be a reason why it is not mentioned explicitly in the RHEL documentation. It was part of the ldns package in RHEL 7, but it has been separate since the beginning of RHEL 8. The ldns package contains just the ldns library build, which is required only by the opendnssec package.

There was a change in RHEL 9.1, which moved ldns-utils and some ldns bindings for other languages into the Content Ready Builder (CRB) repository. After the CRB repository is enabled, they should be available. Unfortunately, it seems a similar change does not exist for RHEL 8. I doubt, however, that it was ever shipped in an official RHEL 8 repository. We have internal builds of it, but they are not accessible to our customers. If you want to use anything from ldns-utils, please request moving them to some public repository via a customer request. It would take some time; it is too late for RHEL 8.8.

Hi Petr,

Many thanks for your reply and for the context: indeed, I couldn't figure out how to find this package from the standard Red Hat repos, having also tried to find out about ldns-utils.

That's not a big deal at all; I suppose that if customers don't ask for it at the moment, they must have a way to manage that. Actually, now that I know that it's not there, as a (free) dev/test licence user, I don't think I should submit any request about it :) and I am going to use the package downloaded directly from NLnetLabs.

By the way, thanks again for Mirek's response: it made me have a look into the BIND documentation, which I initially didn't think to approach as it was deemed too "big" for my needs, and that's a great resource about DNSSEC.

Many thanks and best regards,

Alexandre

Most actions could be done with the dig or delv commands from bind-utils. Those are excellent tools and are similar to the ldns drill utility. Part of the unbound package is also the unbound-host command, which might help too.

You can rebuild your own ldns with all subpackages yourself. It may work a bit better.

$ dnf install rpm-build
$ dnf download --source ldns
$ dnf builddep --enablerepo='*CRB' ldns*.src.rpm
$ rpmbuild --rebuild ldns*.src.rpm

This should create a set of packages for you from our current sources. One of them would also be ldns-utils.
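As an added example (not part of Petr's reply or of the bind-utils or ldns projects), the script below shows what a DNSSEC check with dig from bind-utils actually looks for: the `ad` (authenticated data) flag set by a validating resolver and the presence of RRSIG records in the answer. The dig output it parses is a constructed sample so that it runs offline; on a RHEL host you would feed it the output of `dig +dnssec <name> A` instead.

```shell
#!/bin/sh
# Added example, not from the thread: classify `dig +dnssec` output by DNSSEC status.
# check_dnssec <dig-output>  ->  prints one of: validated, signed-unvalidated, unsigned
check_dnssec() {
    out="$1"
    # The header line ";; flags: qr rd ra ad; ..." lists the response flags.
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    has_ad=0
    has_rrsig=0
    for f in $flags; do
        [ "$f" = "ad" ] && has_ad=1   # resolver asserts it validated the data
    done
    # Any RRSIG record in the answer means the zone is signed.
    printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]' && has_rrsig=1
    if [ "$has_ad" -eq 1 ] && [ "$has_rrsig" -eq 1 ]; then
        echo validated
    elif [ "$has_rrsig" -eq 1 ]; then
        echo signed-unvalidated   # signed, but this resolver did not (or could not) validate
    else
        echo unsigned
    fi
}

# Constructed sample: a validating resolver (e.g. a local Unbound) answered with ad set.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.    3600  IN  A      192.0.2.1
example.test.    3600  IN  RRSIG  A 13 2 3600 20300101000000 20250101000000 12345 example.test. cnNpZ2RhdGE='

# Constructed sample: the zone is signed, but the resolver did not validate (no ad flag).
SAMPLE_UNVALIDATED=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.test.    3600  IN  A      192.0.2.1
example.test.    3600  IN  RRSIG  A 13 2 3600 20300101000000 20250101000000 12345 example.test. cnNpZ2RhdGE='

# Constructed sample: unsigned zone, no RRSIG at all.
SAMPLE_UNSIGNED=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
example.test.    3600  IN  A      192.0.2.1'

check_dnssec "$SAMPLE_VALIDATED"      # validated
check_dnssec "$SAMPLE_UNVALIDATED"    # signed-unvalidated
check_dnssec "$SAMPLE_UNSIGNED"       # unsigned
```

The `ad` flag is only as trustworthy as the path to the resolver that set it, which is why delv, which performs the validation itself, is the stronger check of the two tools Petr names.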

Hi Petr, many thanks for responding back on this issue!

So, firstly, just a quick erratum: I have double-checked, and drill actually got installed on Fedora 37, which I used at the same time and in parallel with RHEL 8.6. When it got installed, it included both the ldns and ldns-utils packages.

Having said that, I very much like what you've just suggested: it works well (I just had to replace CRB with the full repo name), and the package and all ldns dependencies got downloaded and installed. Many thanks :)