There is a lack of tutorial-style guides to set up DNSSEC on PowerDNS. It turns out the process is remarkably simple:
pdnsutil secure-zone example.com
pdnsutil rectify-zone example.com
pdnsutil show-zone example.com
pdns_control notify example.com
- secure-zone generates the DNSSEC keys using secure defaults.
- rectify-zone I saw was recommended to use after secure-zone, might not be necessary but no harm in running this.
- show-zone to give you the keys to enter into your registrar control panel.
- notify because none of the previous commands cause an AXFR to your slave server. (DNSSEC 'just works' on PowerDNS slaves, which is in contrast to some documentation I saw that suggested you needed a separate database replication system.)
On the Porkbun end, you must fill in the following:
- Under dsData:
  - Key tag: The number following tag = in the show-zone results.
  - DS Data Algorithm: 13: ECDSA/SHA-256
  - Digest Type: 2: SHA-256
  - Digest: The contiguous 64 character value before ; ( SHA256 digest ) in the show-zone results
Leave everything else, including Max Sig Life, blank.
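To avoid copy-paste mistakes when filling in the dsData form, the four values can be pulled out of the show-zone output and sanity-checked first. This is an added example, not part of the original post; the DS line layout it parses and the sample output (key tag 12345, the repeating digest) are constructed assumptions based on the "tag =" and "; ( SHA256 digest )" markers mentioned above.

```shell
#!/bin/sh
# ds_fields: read `pdnsutil show-zone` output on stdin and print
# "keytag algorithm digesttype digest" for the SHA-256 DS record.
# Assumed line layout (not taken from the post):
#   DS = <zone>. IN DS <keytag> <algo> <digesttype> <digest> ; ( SHA256 digest )
# Exits non-zero if no such line exists or the digest is not 64 hex characters.
ds_fields() {
    awk '
        /^DS = / && /\( SHA256 digest \)/ {
            k = 0
            # The record data starts right after the literal "IN DS".
            for (i = 1; i < NF; i++)
                if ($i == "IN" && $(i+1) == "DS") { k = i + 2; break }
            if (!k) next
            tag = $k; algo = $(k+1); dtype = $(k+2); digest = $(k+3)
            if (dtype != 2 || length(digest) != 64 || digest !~ /^[0-9a-fA-F]+$/) {
                print "malformed SHA-256 DS line: " $0 | "cat 1>&2"
                bad = 1; exit
            }
            print tag, algo, dtype, digest
            found = 1; exit
        }
        END { if (bad || !found) exit 1 }
    '
}

# Constructed sample resembling show-zone output (values are made up).
sample_show_zone() {
    cat <<'EOF'
Zone has NSEC semantics
keys:
ID = 1 (CSK), flags = 257, tag = 12345, algo = 13, bits = 256  Active ( ECDSAP256SHA256 )
CSK DNSKEY = example.com. IN DNSKEY 257 3 13 PLACEHOLDERBASE64== ; ( ECDSAP256SHA256 )
DS = example.com. IN DS 12345 13 1 0123456789abcdef0123456789abcdef01234567 ; ( SHA1 digest )
DS = example.com. IN DS 12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef ; ( SHA256 digest )
EOF
}

# Demo on the constructed sample; on a real server use:
#   pdnsutil show-zone example.com | ds_fields
sample_show_zone | ds_fields
```

The four printed values map, in order, to Key tag, DS Data Algorithm, Digest Type and Digest in the registrar form.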
Comments
Thank you! This is the only helpful tutorial.