Dark's Code Dump

Possibly useful

PowerDNS and Porkbun DNSSEC guide

There is a lack of tutorial-style guides to set up DNSSEC on PowerDNS. It turns out the process is remarkably simple:

pdnsutil secure-zone example.com
pdnsutil rectify-zone example.com
pdnsutil show-zone example.com
pdns_control notify example.com
  • secure-zone generates the DNSSEC keys using secure defaults.
  • rectify-zone I saw was recommended to use after secure-zone, might not be necessary but no harm in running this.
  • show-zone to give you the keys to enter into your registrar control panel.
  • notify because none of the previous commands cause an AXFR to your slave server. (DNSSEC 'just works' on PowerDNS slaves, which is in contrast to some documentation I saw that suggested you needed a separate database replication system.)

On the Porkbun end, you must fill in the following:

  • Under dsData:
    • Key tag: The number following tag = in the show-zone results.
    • DS Data Algorithm: 13: ECDSA/SHA-256
    • Digest Type: 2: SHA-256
    • Digest: The contiguous 64 character value before ; ( SHA256 digest ) in the show-zone results

Leave everything else, including Max Sig Life blank.


Daisy says:

Thank you!This is the only helpful tutorial.

Leave a Reply