There is a lack of tutorial-style guides to set up DNSSEC on PowerDNS. It turns out the process is remarkably simple:
```
pdnsutil secure-zone example.com
pdnsutil rectify-zone example.com
pdnsutil show-zone example.com
pdns_control notify example.com
```

- `secure-zone` generates the DNSSEC keys using secure defaults.
- `rectify-zone` is something I saw recommended for use after `secure-zone`; it might not be necessary, but there is no harm in running it.
- `show-zone` gives you the keys to enter into your registrar control panel.
- `notify` is needed because none of the previous commands cause an AXFR to your slave server. (DNSSEC 'just works' on PowerDNS slaves, which is in contrast to some documentation I saw that suggested you needed a separate database replication system.)
On the Porkbun end, you must fill in the following:
- Under dsData:
  - Key tag: The number following `tag =` in the `show-zone` results.
  - DS Data Algorithm: `13: ECDSA/SHA-256`
  - Digest Type: `2: SHA-256`
  - Digest: The contiguous 64 character value before `; ( SHA256 digest )` in the `show-zone` results.

Leave everything else, including Max Sig Life, blank.
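Before saving the form, the four dsData values can be cross-checked against the zone's DNSKEY record. The following is an added example, not code from the original post or from PowerDNS: it recomputes the key tag and SHA-256 digest as defined in RFC 4034 and compares them with what was typed in. The function names are made up for this example, and the sample key is constructed placeholder bytes, not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample: 64 placeholder bytes stand in for a P-256 public key.
SAMPLE_ZONE = "example.com"
SAMPLE_DNSKEY = ("example.com. IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(range(64))).decode())

def name_to_wire(name):
    """Canonical (lowercased) wire form of a domain name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"

def dnskey_rdata(record):
    """RDATA bytes from a presentation-format DNSKEY record line."""
    tokens = record.split(";", 1)[0].split()          # drop trailing comment
    i = len(tokens) - 1 - tokens[::-1].index("DNSKEY")  # last "DNSKEY" token
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    key = base64.b64decode("".join(tokens[i + 4:]), validate=True)
    return struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_fields(zone, record):
    """The four dsData values for digest type 2 (SHA-256)."""
    rdata = dnskey_rdata(record)
    # DS digest = SHA-256(owner name in wire form | DNSKEY RDATA)
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}

def entered_values_match(zone, record, tag, algorithm, digest_type, digest):
    """True if the values typed into the registrar match the DNSKEY."""
    entered = {"key_tag": int(tag), "algorithm": int(algorithm),
               "digest_type": int(digest_type),
               "digest": "".join(digest.split()).lower()}
    return entered == ds_fields(zone, record)

if __name__ == "__main__":
    for field, value in ds_fields(SAMPLE_ZONE, SAMPLE_DNSKEY).items():
        print(f"{field}: {value}")
```

A mismatch in any field means resolvers that validate DNSSEC will fail to build the chain of trust for the zone, so it is worth running this check before the DS record is published.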
Comments
Thank you! This is the only helpful tutorial.