
I’ve been running PowerDNS for a couple of months now, including DNSSEC. Here is how I set it up and how to avoid the pitfalls I fell into.

This guide assumes you already have PowerDNS set up. I’ve used a MySQL backend; however, this will work with any supported backend.

Securing the zone:

To begin, issue the command:

pdnsutil secure-zone example.com


Now issue:

pdnsutil show-zone example.com

You will now see the DS records that you need to add at your domain registrar. Most big players like GoDaddy and Gandi let you add them through self-service. NameCheap will do it if you open a support request. Below is an example of the expected output.


That’s the hard bit done. Your site is now set up for DNSSEC. We are not done yet, though, as RRSIGs will expire and sometimes they are not fresh. PowerDNS talk about this at length here. This guide will use the INCREMENT-WEEKS option, as it’s compatible with all setups.

Run the command:

pdnsutil set-meta example.com SOA-EDIT INCREMENT-WEEKS

The final step is optional, but to prevent zone walking you can turn on NSEC3:

pdnsutil set-nsec3 example.com '1 0 1 ab'

Finally, run:

pdnsutil rectify-zone example.com
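
What the four fields in '1 0 1 ab' mean, as an added Python example that is not part of the original post or of PowerDNS: hash algorithm 1 (SHA-1), flags 0 (no opt-out), 1 additional iteration and salt ab, combined as RFC 5155 specifies to produce the hashed owner names used by the zone's NSEC3 records. The function names and the sample owner names are assumptions made for illustration.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex (RFC 4648), which NSEC3 uses.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3_params(text):
    """Split a string such as '1 0 1 ab' into (algorithm, flags, iterations, salt)."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("expected: <hash-algorithm> <flags> <iterations> <salt>")
    algorithm, flags, iterations = (int(f) for f in fields[:3])
    if algorithm != 1:
        raise ValueError("RFC 5155 defines only hash algorithm 1 (SHA-1)")
    if flags not in (0, 1):
        raise ValueError("flags must be 0, or 1 for opt-out")
    # '-' is the presentation form of an empty salt; otherwise the salt is hex.
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])
    return algorithm, flags, iterations, salt


def name_to_wire(name):
    """Encode a domain name in lower-cased DNS wire format (length-prefixed labels)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, params):
    """Return the hashed owner label for `name` under NSEC3 parameters `params`."""
    _, _, iterations, salt = parse_nsec3_params(params)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


if __name__ == "__main__":
    # Constructed sample names; the parameters are the ones used on this page.
    for owner in ("example.com", "www.example.com"):
        print(owner, "->", nsec3_hash(owner, "1 0 1 ab") + ".example.com.")
```

For a name that exists in the zone, the result is the owner label of that name's NSEC3 record.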
