I’ve been running PowerDNS for a couple of months now, including DNSSEC. Here is how I set it up and how to avoid the pitfalls I fell into.
This guide assumes you already have PowerDNS set up. I used a MySQL backend, but this works with any supported backend.
Securing the zone:
To begin, issue the commands:
pdnsutil secure-zone example.com
pdnsutil show-zone example.com
You will now see the DS records that you need to add at your domain registrar. Most big players like GoDaddy and Gandi let you add them through self service; NameCheap will do it if you open a support request. Below is an example of the expected output.
That’s the hard bit done. Your zone is now DNSSEC signed. We are not done yet, though: RRSIGs expire, and re-signed ones do not always get picked up, because the SOA serial does not change by itself when the zone is re-signed. PowerDNS talk about this at length here. This guide uses the INCREMENT-WEEKS option as it’s compatible with all setups.
Run the command:
pdnsutil set-meta example.com SOA-EDIT INCREMENT-WEEKS
The final step is optional, but to prevent zone walking you can turn on NSEC3 (the parameters are hash algorithm 1 = SHA-1, opt-out flag 0, 1 iteration, salt ab) and then rectify the zone:
pdnsutil set-nsec3 example.com '1 0 1 ab'
pdnsutil rectify-zone example.com
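As an added example (not from the original post and not PowerDNS code), here is a small Python script that recomputes a DS record from a DNSKEY, so the DS line from pdnsutil show-zone can be cross-checked against the public DNSKEY the server actually serves before you hand it to the registrar. It assumes DNSKEY lines in the presentation format dig prints (owner TTL IN DNSKEY flags protocol algorithm base64...); the sample key is constructed and is not a real key.

```python
# Added example: recompute a DS record (RFC 4034 key tag, RFC 4509 SHA-256 digest)
# from a DNSKEY so the DS given to the registrar can be checked against the
# DNSKEY the server serves. Not PowerDNS code; the sample key below is constructed.
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a checksum used to pick a key, not a security feature."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(flags: int) -> bool:
    """Only keys with the SEP bit set (flags 257) belong in the parent's DS set."""
    return bool(flags & 1)

def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """Return 'keytag algorithm digesttype HEXDIGEST', the DS RDATA for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"

def ds_from_dnskey_line(owner: str, line: str, digest_type: int = 2) -> str:
    """Parse a DNSKEY line in dig/zone-file form ('... DNSKEY 257 3 13 AQID BA==')."""
    tokens = line.split()
    start = tokens.index("DNSKEY") + 1 if "DNSKEY" in tokens else 0
    flags, protocol, algorithm = (int(t) for t in tokens[start:start + 3])
    pubkey_b64 = "".join(tokens[start + 3:])  # dig wraps the base64 over several tokens
    return ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type)

if __name__ == "__main__":
    # Constructed sample, not a real key: flags 257 (KSK), protocol 3, algorithm 13.
    sample = "example.com. 3600 IN DNSKEY 257 3 13 AQID BA=="
    print(ds_from_dnskey_line("example.com", sample))
```

Feed it the KSK line from dig DNSKEY example.com and compare the output with the DS line from pdnsutil show-zone; the two must match exactly, including the key tag.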