Easiest DNSSEC ever when running PowerDNS in BIND mode

Mar 4, 2012
Without further comment, except to note that this is really all there is to this. Signatures will autorotate, ‘pdnssec’ allows for complete key management. No cronjobs or further configuration.
 
# apt-get install bind9
The following NEW packages will be installed:
  bind9
..
 * Starting domain name service… bind9                     [OK]
 
# dig -x 127.0.0.1 +dnssec @127.0.0.1 +noall +answer
1.0.0.127.in-addr.arpa. 604800 IN PTR localhost.
 
# wget http://powerdnssec.org/downloads/packages/pdns-static_3.1-pre.20120304.2462-1_amd64.deb
# dpkg -i pdns-static_3.1-pre.20120304.2462-1_amd64.deb 
Restarting PowerDNS authoritative nameserver: not running, starting
Starting PowerDNS authoritative nameserver: started
 
# cat > /etc/powerdns/pdns.conf
local-port=5300
launch=bind
bind-config=/etc/bind/named.conf
bind-dnssec-db=/var/db/bind-dnssec-db  
^D
 
# pdnssec create-bind-db /var/db/bind-dnssec-db 
# /etc/init.d/pdns reload
 
Reloading PowerDNS authoritative nameserver: requested reload
 

 

# pdnssec secure-zone 127.in-addr.arpa
Zone 127.in-addr.arpa secured
 
# dig -x 127.0.0.1 +dnssec @127.0.0.1 +noall +answer -p 5300
1.0.0.127.in-addr.arpa. 604800 IN PTR localhost.
1.0.0.127.in-addr.arpa. 604800 IN RRSIG PTR 8 6 604800 20120315000000 20120301000000 44311 127.in-addr.arpa. EHjRegR…iN0 1iE=
 
 
# dig -t dnskey 127.in-addr.arpa @127.0.0.1 -p 5300  | grep ^127 | tee trust-anchor
127.in-addr.arpa. 604800 IN DNSKEY 257 3 8 AwEAAdT…M7S CbrksGuVtmc=
127.in-addr.arpa. 604800 IN DNSKEY 256 3 8 AwEAAax…A97L jkGHUdO3
127.in-addr.arpa. 604800 IN DNSKEY 256 3 8 AwEAAeNc0G…rZX rBZcGuWL
 
# drill -D  ptr 1.0.0.127.in-addr.arpa  @127.0.0.1 -p 5300 -k trust-anchor 
 
; 1.0.0.127.in-addr.arpa. 604800 IN PTR localhost.
; VALIDATED by id = 57268, owner = 127.in-addr.arpa.
 

Update: by popular demand:

# pdnssec show-zone 127.in-addr.arpa
Zone has NSEC semantics
Zone is not presigned
keys: 
ID = 1 (KSK), tag = 23402, algo = 8, bits = 2048 Active: 1
KSK DNSKEY = 127.in-addr.arpa IN DNSKEY 257 3 8 AwEAAdTtgIBwyzXNibY3FkHAKsTEZLHIsXVCFM0x+PAqCc8du3js3pDnmIscZBaG8kjaHmcOWwPMFZuisJW2gMKhTr1Dg7IEWpAD8SB+6qzcCmX2YTmQ5nbMZ9Bh8j7q3atcGVurxKJnnEblCzjZghR2vuTaebpCgxArTBeEgb3k8HeIydbiIdjUgcWw8zkBP8/10oy0BOyiWWEtNM0bjl3gtTbpMGKqrByMILHtDMzHFqsJ3L/84kiXrI/896Nv/p9Eo3+OKYTSsjQYEH2Pn3fuflHV7CwtS3wuBt9JzzO82863yjY0TK2XwCSrL8qQDpPSe398dOlpmM7SCbrksGuVtmc=
DS = 127.in-addr.arpa IN DS 23402 8 1 47d3b1aca6f1993422253c74a2768b6e01090136
DS = 127.in-addr.arpa IN DS 23402 8 2 d13f1ea3e1895c49982c6dfbbe3344e022d72027ca63cf5aebc65b1ab909936a
DS = 127.in-addr.arpa IN DS 23402 8 3 9f27adaac6930a0d4cfac56f192d518937e6007bd104d52452c861e843d4faae


ID = 2 (ZSK), tag = 57268, algo = 8, bits = 1024 Active: 1
ID = 3 (ZSK), tag = 61326, algo = 8, bits = 1024 Active: 0

About the author

Bert Hubert

Bert Hubert

Principal, PowerDNS

Related Articles

PowerDNS Authoritative: the new old way to manage domains

This is the third post in a series that highlights interesting new features of the PowerDNS 4.x.x and dnsdist 1.x.x...

Bert Hubert 02/3/16

FALCON-512 in PowerDNS

We are proud to introduce the first guest post on our blog! A team of researchers (listed below) has chosen PowerDNS as the...

Peter van Dijk 04/5/22

PowerDNS Authoritative Server 3.0 has been released!

Available from: * http://downloads.powerdns.com/releases/pdns-3.0.tar.gz *...

Bert Hubert 07/6/11

Contributing PowerDNS tests: unit tests

Each and every PowerDNS change is tested by our Jenkins continuous integration setup, as hosted on...

Bert Hubert 05/3/13