Easiest DNSSEC ever when running PowerDNS in BIND mode

Without further comment, except to note that this is really all there is to this. Signatures will autorotate, ‘pdnssec’ allows for complete key management. No cronjobs or further configuration.
# apt-get install bind9
The following NEW packages will be installed:
  bind9
..
 * Starting domain name service… bind9                     [OK]

# dig -x 127.0.0.1 +dnssec @127.0.0.1 +noall +answer
1.0.0.127.in-addr.arpa. 604800 IN PTR localhost.

# dpkg -i pdns-static_3.1-pre.20120304.2462-1_amd64.deb 
Restarting PowerDNS authoritative nameserver: not running, starting
Starting PowerDNS authoritative nameserver: started

# cat > /etc/powerdns/pdns.conf
local-port=5300
launch=bind
bind-config=/etc/bind/named.conf
bind-dnssec-db=/var/db/bind-dnssec-db  
^D

# pdnssec create-bind-db /var/db/bind-dnssec-db 
# /etc/init.d/pdns reload
Reloading PowerDNS authoritative nameserver: requested reload

# pdnssec secure-zone 127.in-addr.arpa
Zone 127.in-addr.arpa secured

# dig -x 127.0.0.1 +dnssec @127.0.0.1 +noall +answer -p 5300
1.0.0.127.in-addr.arpa. 604800 IN PTR localhost.
1.0.0.127.in-addr.arpa. 604800 IN RRSIG PTR 8 6 604800 20120315000000 20120301000000 44311 127.in-addr.arpa. EHjRegR…iN0 1iE=

# dig -t dnskey 127.in-addr.arpa @127.0.0.1 -p 5300  | grep ^127 | tee trust-anchor
127.in-addr.arpa. 604800 IN DNSKEY 257 3 8 AwEAAdT…M7S CbrksGuVtmc=
127.in-addr.arpa. 604800 IN DNSKEY 256 3 8 AwEAAax…A97L jkGHUdO3
127.in-addr.arpa. 604800 IN DNSKEY 256 3 8 AwEAAeNc0G…rZX rBZcGuWL

# drill -D  ptr 1.0.0.127.in-addr.arpa  @127.0.0.1 -p 5300 -k trust-anchor 
; 1.0.0.127.in-addr.arpa. 604800 IN PTR localhost.
; VALIDATED by id = 57268, owner = 127.in-addr.arpa.

Update: by popular demand:

# pdnssec show-zone 127.in-addr.arpa
Zone has NSEC semantics
Zone is not presigned
keys: 
ID = 1 (KSK), tag = 23402, algo = 8, bits = 2048 Active: 1
KSK DNSKEY = 127.in-addr.arpa IN DNSKEY 257 3 8 AwEAAdTtgIBwyzXNibY3FkHAKsTEZLHIsXVCFM0x+PAqCc8du3js3pDnmIscZBaG8kjaHmcOWwPMFZuisJW2gMKhTr1Dg7IEWpAD8SB+6qzcCmX2YTmQ5nbMZ9Bh8j7q3atcGVurxKJnnEblCzjZghR2vuTaebpCgxArTBeEgb3k8HeIydbiIdjUgcWw8zkBP8/10oy0BOyiWWEtNM0bjl3gtTbpMGKqrByMILHtDMzHFqsJ3L/84kiXrI/896Nv/p9Eo3+OKYTSsjQYEH2Pn3fuflHV7CwtS3wuBt9JzzO82863yjY0TK2XwCSrL8qQDpPSe398dOlpmM7SCbrksGuVtmc=
DS = 127.in-addr.arpa IN DS 23402 8 1 47d3b1aca6f1993422253c74a2768b6e01090136
DS = 127.in-addr.arpa IN DS 23402 8 2 d13f1ea3e1895c49982c6dfbbe3344e022d72027ca63cf5aebc65b1ab909936a
DS = 127.in-addr.arpa IN DS 23402 8 3 9f27adaac6930a0d4cfac56f192d518937e6007bd104d52452c861e843d4faae


ID = 2 (ZSK), tag = 57268, algo = 8, bits = 1024 Active: 1
ID = 3 (ZSK), tag = 61326, algo = 8, bits = 1024 Active: 0

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s