NOTE: I'm using the database/MySQL backend in this example.
NOTE: It is imperative that you publish the DNSKEY record in your zone before adding the DS record to your registrar! If a client sees a DS record without a DNSKEY entry, the domain will be considered BOGUS!
Configuring DNSSEC in PDNS is pretty simple. Follow these steps if you're running PDNS without any type of front-end, such as PDNS-Admin. First, secure the zone:
pdnsutil secure-zone example.com
Ensure DNSSEC processing is enabled on your PDNS servers (this is a gmysql backend setting):
gmysql-dnssec=yes
Show the details of the zone you just secured.
pdnsutil show-zone example.com
This zone is owned by example
This is a Native zone
Metadata items:
API-RECTIFY 1
SOA-EDIT-API DEFAULT
Zone has NSEC semantics
keys:
ID = 5 (CSK), flags = 257, tag = 12345, algo = 13, bits = 256 Active Published ( ECDSAP256SHA256 )
CSK DNSKEY = example.com. IN DNSKEY 257 3 13 ********************************************************************************== ; ( ECDSAP256SHA256 )
DS = example.com. IN DS 12345 13 2 **************************************************************** ; ( SHA256 digest )
DS = example.com. IN DS 12345 13 4 ************************************************************************************************ ; ( SHA-384 digest )
Add the DNSKEY record to your zone
example.com. IN DNSKEY 257 3 13 ********************************************************************************==
Add one of the DS records to your registrar (different registries have different requirements)
example.com. IN DS 12345 13 2 ****************************************************************
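Because a DS at the registrar that does not match the DNSKEY actually published makes the zone bogus, it is worth deriving the DS yourself from the DNSKEY you just added and comparing it with what you are about to submit. The script below is an added example, not PowerDNS code or output from this page: it parses a DNSKEY presentation record, computes the RFC 4034 key tag and the SHA-256 (type 2) and SHA-384 (type 4) DS digests over the canonical owner name plus DNSKEY RDATA, and checks a DS line against a DNSKEY line. The sample DNSKEY is a constructed placeholder with a zero public key (same 257 3 13 fields as the page's CSK), so its key tag and digests are not those of any real zone.

```python
"""Derive DS records from a DNSKEY and cross-check them (RFC 4034).

Added example for this page; not PowerDNS's code. The DNSKEY below is a
constructed placeholder (64 zero bytes as the public key), not a real key.
"""
import base64
import hashlib
import struct

# Constructed sample: same flags/protocol/algorithm as the page's CSK
# (257 = KSK/SEP flag, 3 = DNSSEC protocol, 13 = ECDSAP256SHA256).
# A real ECDSA P-256 public key is 64 random-looking bytes, also "==" padded.
SAMPLE_DNSKEY = (
    "example.com. IN DNSKEY 257 3 13 " + base64.b64encode(bytes(64)).decode()
)

# DS digest type -> hash function (RFC 4509 SHA-256, RFC 6605 SHA-384)
DIGEST_TYPES = {2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical wire format: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(rr):
    """Split 'owner [TTL] [IN] DNSKEY flags proto algo base64...' into its parts."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    flags, proto, algo = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))  # key may be split by spaces
    return fields[0], flags, proto, algo, key


def dnskey_rdata(flags, proto, algo, key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, proto, algo) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit accumulating sum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(rr, digest_types=(2, 4)):
    """Return one DS presentation line per digest type for a DNSKEY line."""
    owner, flags, proto, algo, key = parse_dnskey(rr)
    rdata = dnskey_rdata(flags, proto, algo, key)
    tag = key_tag(rdata)
    lines = []
    for dt in digest_types:
        # DS digest covers the canonical owner name followed by the DNSKEY RDATA.
        digest = DIGEST_TYPES[dt](name_to_wire(owner) + rdata).hexdigest()
        lines.append(f"{owner} IN DS {tag} {algo} {dt} {digest}")
    return lines


def ds_matches_dnskey(ds_line, dnskey_rr):
    """True if the DS line you plan to hand to the registrar derives from this DNSKEY."""
    fields = ds_line.split()
    idx = fields.index("DS")
    tag, algo, dt = (int(x) for x in fields[idx + 1:idx + 4])
    digest = "".join(fields[idx + 4:]).lower()
    if dt not in DIGEST_TYPES:
        return False
    expected = ds_records(dnskey_rr, (dt,))[0].split()
    return (expected[0].lower() == fields[0].lower()
            and expected[3:] == [str(tag), str(algo), str(dt), digest])


if __name__ == "__main__":
    for line in ds_records(SAMPLE_DNSKEY):
        print(line, "OK" if ds_matches_dnskey(line, SAMPLE_DNSKEY) else "MISMATCH")
```

Paste the DNSKEY line from `pdnsutil show-zone` (or, better, the one returned by a query against your public nameservers) in place of the constructed sample; the DS lines printed should match the `DS =` lines pdnsutil reports, and `ds_matches_dnskey` returning False for the record you typed at the registrar means a typo or a stale key.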