The Master of Geeks

PowerDNS DNSSEC Setup and .nz

By Craig Whitmore, in , posted: 9-Jun-2011 10:53

16/06/2011 - Problems with formatting XML on Geekzone.
12/06/2011 - Removed the TSIG stuff as it makes no real difference: TSIG authenticates transfers, it does not encrypt them (my mistake). As the master/slave IP addresses are known, it's not needed.
12/06/2011 - Comment about the new patch for slaves.

As the .nz domain space is going to be signed within the next 6 months, I have decided to try and implement DNSSEC on a number of name servers.

All this is documented as I went along and found problems with the "not so good/lacking" documentation on the PowerDNSSEC website, and basically me guessing until it works.

This is similar to how my own personal domain is set up, so you can do nslookup/dig and whois on this domain and see what is happening.

As I've used PowerDNS ( for quite a while I was pretty familiar with it, and they have written a DNSSEC version of it as well ( which will all be implemented into V3 of PowerDNS.

For testing I set up 2 DNS servers: one as master and one as slave, using MySQL as the backend on both. This is a pretty standard PowerDNS setup with some features enabled for DNSSEC. I expect someone reading this to have used PowerDNS before and to have some idea of getting it compiled and running.

Master pdns.conf


Slave: pdns.conf


and setting up the database on both servers in the schema

plus the additional schema to include for the powerdnssec stuff

Additionally you must increase the width of the content column in the records table (on master and slave to be safe):

alter table records modify content varchar(512);

This is not documented anywhere, but if you don't do it you will have issues with your slave data being cut off, because the column is too small to hold the DNSKEY and RRSIG records. A 2048-bit RSA DNSKEY is roughly 350 characters in base64, so 512 is enough for 2048-bit keys but not for 4096-bit ones; check the current width with show create table records and size it for the keys you intend to use.

Now that we have the databases and PowerDNSSEC working, we have to add some data into the database for our zone on the master.

This will add a zone called "" with 2 name servers and with IP addresses pointing towards

insert into domains (name,type) values ('','MASTER');

select * from domains; # find the id of the domain we just added in
insert into records (domain_id,name,content,type,ttl,prio) values ("1",""," 1111 28800 7200 604800 86400",'SOA',86400,NULL);
insert into records (domain_id,name,content,type,ttl,prio) values ("1","","","NS",86400,NULL);
insert into records (domain_id,name,content,type,ttl,prio) values ("1","","","NS",86400,NULL);
insert into records (domain_id,name,content,type,ttl,prio) values ("1","","","A",86400,NULL);
insert into records (domain_id,name,content,type,ttl,prio) values ("1","","","A",86400,NULL);
insert into records (domain_id,name,content,type,ttl,prio) values ("1","","","A",86400,NULL);

You should now be able to look up the domain on the master with dig/nslookup.

Now add something to the slave's MySQL database so it will replicate. A row in the supermasters table tells the slave to accept a NOTIFY from that IP address for any zone whose NS records include that nameserver name, create the zone automatically as a slave, and transfer it from that IP. The slave trusts the source address of the NOTIFY, so only list the real master here, and keep allow-axfr-ips on the master restricted to the slave.

insert into supermasters (ip,nameserver,account) values ("","","");

Now let's update the serial number on the master. The new serial must be higher than the one the slave already holds (1111 above); serial comparison is modulo 2^32 (RFC 1982), so a lower number would never trigger a transfer:

update records set content = " 1112 28800 7200 604800 86400" where domain_id = 1 and type = 'SOA';

Wait a little and it should replicate to the slave, and you should be able to nslookup/dig the domain on the secondary name server.
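The serial rule above trips people up more than anything else in this setup, so here is an added example (my code, not from the original post) that picks the next serial the way a slave will accept it and rewrites the SOA content string PowerDNS stores. The zone names in it are constructed; it does not talk to MySQL, it just produces the parameterised UPDATE you would run on the master.

```python
"""Serial handling for the PowerDNS SOA content string.

Added example, not code from the original post. PowerDNS keeps the whole SOA
RDATA in one 'content' string, e.g.
"ns1.example.nz. hostmaster.example.nz. 1111 28800 7200 604800 86400"
(the names here are constructed). A slave only transfers a zone whose serial is
"greater" under RFC 1982 serial arithmetic, so moving the serial from 1111 down
to 1000 would never trigger a transfer; these helpers pick the next serial and
produce the UPDATE for the master's records table.
"""
import datetime

MASK = 0xFFFFFFFF
HALF = 1 << 31


def serial_gt(a, b):
    """RFC 1982: True if serial a is newer than serial b (32-bit, wrapping)."""
    a &= MASK
    b &= MASK
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def next_serial(current, today_yyyymmdd=None):
    """Next serial a slave will accept: YYYYMMDD00 if that is newer, else current + 1."""
    if today_yyyymmdd is None:
        today_yyyymmdd = int(datetime.date.today().strftime("%Y%m%d"))
    candidate = max(current + 1, today_yyyymmdd * 100) & MASK
    if not serial_gt(candidate, current):      # only happens near the 2**32 wrap-around
        candidate = (current + 1) & MASK
    return candidate


def bump_soa(content, today_yyyymmdd=None):
    """Return the SOA content string with its serial (third field) advanced."""
    fields = content.split()
    if len(fields) != 7:
        raise ValueError("SOA content needs 7 fields: mname rname serial refresh retry expire minimum")
    fields[2] = str(next_serial(int(fields[2]), today_yyyymmdd))
    return " ".join(fields)


def soa_update(domain_id, new_content):
    """Parameterised UPDATE for the master: select the SOA by type, not by a guessed row id."""
    sql = "UPDATE records SET content = %s WHERE domain_id = %s AND type = 'SOA'"
    return sql, (new_content, domain_id)


if __name__ == "__main__":
    old = "ns1.example.nz. hostmaster.example.nz. 1111 28800 7200 604800 86400"  # constructed
    print("1000 newer than 1111?", serial_gt(1000, 1111))   # False: no transfer would happen
    new = bump_soa(old, 20110612)
    print(new)
    print(soa_update(1, new))
```

Once the serial is date based, every later bump just increments the last two digits for that day, and the slave's own SOA check tells you whether the transfer happened: dig SOA at master and slave and compare the third field.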

We have a working DNS server but no DNSSEC stuff yet.
So what we do on the master is (each command followed by the zone name):

pdnssec secure-zone
pdnssec set-nsec3
pdnssec rectify-zone

Increase the serial number as above (each change needs a serial higher than the last one), allow it to replicate, and then on the slave DNS server (again each followed by the zone name):

pdnssec set-presigned
pdnssec set-nsec3

(A new PowerDNSSEC patch is coming soon, after which these two lines will not be needed on the slave.) Increase the serial number again and allow it to do a transfer. A presigned slave serves the signatures it received in the transfer, so every change on the master, key changes included, needs a serial bump to reach it.
Now we have a working DNSSEC nameserver. Let's test.

On Master..

pdnssec export-zone-dnskey 1 | grep DNSKEY > trusted-keys

dig +dnssec +sigchase +trusted-key=./trusted-keys -t A @
dig +dnssec +sigchase +trusted-key=./trusted-keys -t A @

The output of both dig queries should end with:
; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

Note that +sigchase only exists in a dig built with sigchase support; if yours lacks it, drill -S -k ./trusted-keys from ldns chases the signatures the same way.

Any changes on the master should now replicate to the slave automatically (make sure you increase the serial each time).

Sending to the .nz DNC.

We need the DS records to send to the DNC, so we do something like this:

pdnssec export-zone-dnskey 1 | grep "IN DS"
 IN DS 22621 8 1 af6e9e8cb218dfab299d53732c323adbb7377893
 IN DS 22621 8 2 63ab915d16fe9b6c9af09ea6f6095af91a2ecd0f096c6ffd437504d04c7e7363

If your pdnssec build prints only the DNSKEY here, pdnssec show-zone prints the DS lines as well. The two lines are the same key (tag 22621, algorithm 8 = RSA/SHA-256) with digest type 1 (SHA-1) and digest type 2 (SHA-256); send the SHA-256 one at least.

As I work at a registrar I will show you what needs to be sent in XML. Let's add some DS keys from above in the correct format...

Need to show XML here...

Let's check what the whois now shows.


You should now have some new entries compared to how it looked before:

domain_signed: yes
ds_rdata_01: 22621 8 1 af6e9e8cb218dfab299d53732c323adbb7377893
ds_rdata_02: 22621 8 2 63ab915d16fe9b6c9af09ea6f6095af91a2ecd0f096c6ffd437504d04c7e7363

Note: the NZSRS accepts the DS records but will not publish them into the .nz DNS until later this year

Rolling Keys. (this may be wrong but it seems to work fine).. Still waiting on more information

ZSK rollover (note: this is slightly wrong.. need to update). Each command takes the zone name, and the last two also take the old key id:
pdnssec show-zone (to find the old key id)
pdnssec add-zone-key zsk 1024
pdnssec deactivate-zone-key (old key id)
pdnssec remove-zone-key (old key id)
PowerDNS signs with every active key, so while both ZSKs are active the zone carries signatures from both. Leave at least the longest TTL in the zone between each step so no cache holds data it can no longer validate, and bump the serial after each step so the presigned slave picks up the new signatures.

KSK rollover (note: this is slightly wrong.. need to update). Same argument convention:
pdnssec show-zone (to find the old key id)
pdnssec add-zone-key ksk 2048
Send the new DS records to the upstream (but don't delete the old ones).
Wait until the upstream has the new DS records in its DNS.
Remove the old DS records from the upstream, then wait at least the parent's DS TTL: a cache still holding only the old DS needs the old KSK to stay active until then.
pdnssec deactivate-zone-key (old key id)
pdnssec remove-zone-key (old key id)
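Two places above deserve a check you can run yourself: the DS records sent to the DNC (that what whois echoes back as ds_rdata_NN really corresponds to the DNSKEY in the zone) and the KSK rollover rule of not deleting the old DS too early. The block below is an added example of my own, not code from the post or from PowerDNS; it recomputes the DS the way pdnssec show-zone does (RFC 4034 key tag, SHA-1 and RFC 4509 SHA-256 digests over the owner name plus DNSKEY RDATA) and encodes which rollover step the parent's current DS set allows. The DNSKEY data in it is a constructed two-byte placeholder, not a real RSA key, and the owner name is invented.

```python
"""DS records and KSK-rollover readiness (added example, not the post's code).

Recomputes DS records from a DNSKEY exactly as pdnssec show-zone prints them,
so the values the DNC shows in whois (ds_rdata_01/02) can be verified against
the key actually in the zone, and encodes the "keep the old DS until the new
one is published" rule of the KSK rollover. DNSKEY material here is constructed.
"""
import base64
import hashlib

DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types: 1 = SHA-1, 2 = SHA-256


def owner_wire(name):
    """Canonical (lower-case) wire form of an owner name: 'example.nz' -> 07 example 02 nz 00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """'TAG ALG DTYPE HEX', the rdata form pdnssec prints and .nz whois shows."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGEST[digest_type](owner_wire(owner) + rdata).hexdigest()
    return "%d %d %d %s" % (key_tag(rdata), algorithm, digest_type, digest)


def ksk_rollover_state(parent_ds, old_tag, new_tag):
    """Which KSK-rollover step is safe given the DS set the parent publishes now.

    parent_ds: list of 'TAG ALG DTYPE HEX' strings (e.g. the whois ds_rdata_NN values).
    Time since the old DS was withdrawn is not known here, so the last step still
    requires waiting out the parent's DS TTL.
    """
    tags = {int(ds.split()[0]) for ds in parent_ds}
    if new_tag not in tags:
        return "wait: parent does not publish the new DS yet; keep both KSKs active"
    if old_tag in tags:
        return "ok to remove the old DS at the registrar; keep the old KSK active"
    return "ok to deactivate/remove the old KSK once the parent's DS TTL has passed"


if __name__ == "__main__":
    # constructed DNSKEY: 'QUE=' is just the two bytes 0x41 0x41, not a real key
    ksk = (257, 3, 8, "QUE=")
    for dt in (1, 2):
        print("example.nz IN DS", ds_record("example.nz", *ksk, digest_type=dt))
    old_ds = "22621 8 2 " + "0" * 64   # stand-in for the DS currently at the parent
    print(ksk_rollover_state([old_ds], old_tag=22621, new_tag=key_tag(dnskey_rdata(*ksk))))
```

To use it on a real zone, feed it the flags/protocol/algorithm/base64 fields from pdnssec export-zone-dnskey and compare the result with what whois returns; a mismatch means the registrar has the wrong DS and validation will fail once .nz starts publishing it.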

Remember this is all very, VERY simplified and I am probably missing lots. There are many other things you have to do and think about if you want to use this in production. You still have more to do, like how to send the information to the .nz Domain Name system, which will be explained in the next few days:
rolling keys over, size of keys, security of data, who has access to the data, importing existing keys, turning off DNSSEC on a zone.
I'll update this over time, but if you have any questions please let me know. If someone wants to say "you are doing this completely wrong", please do.
