From NixNet
< PowerDNS
Revision as of 09:47, 12 August 2021 by Amolith (talk | contribs) (create webpage)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Editing a zone

  • pdnsutil edit-zone DOMAIN
  • Increment SOA’s serial number
  • pdns_control notify DOMAIN

Adding a domain

pdnsutil create-zone DOMAIN
pdnsutil set-kind DOMAIN master
pdnsutil secure-zone DOMAIN
pdnsutil set-nsec3 DOMAIN
pdnsutil rectify-zone DOMAIN
pdnsutil edit-zone DOMAIN

Add the following records (the NS records are mandatory, but CAA is optional but recommended):

DOMAIN    86400    IN    NS    ns1.nixnet.services
DOMAIN    86400    IN    NS    ns2.nixnet.services
DOMAIN    86400    IN    NS    ns3.nixnet.services
DOMAIN    86400    IN    NS    ns4.nixnet.services
DOMAIN    86400    IN    NS    ns5.nixnet.services
DOMAIN    86400    IN    CAA    0 issue "letsencrypt.org"

(replace ns{1..5}.nixnet.services with your respective DNS server addresses)

If you want to have wildcard certificates, add the following DNS record: DOMAIN 86400 IN CAA 0 issuewild "letsencrypt.org"

After adding records, increment SOA’s serial and run: pdns_control notify DOMAIN

Then set NS records on your registrar and run pdnsutil show-zone DOMAIN to get the DNSSEC details.

DNSSEC settings

  • Key Tag: CHANGEME
  • Digest: CHANGEME
  • Digest Type: SHA-256 (2)
  • Algo: 13 (ECDSA curve P-256 with SHA-256)

(using NameSilo’s input labels, but should be similar on other registrars.)


To check everything went correctly, use the testing tool at https://dnstest2.ficora.fi/dnstest.php?lang=en

Remember to add your domain to HSTS preloading as well after getting a webserver up and running.