As the .nz domain space is going to be signed within the next 6 months, I have decided to try to implement DNSSEC on a number of name servers.

All of this was documented as I went along, working around the "not so good/lacking" documentation on the PowerDNSSEC website and basically guessing until it worked.

This is similar to how I have my own personal domain set up, so you can do nslookup/dig and whois on this domain and see what is happening.

As I've used PowerDNS for quite a while I was pretty familiar with it, and they have written a DNSSEC version of it as well (PowerDNSSEC), which will all be merged into V3 of PowerDNS.

For testing I set up 2 DNS servers: one as master and one as slave, using MySQL as the backend on both servers. This is a pretty standard PowerDNS setup with some features enabled for DNSSEC. I expect someone reading this to have used PowerDNS before and to have some idea of getting it compiled and running.

Master: pdns.conf

Slave: pdns.conf

and set up the database on both servers with this schema:

plus the additional schema needed for the PowerDNSSEC tables:

Additionally you must increase the size of the content column in the records table with:

alter table records change content content varchar(512);

(on master and slave to be safe). This is not documented anywhere, but if you don't do it you will have issues with your slave data being cut off, because the content column is too small to hold all the data.

Now that we have the databases and PowerDNSSEC working, we have to add some data to the database for our zone on the master.

This will add a zone called "" with 2 name servers and with ip addresses with pointing towards

insert into domains (name,type) values ('','MASTER');
select * from domains; # find the id of the domain we just added in
insert into records (domain_id,name,content,type,ttl,prio) values ("1",""," 1111 28800 7200 604800 86400",'SOA',86400,NULL);
insert into records (domain_id,name,content,type,ttl,prio) values ("1","","","NS",86400,NULL);
insert into records (domain_id,name,content,type,ttl,prio) values ("1","","","NS",86400,NULL);
insert into records (domain_id,name,content,type,ttl,prio) values ("1","","","A",86400,NULL);
insert into records (domain_id,name,content,type,ttl,prio) values ("1","","","A",86400,NULL);
insert into records (domain_id,name,content,type,ttl,prio) values ("1","","","A",86400,NULL);

You should now be able to look up the domain on the master with dig/nslookup.

Now we add something to the MySQL database on the slave DNS server so it will replicate. This will allow a zone transfer push from the master (which is in the zone's NS records) to be accepted and replicated to the slave.

insert into supermasters (ip,nameserver,account) values ("","","");

Now let's update the serial number on the master:

update records set content = " 1000 28800 7200 604800 86400" where id = "1";
Wait a little and it should replicate to the slave, and you should be able to do nslookup/dig of the domain on the secondary name server.

We have a working DNS server but no DNSSEC yet.
So what we do on the master is:

pdnssec secure-zone
pdnssec set-nsec3
pdnssec rectify-zone

Increase the serial number as above (increase the 1000 number), allow it to replicate, and then on the slave DNS server:

pdnssec set-presigned   ## With a new PowerDNSSEC patch coming soon,
pdnssec set-nsec3       ## these two lines will not be needed on the slave.

Increase the serial number again and allow it to do a transfer.

Now we have a working DNSSEC name server. Let's test.

On the master:

pdnssec export-zone-dnskey 1 | grep DNSKEY > trusted-keys
dig +dnssec +sigchase +trusted-key=./trusted-keys -t A @
dig +dnssec +sigchase +trusted-key=./trusted-keys -t A @

The output should show, right at the end of both dig queries:

; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

Any changes on the master should now replicate to the slave automatically (make sure you increase the serial each time).
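Replication hinges on the serial: a slave only transfers the zone when the serial in the new SOA compares greater than the one it already holds, and it uses RFC 1982 serial arithmetic for that comparison rather than a plain integer test. The following Python is an added example, not part of the original post or of PowerDNS: it shows that comparison and a helper that rewrites the SOA content string (the one stored in records.content and updated above) with a serial that is guaranteed to compare greater. The sample SOA content, the example zone name and the YYYYMMDDnn convention are constructed for this example.

```python
from datetime import date

# Constructed example of the SOA content string as PowerDNS stores it in records.content:
# "primary-ns hostmaster serial refresh retry expire minimum". The names are placeholders.
SAMPLE_SOA = "ns1.example.nz. hostmaster.example.nz. 1111 28800 7200 604800 86400"

SERIAL_MOD = 2 ** 32   # serials are unsigned 32-bit integers
SERIAL_HALF = 2 ** 31  # the largest step RFC 1982 still sees as an increase

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def serial_gt(new: int, old: int) -> bool:
    """RFC 1982 comparison as a slave applies it to an incoming SOA/NOTIFY:
    'new' is greater than 'old' (and triggers a zone transfer) only when it lies
    less than 2^31 ahead of 'old', modulo 2^32. Equal serials never trigger one."""
    return new != old and (new - old) % SERIAL_MOD < SERIAL_HALF


def parse_soa(content: str) -> dict:
    """Split a PowerDNS SOA content string into its seven named fields."""
    fields = content.split()
    if len(fields) != len(SOA_FIELDS):
        raise ValueError(f"SOA content needs {len(SOA_FIELDS)} fields, got {len(fields)}: {content!r}")
    soa = dict(zip(SOA_FIELDS, fields))
    for key in SOA_FIELDS[2:]:
        soa[key] = int(soa[key])   # the numeric fields; mname/rname stay as strings
    return soa


def format_soa(soa: dict) -> str:
    """Inverse of parse_soa: the content string to write back into records.content."""
    return " ".join(str(soa[key]) for key in SOA_FIELDS)


def bump_serial(content: str, today: str = "") -> str:
    """Return the SOA content with a serial that compares greater than the old one.
    Uses the YYYYMMDDnn convention when today's base exceeds the old serial, otherwise
    old+1 (which also covers a wrap at 2^32). 'today' is an optional YYYYMMDD override."""
    soa = parse_soa(content)
    old = soa["serial"]
    base = int((today or date.today().strftime("%Y%m%d")) + "00")
    new = base if base > old else (old + 1) % SERIAL_MOD
    if not serial_gt(new, old):          # a date base more than 2^31 ahead of a tiny serial
        new = (old + 1) % SERIAL_MOD
    soa["serial"] = new
    return format_soa(soa)


if __name__ == "__main__":
    print("1111 -> 1000 triggers a transfer:", serial_gt(1000, 1111))   # False
    print("1000 -> 1001 triggers a transfer:", serial_gt(1001, 1000))   # True
    print(bump_serial(SAMPLE_SOA))
```

serial_gt(1000, 1111) is False: a serial that is numerically lower than the previous one does not compare greater in RFC 1982 arithmetic, so the slave will keep its old copy of the zone. bump_serial keeps the serial moving forward (date-based when possible, old+1 otherwise) while never jumping by 2^31 or more; the string it returns is what you put into the UPDATE on the SOA record shown above.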

Sending to the .nz DNC.

We need the DS records to send to the DNC, so we do something like this:

pdnssec export-zone-dnskey 1 | grep "IN DS"
IN DS 22621 8 1 af6e9e8cb218dfab299d53732c323adbb7377893
IN DS 22621 8 2 63ab915d16fe9b6c9af09ea6f6095af91a2ecd0f096c6ffd437504d04c7e7363

As I work at a registrar I will show you what needs to be sent in XML. Let's add the DS keys from above in the correct format...

<NZSRSRequest VerMajor="1" VerMinor="0" RegistrarId="600">
  <DomainUpdate ActionId="" RegistrantRef="" FullResult="1">
    <Server FQDN="" IP4Addr="" IP6Addr=""/>
    <Server FQDN="" IP4Addr="" IP6Addr=""/>
    <!-- Digest attribute name assumed from the NZSRS schema; the values are the DS records exported above -->
    <DS KeyTag="22621" Algorithm="8" DigestType="1" Digest="af6e9e8cb218dfab299d53732c323adbb7377893"/>
    <DS KeyTag="22621" Algorithm="8" DigestType="2" Digest="63ab915d16fe9b6c9af09ea6f6095af91a2ecd0f096c6ffd437504d04c7e7363"/>
    <AuditText>Add some DS records with Name servers</AuditText>
  </DomainUpdate>
</NZSRSRequest>

Let's check what the whois now shows:


You should now have some new entries compared to how it looked before:

domain_signed: yes
ds_rdata_01: 22621 8 1 af6e9e8cb218dfab299d53732c323adbb7377893
ds_rdata_02: 22621 8 2 63ab915d16fe9b6c9af09ea6f6095af91a2ecd0f096c6ffd437504d04c7e7363

Note: the NZSRS accepts the DS records but will not publish them into the .nz DNS until later this year.
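Before relying on the chain of trust it is worth checking that the DS records the registry shows in whois really are the DS records of the KSK you serve. The following Python is an added example, not part of the original post or of PowerDNS: it derives the key tag and the SHA-1 (digest type 1) and SHA-256 (digest type 2) DS digests from a DNSKEY in presentation format, which is the same computation behind the DS lines that pdnssec export-zone-dnskey prints, and compares the result against the ds_rdata lines of a whois answer. The DNSKEY, the zone name and the whois text are constructed for the example; the post's own DNSKEY is not shown.

```python
import base64
import hashlib

# Constructed example key, NOT the key from the post. Presentation format of a DNSKEY RR:
# "flags protocol algorithm base64-key"; 257 = KSK (SEP bit set), 8 = RSA/SHA-256.
SAMPLE_DNSKEY = "257 3 8 AQI="
SAMPLE_ZONE = "example.nz."

# Constructed whois fragment in the style of the .nz output quoted above.
SAMPLE_WHOIS = """\
domain_signed: yes
ds_rdata_01: 1291 8 2 {digest}
"""


def name_to_wire(name: str) -> bytes:
    """Lower-case canonical wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(dnskey_text: str) -> bytes:
    """Wire RDATA of a DNSKEY: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    flags, proto, alg, *key_b64 = dnskey_text.split()
    pubkey = base64.b64decode("".join(key_b64))
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 appendix B: a 16-bit checksum over the RDATA, not a hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(zone: str, dnskey_text: str, digest_type: int) -> str:
    """DS RDATA ("keytag alg digesttype hexdigest") for the DNSKEY, RFC 4034 section 5.1.4:
    the digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(dnskey_text)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(zone) + rdata).hexdigest()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def whois_ds_set(whois_text: str) -> set:
    """Collect every ds_rdata_NN line from .nz whois output, normalised for comparison."""
    found = set()
    for line in whois_text.splitlines():
        if line.startswith("ds_rdata_"):
            found.add(" ".join(line.split(":", 1)[1].split()).lower())
    return found


def registry_matches_key(whois_text: str, zone: str, dnskey_text: str) -> dict:
    """Compare the DS records the registry publishes with the DS records derived from our DNSKEY.
    'missing' = our DS not (yet) published; 'unknown' = published DS we cannot account for,
    typically the old KSK's DS left behind after a rollover or a typo in the submitted request."""
    ours = {ds_record(zone, dnskey_text, digest_type) for digest_type in (1, 2)}
    theirs = whois_ds_set(whois_text)
    return {"present": ours & theirs, "missing": ours - theirs, "unknown": theirs - ours}


def demo() -> dict:
    """Constructed scenario: the registry publishes only the SHA-256 DS of our sample key."""
    published = SAMPLE_WHOIS.format(digest=ds_record(SAMPLE_ZONE, SAMPLE_DNSKEY, 2).split()[3])
    return registry_matches_key(published, SAMPLE_ZONE, SAMPLE_DNSKEY)


if __name__ == "__main__":
    for digest_type in (1, 2):
        print(f"{SAMPLE_ZONE} IN DS {ds_record(SAMPLE_ZONE, SAMPLE_DNSKEY, digest_type)}")
    print(demo())
```

To use it against a real zone, paste the DNSKEY line that pdnssec export-zone-dnskey prints into SAMPLE_DNSKEY and the whois answer into the whois text. A non-empty "missing" set means the registry has not published your DS yet; a non-empty "unknown" set after a KSK rollover is the old DS that still has to be removed upstream, and any DS in that set that no longer matches a live key is exactly what breaks validation for the whole zone.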

Rolling keys (this may be wrong but it seems to work fine).. Still waiting on more information.

ZSK rollover

pdnssec show-zone               # find the old key id
pdnssec add-zone-key zsk 1024
pdnssec deactivate-zone-key     # old key id
pdnssec remove-zone-key         # old key id

KSK rollover

pdnssec show-zone               # find the old key id
pdnssec add-zone-key ksk 2048

Send the new DS records to upstream (but don't delete the old ones).
Wait until the upstream has the new DS records in their DNS.
Remove the old DS records from upstream.

pdnssec deactivate-zone-key     # old key id
pdnssec remove-zone-key         # old key id

Remember this is all very, VERY simplified and I am probably missing lots. There are many other things you have to do and think about if you want to use this in production.

I'll update this over time, but if you have any questions please let me know. If someone wants to say "you are doing this completely wrong", please do.