pdnsutil and DNSSEC

pdnsutil (previously called pdnssec) is a powerful command that is the operator-friendly gateway into PowerDNS configuration. Behind the scenes, pdnsutil manipulates a PowerDNS backend database, which also means that for many databases, pdnsutil can be run remotely, and can configure key material on different servers.

For a list of available commands, see the manpage.

DNSSEC Defaults

Since version 4.0, when securing a zone using pdnsutil secure-zone, a single ECDSA (algorithm 13, ECDSAP256SHA256) key is generated that is used as CSK. Before 4.0, 3 RSA (algorithm 8) keys were generated, one as the KSK and two ZSKs. As all keys are online in the database, it made no sense to have this split-key setup.

The default negative answer strategy is NSEC.


Not all registrars support algorithm 13.