PDNS Manager

DNSSEC

DNSSEC protects your zone's responses against tampering – resolvers can cryptographically verify that an answer really comes from you and wasn't altered in transit. PDNS Manager lets you enable or disable DNSSEC per zone without ever running pdnsutil.

How DNSSEC works (in 3 sentences)

You have two key pairs: a ZSK (zone signing key) signs each RRset, and a KSK (key signing key) signs the ZSK. A hash of the KSK – the DS record – goes to your domain registrar, who publishes it in the parent zone, so the global DNS hierarchy knows which KSK is the real one. Resolvers validate the chain from the root zone down to yours and only treat your answers as authentic once every link in that chain checks out.

Enable DNSSEC

  1. Open the zone detail page.
  2. In the DNSSEC panel on the right, flip the Enable switch.
  3. PowerDNS auto-creates a ZSK + KSK. The default is ECDSA P-256 (algorithm 13), still the recommended default in 2026.
  4. After a few seconds the panel displays the generated DS records in both common digest types (digest type 1 = SHA-1, 2 = SHA-256). Only digest type 2 matters.
example.com.  DS  12345  13  2  1A2B3C4D5E6F7890ABCDEF1234567890...

Breakdown: 12345 = key tag, 13 = DNSKEY algorithm (ECDSA P-256), 2 = digest type (SHA-256), then the digest itself – the actual fingerprint of the KSK.

Submit DS records to the registrar

Where to put them depends on the registrar. Typical names:

  • DNSSEC / DS records
  • Domain Security Extensions
  • Validation / Secure DNS

You'll need four fields: key tag, algorithm, digest type, digest. Some registrars want the DNSKEY form instead (flags / algorithm / public key) – the panel shows that too.

Verification

# Read DS records from the parent zone
dig +dnssec +short example.com DS

# See resolver-side validation
dig +dnssec +adflag example.com SOA

# Online tool for the full chain analysis
# https://dnsviz.net/d/example.com/dnssec/

The +adflag query's output should carry the ad flag ("Authentic Data") in the header. If the resolver returns SERVFAIL instead, a DS or NSEC3 setting is usually wrong.

Disabling DNSSEC

Correct order:

  1. Delete DS records at the registrar.
  2. Wait at least one TTL (typically 24 h) so caches forget the DS.
  3. Disable DNSSEC in the panel.

Key rotation

The DNSSEC panel lists active keys with tag, algorithm, status. With one click each you can:

  • Activate / deactivate keys (typical rollover: enable a new key in parallel, only remove the old one days later).
  • Delete keys.

Behind the scenes that's /api/v1/dnssec/<server>/<zone>/keys/.... Each action is logged as action=KEY_ACTIVATE / KEY_DEACTIVATE / KEY_DELETE.

NSEC vs NSEC3

PowerDNS uses NSEC by default. If you need NSEC3 (e.g. to make zone walking harder), switch it in the per-zone advanced settings – the corresponding NSEC3PARAM records get auto-created.

Common errors

  • Symptom: Resolver returns SERVFAIL.
    Cause: The registrar's DS points to a key PowerDNS no longer has. Fix: regenerate the DS from the panel's DNSKEY view and update the registrar.
  • Symptom: DNSViz reports "No DS records published".
    Cause: The DS at the registrar is missing or not yet propagated.
  • Symptom: RRSIG expired.
    Cause: PowerDNS auto-resigns on writes. If the zone has been untouched for a long time, change one record minimally to trigger re-signing.
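For the SERVFAIL case above (and the DS field breakdown in the Enable section), the useful check is whether the DS the parent publishes still matches the DNSKEY you serve. The following is an added Python example, not part of PDNS Manager or PowerDNS: it derives the key tag (RFC 4034 Appendix B) and the DS digest (hash of owner name in wire form plus DNSKEY RDATA) from a DNSKEY and compares them with a DS line as printed by dig. The DNSKEY values are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed sample DNSKEY, not a real key: flags 257 (KSK), protocol 3,
# algorithm 13 (ECDSA P-256), and a 64-byte placeholder public key (x || y).
SAMPLE_OWNER = "example.com"
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 13
SAMPLE_PUBKEY = bytes(range(1, 65))


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the empty root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey, digest_type=2) -> str:
    """Build the DS presentation line; digest = hash(owner wire name | DNSKEY RDATA)."""
    if digest_type not in (1, 2):
        raise ValueError(f"unsupported digest type {digest_type} (handles 1 = SHA-1, 2 = SHA-256)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower().rstrip('.')}. DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(published: str, owner, flags, protocol, algorithm, pubkey) -> bool:
    """Compare a DS line from the parent (dig +short output, with or without an
    owner/DS prefix; dig may split the digest with spaces) against the DNSKEY you serve."""
    tokens = published.split()
    if "DS" in tokens:
        tokens = tokens[tokens.index("DS") + 1:]
    tag, alg, dtype = int(tokens[0]), int(tokens[1]), int(tokens[2])
    digest = "".join(tokens[3:]).upper()
    expected = ds_record(owner, flags, protocol, algorithm, pubkey, dtype).split()
    return (tag, alg, digest) == (int(expected[2]), int(expected[3]), expected[5])
```

Paste the DNSKEY fields from the panel's DNSKEY view and the line from `dig +short example.com DS`; a False result means the registrar still holds a DS for a key you no longer publish.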