The DNS service contains support for DNSSEC, enabling the easy serving of DNSSEC secured data, with minimal administrative overhead.
In PowerDNS, DNS and signatures and keys are (usually) treated as separate entities.
The domain & record storage is thus almost completely devoid of DNSSEC record types.
Instead, keying material is stored separately, allowing operators to focus on the already complicated task of keeping DNS data correct.
In practice, DNSSEC related material is often stored within the same database, but within separate tables.This feature as been tested, reviewed and consolidated in Artica 4.30 Service Pack 579
If a DNSSEC configuration is found for a domain, the PowerDNS daemon will provide key records, signatures and (hashed) denials of existence automatically.
¶ Enable your domains with DNSSEC
- To Enable DNSSEC with Artica, On the left menu, choose “PowerDNS system” and “Service Parameters”.
- Turn ON the option “Domain Name System Extensions (DNSSEC)” option
- Go to local domains section
- You should see a new column called DNSSEC.
- If the status is enabled, you are able to click on the enabled label
You should see the content of your DNSSEC signatures of your domain.
If you see one domain with “Error” as label
- Click on “Repair domains” button.
- Refresh the list by clicking on the Go button of the search field.
- The domain should be turned to “Enabled” status
¶ Validating Your DNSSEC configuration.
Do not use the nslookup command-line tool to test DNSSEC support for a zone.
The nslookup tool uses an internal DNS client that is not DNSSEC-aware.
Use the Resolve-DnsName PowerShell cmdlet.
The Resolve-DnsName cmdlet was introduced in Windows Server 2012 and Windows 8 and can be used to display DNS queries that include DNSSEC data.
Command line is Resolve-DnsName HOST-TO-QUERY -type A -server DNS-SERVER -dnssecok
In our example the articatech.paris zone is signed, an RRSIG resource record was included with the DNS response