== Editing a zone ==

  • <code>pdnsutil edit-zone DOMAIN</code>

  • Increment SOA’s serial number

  • <code>pdns_control notify DOMAIN</code>

== Adding a domain ==

pdnsutil create-zone DOMAIN
pdnsutil set-kind DOMAIN master
pdnsutil secure-zone DOMAIN
pdnsutil set-nsec3 DOMAIN
pdnsutil rectify-zone DOMAIN
pdnsutil edit-zone DOMAIN

Add the following records (the NS records are mandatory; the CAA record is optional but recommended, since it restricts which CAs may issue certificates for the domain):

DOMAIN 86400 IN NS ns1.nixnet.services
DOMAIN 86400 IN NS ns2.nixnet.services
DOMAIN 86400 IN NS ns3.nixnet.services
DOMAIN 86400 IN NS ns4.nixnet.services
DOMAIN 86400 IN NS ns5.nixnet.services
DOMAIN 86400 IN CAA 0 issue "letsencrypt.org"
(replace <code>ns{1..5}.nixnet.services</code> with your respective DNS server addresses)

If you want to have wildcard certificates, add the following DNS record:
<code>DOMAIN 86400 IN CAA 0 issuewild "letsencrypt.org"</code>

After adding records, increment SOA’s serial and run:
<code>pdns_control notify DOMAIN</code>

Then set NS records on your registrar and run <code>pdnsutil show-zone DOMAIN</code> to get the DNSSEC details.
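The following POSIX shell script is an added example and is not part of this page or of the PowerDNS project. It scripts the "Adding a domain" sequence above and the serial bump plus notify from "Editing a zone". It assumes two real pdnsutil subcommands, <code>add-record</code> and <code>increase-serial</code>, in place of the interactive <code>edit-zone</code> and the manual SOA edit; the nameserver names and CA are the page's values (replace them with your own), and <code>DRY_RUN</code>, <code>ZONE</code>, <code>WILD</code> and the function names are this script's own. <code>bump_serial</code> shows what "increment SOA's serial" means for a YYYYMMDDnn serial, including the day rollover and a serial that is already above today's range.

```shell
#!/bin/sh
# Added example, not part of the original page: scripts the "Adding a domain"
# procedure (and the serial bump + notify from "Editing a zone").
# Assumptions: pdnsutil add-record and increase-serial stand in for the page's
# interactive edit-zone and manual SOA edit; NAMESERVERS and CA are the page's
# values (replace with yours); DRY_RUN is this script's own switch for
# previewing the commands on a host without PowerDNS installed.

NAMESERVERS="ns1.nixnet.services ns2.nixnet.services ns3.nixnet.services ns4.nixnet.services ns5.nixnet.services"
CA="letsencrypt.org"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the page's record set, one "NAME TTL IN TYPE CONTENT" line per record.
# A second argument of "wild" also emits the issuewild CAA record.
zone_records() {
    domain=$1; wild=${2:-}
    for ns in $NAMESERVERS; do
        printf '%s 86400 IN NS %s\n' "$domain" "$ns"
    done
    printf '%s 86400 IN CAA 0 issue "%s"\n' "$domain" "$CA"
    if [ "$wild" = "wild" ]; then
        printf '%s 86400 IN CAA 0 issuewild "%s"\n' "$domain" "$CA"
    fi
}

# Next serial in the YYYYMMDDnn convention: same day -> nn+1, new day -> 01.
# The date is a parameter (default: today, UTC) so the result is testable.
# A serial already above today's range is simply incremented so the value
# never goes backwards (secondaries would otherwise ignore the update).
bump_serial() {
    serial=$1; today=${2:-$(date -u +%Y%m%d)}
    case $serial in
        "$today"[0-9][0-9])
            nn=${serial#"$today"}
            nn=$(( ${nn#0} + 1 ))
            if [ "$nn" -gt 99 ]; then
                echo "bump_serial: no serial left for $today" >&2
                return 1
            fi
            printf '%s%02d\n' "$today" "$nn" ;;
        *)
            if [ "$serial" -ge "${today}00" ]; then
                printf '%s\n' $(( serial + 1 ))
            else
                printf '%s01\n' "$today"
            fi ;;
    esac
}

# The page's sequence, with add-record instead of the interactive edit-zone.
provision_zone() {
    domain=$1; wild=${2:-}
    run pdnsutil create-zone "$domain"
    run pdnsutil set-kind "$domain" master
    run pdnsutil secure-zone "$domain"
    run pdnsutil set-nsec3 "$domain"
    # "@" is the zone apex for pdnsutil add-record; TTL 86400 as on the page.
    zone_records "$domain" "$wild" | while read -r _ ttl _ type content; do
        run pdnsutil add-record "$domain" @ "$type" "$ttl" "$content"
    done
    run pdnsutil rectify-zone "$domain"
    run pdnsutil increase-serial "$domain"
    run pdns_control notify "$domain"
    run pdnsutil show-zone "$domain"     # DS/DNSKEY details for the registrar
}

# Runs only when a zone is named, e.g.:
#   ZONE=example.org WILD=wild DRY_RUN=1 sh provision.sh
if [ -n "${ZONE:-}" ]; then
    provision_zone "$ZONE" "${WILD:-}"
fi
```

Preview the exact commands with <code>DRY_RUN=1</code> first; without it, the script runs them on the local PowerDNS instance. The <code>bump_serial</code> helper is only needed if you edit the SOA by hand; <code>pdnsutil increase-serial</code> does the equivalent on a zone in the backend.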

=== DNSSEC settings ===

  • Key Tag: <code>CHANGEME</code>

  • Digest: <code>CHANGEME</code>

  • Digest Type: SHA-256 (2)

  • Algo: 13 (ECDSA curve P-256 with SHA-256)

(These are [https://www.namesilo.com/ NameSilo]’s input labels; other registrars use similar ones.)

=== Aftermath ===

To check everything went correctly, use the testing tool at https://dnstest2.ficora.fi/dnstest.php?lang=en

Remember to add your domain to [https://hstspreload.org/ HSTS preloading] as well once a webserver is up and running.