== Editing a zone ==
- <code>pdnsutil edit-zone DOMAIN</code>
- Increment SOA’s serial number
- <code>pdns_control notify DOMAIN</code>
== Adding a domain ==
<pre>
pdnsutil create-zone DOMAIN
pdnsutil set-kind DOMAIN master
pdnsutil secure-zone DOMAIN
pdnsutil set-nsec3 DOMAIN
pdnsutil rectify-zone DOMAIN
pdnsutil edit-zone DOMAIN
</pre>
Add the following records (the NS records are mandatory; the CAA record is optional but recommended):
<pre>
DOMAIN 86400 IN NS ns1.nixnet.services
DOMAIN 86400 IN NS ns2.nixnet.services
DOMAIN 86400 IN NS ns3.nixnet.services
DOMAIN 86400 IN NS ns4.nixnet.services
DOMAIN 86400 IN NS ns5.nixnet.services
DOMAIN 86400 IN CAA 0 issue "letsencrypt.org"
</pre>
(replace <code>ns{1..5}.nixnet.services</code> with your respective DNS server addresses)
If you want to have wildcard certificates, add the following DNS record:
<code>DOMAIN 86400 IN CAA 0 issuewild "letsencrypt.org"</code>
After adding records, increment SOA’s serial and run:
<code>pdns_control notify DOMAIN</code>
Then set the NS records at your registrar and run <code>pdnsutil show-zone DOMAIN</code> to get the DNSSEC details.
=== DNSSEC settings ===
- Key Tag: <code>CHANGEME</code>
- Digest: <code>CHANGEME</code>
- Digest Type: SHA-256 (2)
- Algo: 13 (ECDSA curve P-256 with SHA-256)
(using [https://www.namesilo.com/ NameSilo]’s input labels, but should be similar on other registrars.)
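To catch a mistyped Key Tag or Digest before the registrar publishes a DS record that does not match the zone's key, the two values can be recomputed from the zone's DNSKEY record. The Python below is an added example, not part of the original page or of PowerDNS; the function names and the sample key are constructed for illustration, and the real flags, protocol, algorithm and base64 key are assumed to be copied from the zone's DNSKEY record.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    key = base64.b64decode("".join(pubkey_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Canonical owner name: lowercased, length-prefixed labels, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")  # IDNs must already be in punycode form
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name | DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()

def ds_matches(owner, rdata, registrar_tag, registrar_digest):
    """True only if both values entered at the registrar match the key."""
    digest = "".join(registrar_digest.split()).upper()
    return registrar_tag == key_tag(rdata) and digest == ds_sha256(owner, rdata)

# Constructed sample, not a real key: 64 bytes 0x00..0x3F standing in for a
# P-256 public key, with flags 257 (KSK), protocol 3, algorithm 13.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, SAMPLE_KEY_B64)

if __name__ == "__main__":
    owner = "example.org"  # placeholder for DOMAIN
    print("Key Tag:", key_tag(SAMPLE_RDATA))
    print("Digest :", ds_sha256(owner, SAMPLE_RDATA))
```

If <code>ds_matches</code> returns false for the values in the registrar form, correct them before saving: a DS record that does not match the key makes the zone fail validation on DNSSEC-validating resolvers.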
=== Aftermath ===
To check that everything went correctly, use the testing tool at https://dnstest2.ficora.fi/dnstest.php?lang=en
Remember to add your domain to [https://hstspreload.org/ HSTS preloading] as well after getting a webserver up and running.