SANOG 41 DNS workshop


While DNSSEC is an extremely complex topic, this lab makes use of the PowerDNS online signing method with the PowerDNS admin web UI. At this point we already have primary & secondary servers running with zone replication as well as (support for) DNSSEC enabled.

All that is left to make use of DNSSEC is to sign our zone and provide the DS records to the upper zone (

Step 1: Sign your zone

In the PowerDNS admin panel, click on the “red open lock” next to the domain under the DNSSEC section and select “Enable”.

This should now show a closed lock next to your domain. This means the domain is now signed.

Step 2: Upload DS records to upstream

Normally this step is done at the registrar level for a full-fledged domain. But since the lab is based on sub-zones under the main zone -, you need to provide your DS records to the lab instructor, who will add these at the zone.

Click on the green lock to view the DS records:


You can ignore the first record and simply provide the 2nd and 3rd records. You can upload DS records from here. Be careful when copy-pasting to ensure the complete record has been selected before copying. There is an invisible horizontal scroll on it.
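
The copy-paste caveat above can be checked mechanically: a DS record's digest has a fixed length for each digest type, so a record cut off by the hidden scroll fails a length check. This is an added example, not part of the workshop material; it assumes each record is pasted as "keytag algorithm digest-type digest" (optionally with owner, TTL, IN and DS in front), and the sample records are constructed.

```python
# Added example: sanity-check copied DS records before handing them upstream.
# Assumed input form: "[owner] [ttl] [IN] [DS] keytag algorithm digest-type digest".

# Digest length in bytes for each DS digest type (IANA registry values).
DIGEST_BYTES = {1: 20, 2: 32, 3: 32, 4: 48}
HEX = set("0123456789abcdefABCDEF")


def check_ds(line):
    """Return (ok, message) for one DS record line."""
    fields = line.split()
    upper = [f.upper() for f in fields]
    if "DS" in upper:  # drop owner/TTL/class up to the DS type word
        fields = fields[upper.index("DS") + 1:]
    if len(fields) < 4:
        return False, "expected: keytag algorithm digest-type digest"
    keytag, alg, dtype = fields[:3]
    digest = "".join(fields[3:])  # presentation format may split the hex
    if not all(f.isascii() and f.isdecimal() for f in (keytag, alg, dtype)):
        return False, "keytag, algorithm and digest type must be numbers"
    if int(keytag) > 65535 or int(alg) > 255:
        return False, "keytag or algorithm out of range"
    want = DIGEST_BYTES.get(int(dtype))
    if want is None:
        return False, "unknown digest type " + dtype
    if not set(digest) <= HEX:
        return False, "digest contains non-hex characters"
    if len(digest) != 2 * want:
        return False, "digest has %d hex chars, type %s needs %d (truncated copy?)" % (
            len(digest), dtype, 2 * want)
    return True, "ok"


# Constructed sample records (not real keys): two complete, one cut short.
SAMPLE = [
    "12345 13 2 " + "ab" * 32,
    "12345 13 4 " + "cd" * 48,
    "12345 13 4 " + "cd" * 30,
]

if __name__ == "__main__":
    for rec in SAMPLE:
        ok, msg = check_ds(rec)
        print("OK  " if ok else "BAD ", rec[:40] + "...", "-", msg)
```

A record that passes this check is only well-formed; whether it matches the zone's key is what Step 3 verifies.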

Step 3: Verify DNSSEC working

Check out the Verisign Labs or DNSViz tool, enter your domain e.g and verify that there are no errors. The output should look like this:

Verisign labs DNSSEC Check