How to list domains with DNSSEC

This tutorial applies to a cPanel server with PowerDNS installed.

To list the domains on your server that are configured with DNSSEC (Domain Name System Security Extensions), log in as root and run the following command:

pdnssec list-secure-zones

The result will be something like:

root@web [~]# pdnssec list-secure-zones
  Mar 08 15:52:08 [bindbackend] Done parsing domains, 0 rejected, 12 new, 0 removed
  yourdomain1.com
  yourdomain2.com
  All secure zonecount:1
root@web [~]#

yourdomain1.com, yourdomain2.com, etc. are the domains that use DNSSEC.
To list the key details for a domain with DNSSEC, use the command:

pdnssec show-zone yourdomain1.com

For example, for our domain demo.plothost.com, the output is:

root@web [~]# pdnssec show-zone demo.plothost.com
Mar 08 13:04:11 [bindbackend] Done parsing domains, 0 rejected, 463 new, 0 removed
Zone is not presigned
Zone has NARROW hashed NSEC3 semantics, configuration: 1 0 7 78326f1db1405ff2
keys:
ID = 3 (KSK), tag = 57434, algo = 8, bits = 2048        Active: 1 ( RSASHA256 )
KSK DNSKEY = demo.plothost.com IN DNSKEY 257 3 8 AwEAAaZVe21ROtKfWtzQrB2tPd4kP0+cautYOsgbWtPkHy6l0WBDcXQFRennP/uJIDsbfdDkjP1l4SrdpOM5NI01CtE6QTvHDA32L4Z8L9N5qmQ+YkAe+Vk09tNQVKYMfiN/sMA4xQIHQ8KAvky4jMn+fr2k6WvE/QyQPtjYAEoXt1uOiGCSFE7njCx9maikt/WT5YrZEQ5ncJjzzPU3IGdznlJc2sDV+NXbDHVqjH0Bd0GlIp7l/2Io5sAcnlusvi2u5Dawa1aLidfNyLIlmEmzqy98djDFD8vu627E9zmZ74M0YCBbfD6oRpmmXj1SRkc+GhIFN2HvqnkJyf/k1gvG2ms= ; ( RSASHA256 )
DS = demo.plothost.com IN DS 57434 8 1 49708717a42d565c741fe3d6ece70d648c8a6d7b ; ( SHA1 digest )
DS = demo.plothost.com IN DS 57434 8 2 c255d52f2386a15b8e3181a6596b47d0b96911bf044c55e6df6c3387294b3150 ; ( SHA256 digest )
DS = demo.plothost.com IN DS 57434 8 4 716c0d1c8b33bd01e8beb218924abf62e7ac531c056e073ad2dec2720bc4e57a693f18af75a410484ca1438208c0390e ; ( SHA-384 digest )

ID = 4 (ZSK), tag = 1318, algo = 8, bits = 1024 Active: 1 ( RSASHA256 )
root@web [~]#
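
The two commands above combined into one pass, as an added example that is not part of the original tutorial: it filters the zone names out of list-secure-zones, runs show-zone for each, and prints one line per key, marking RSA keys under 2048 bits and SHA-1 DS records for review. The function names, the REVIEW thresholds and the reliance on the output layout shown above are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise DNSSEC keys for every secure zone (run as root).
# Parsing assumes the pdnssec output layout shown on this page.

# Zone names from `pdnssec list-secure-zones`: keep single-word lines that
# look like a domain; this drops the backend log line and the zone count.
secure_zones() {
  awk 'NF == 1 && $1 ~ /\./ && $1 !~ /:/ { print $1 }'
}

# One line per key from `pdnssec show-zone`, plus one line per SHA-1 DS.
# The REVIEW thresholds are a policy choice of this example, not of pdnssec.
key_report() {
  awk '
    $1 == "ID" && $2 == "=" {
      role = $4;  gsub(/[(),]/, "", role)
      tag = $7;   sub(/,/, "", tag)
      algo = $10; sub(/,/, "", algo)
      bits = $13; note = ""
      # Algorithms 5, 7, 8 and 10 are the RSA-based DNSSEC algorithms.
      if (algo ~ /^(5|7|8|10)$/ && bits + 0 < 2048) note = " REVIEW:rsa-under-2048"
      print "key " role " tag=" tag " algo=" algo " bits=" bits note
    }
    # DS digest type 1 is SHA-1.
    $1 == "DS" && $5 == "DS" && $8 == 1 {
      print "ds tag=" $6 " digest-type=1 REVIEW:sha1-digest"
    }'
}

# Sample: key and DS lines copied from the demo.plothost.com output above.
SAMPLE_SHOW_ZONE='ID = 3 (KSK), tag = 57434, algo = 8, bits = 2048        Active: 1 ( RSASHA256 )
DS = demo.plothost.com IN DS 57434 8 1 49708717a42d565c741fe3d6ece70d648c8a6d7b ; ( SHA1 digest )
DS = demo.plothost.com IN DS 57434 8 2 c255d52f2386a15b8e3181a6596b47d0b96911bf044c55e6df6c3387294b3150 ; ( SHA256 digest )
ID = 4 (ZSK), tag = 1318, algo = 8, bits = 1024 Active: 1 ( RSASHA256 )'

if command -v pdnssec >/dev/null 2>&1; then
  pdnssec list-secure-zones 2>&1 | secure_zones | while read -r zone; do
    echo "== $zone"
    pdnssec show-zone "$zone" 2>&1 | key_report
  done
else
  # No PowerDNS on this machine: run the report over the embedded sample.
  printf '%s\n' "$SAMPLE_SHOW_ZONE" | key_report
fi
```

For the demo.plothost.com output above, the report marks the 1024-bit ZSK and the SHA-1 DS record, and leaves the 2048-bit KSK unmarked.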
