I’ve been working on a DNSSEC reference card or cheat sheet for some time now, and I’ve found it particularly difficult to determine what should be on it and what shouldn’t. I decided to start off with configuration snippets for the more popular name servers (BIND, NSD, Unbound, and PowerDNS) and work from there.

The reference card contains information on signing and serving zones authoritatively, TSIG signatures and SIG(0)-protected updates to a BIND name server, some configuration hints for recursive servers, and snippets for PowerDNS. Please be my guest and look at the reference card, and please do also come back here and tell me what you think of it. I’ll gladly consider additions and changes to the card. Within reason. :-)


  • 2011-06-23 Suggestions by @marcodavids and @fanf incorporated.
  • 2011-12-16 New SOA-EDIT function in PowerDNS
  • 2012-06-30 Typo in PowerDNS data removed and emphasis on clocks, thanks to Job Snijders.

DNS, powerdns, dnssec, BIND, NSD, and Unbound :: 24 Apr 2011