5. Records, Keys, signatures, hashes for presigned zones

When PowerDNS serves pre-signed zones, it uses signature material present in the pre-signed zone. Presigning can be done with any DNSSEC signer, for example dnssec-signzone from ISC, ldns-signzone from NLNetLabs or OpenDNSSEC.

PowerDNS only performs DNSSEC processing on DNSSEC zones, so when a pre-signed zone is loaded, PowerDNS should be told about its DNSSEC details.

This can be achieved by using the 'pdnssec' tool, or by filling out the database directly. Via pdnssec, issue 'pdnssec set-presigned zone-name'. In addition, if the zone uses NSEC3 rather than NSEC, issue 'pdnssec set-nsec3 zone-name nsec3-setting', where nsec3-setting should be taken from the NSEC3PARAM record of the zone.
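
The pdnssec steps above as an added shell example (not taken from the PowerDNS documentation): it reads the NSEC3PARAM record out of a zone listing and prints the matching pdnssec commands for review instead of running them. The zone example.net, its records and the helper names nsec3_setting and presign_commands are constructed for illustration; input is assumed to be one record per line in 'owner ttl class type rdata' form, as a zone transfer listing prints it.

```shell
#!/bin/sh
# Constructed sample: records of interest from a pre-signed zone.
# example.net and every value below are made up for this illustration.
SAMPLE_ZONE='example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2024010101 10800 3600 604800 3600
example.net. 3600 IN NS ns1.example.net.
example.net. 0 IN NSEC3PARAM 1 0 10 AABBCCDD'

# Hypothetical helper: print the apex NSEC3PARAM rdata ("algo flags iterations
# salt") found on stdin, print nothing if the zone has none (plain NSEC), and
# fail with status 2 if the record is malformed.
nsec3_setting() {
    awk -v apex="${1%.}." '
        tolower($1) == tolower(apex) && toupper($4) == "NSEC3PARAM" {
            if ($5 !~ /^[0-9]+$/ || $6 !~ /^[0-9]+$/ || $7 !~ /^[0-9]+$/ ||
                $8 !~ /^(-|[0-9A-Fa-f]+)$/ || NF != 8)
                exit 2
            print $5, $6, $7, $8
            exit 0
        }'
}

# Hypothetical helper: print (not run) the pdnssec commands for zone $1,
# reading the zone listing on stdin.
presign_commands() {
    setting=$(nsec3_setting "$1") || return 1
    echo "pdnssec set-presigned $1"
    # The setting contains spaces; quote it so it stays one argument.
    if [ -n "$setting" ]; then
        echo "pdnssec set-nsec3 $1 '$setting'"
    fi
}

printf '%s\n' "$SAMPLE_ZONE" | presign_commands example.net
```

A zone without an NSEC3PARAM record yields only the set-presigned line, and a malformed NSEC3PARAM makes presign_commands fail without printing anything.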

When a pre-signed zone is slaved from a master, PowerDNS will check for changes in the SOA serial number. Additionally, the RRSIG of the SOA record is monitored, and any change to it will lead to a retransfer of the zone.