PowerDNS is a very versatile DNS name server and it is in widespread use. For a long time the PowerDNS team refused to even consider implementing DNSSEC, although that is changing: after an initial announcement, there is currently a version that purports to support zone signing. Whether or not it works is beyond the scope of this.
If you have PowerDNS deployed and are interested in getting some or all of the zones contained therein signed, carry on reading.
I’m assuming you’ve configured PowerDNS to act as a master, and that you are using PowerDNS’ OpenDBX back-end (and if you aren’t you should ask yourself why you aren’t; the OpenDBX back-end is the most flexible and resilient of the PowerDNS database back-ends). Ideally, you have OpenDBX set up to use automatic serial numbering, which makes life very easy. (This does require MySQL triggers, so version 5.x is needed.)
You then deploy OpenDNSSEC, and configure its
zone_fetcher to AXFR
transfer zones from your PowerDNS master server.
You’ll have to ensure that DNS notifications sent from PowerDNS are received
zone_fetcher. If need be, have the latter listen on one of
your loopback interfaces (e.g.
127.0.0.2). I had to remove some of
zone_fetcher’s checks for this to work. In
- Search for “drop bad notify” and comment out that block of code.
- Search for “refused message from” and comment out that block of code as well.
These two changes decrease security, but since
zone_fetcher is on a loopback
address, that shouldn’t be a great issue.
In order to test zone notifications from PowerDNS to OpenDNSSEC, you can also use the following command:
Works like a charm.