PowerDNS is a very versatile DNS name server and it is in widespread use. For a long time the PowerDNS team refused to even consider implementing DNSSEC, although that is changing: after an initial announcement, there is currently a version that purports to support zone signing. Whether or not it works is beyond the scope of this post.

If you have PowerDNS deployed and are interested in getting some or all of the zones contained therein signed, carry on reading.

I’m assuming you’ve configured PowerDNS to act as a master, and that you are using PowerDNS’ OpenDBX back-end (and if you aren’t you should ask yourself why you aren’t; the OpenDBX back-end is the most flexible and resilient of the PowerDNS database back-ends). Ideally, you have OpenDBX set up to use automatic serial numbering, which makes life very easy. (This does require MySQL triggers, so version 5.x is needed.)

You then deploy OpenDNSSEC, and configure its zone_fetcher to AXFR transfer zones from your PowerDNS master server.

You’ll have to ensure that DNS notifications sent from PowerDNS are received by OpenDNSSEC’s zone_fetcher. If need be, have the latter listen on one of your loopback interfaces. I had to remove some of zone_fetcher’s checks for this to work. In opendnssec/signer/tools/zone_fetcher.c:

  • Search for “drop bad notify” and comment out that block of code.
  • Search for “refused message from” and comment out that block of code as well.

These two changes decrease security, but since zone_fetcher is on a loopback address, that shouldn’t be a great issue.
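To make clear what those two commented-out blocks are guarding, here is an added example (my own code, not part of the post or of OpenDNSSEC) that builds a DNS NOTIFY packet as PowerDNS would send it and then applies the two checks a receiver such as zone_fetcher performs before scheduling an AXFR: a source-address check (I assume this is what the “refused message from” block does) and a well-formedness check that the packet is a NOTIFY query for SOA/IN on a zone the signer actually serves (assumed to be the “drop bad notify” block). The packet, the address 127.0.0.1 and the zone name are constructed test data; the reason strings merely mirror the post’s two search phrases. With this in hand you can decide whether to keep the checks and simply add the loopback address to the allowed masters instead of removing them.

```python
import struct

NOTIFY_OPCODE = 4   # DNS NOTIFY opcode, RFC 1996
TYPE_SOA = 6
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_notify(zone, msg_id=0x1234):
    """Construct a NOTIFY query (QR=0, opcode 4, AA=1) with one SOA/IN question."""
    flags = (NOTIFY_OPCODE << 11) | (1 << 10)          # opcode bits 11-14, AA bit 10
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def decode_name(data, offset):
    """Read an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in NOTIFY question")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def parse_notify(packet):
    """Parse the header and the single question of a NOTIFY; raise ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("short packet")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    zone, off = decode_name(packet, 12)
    if len(packet) < off + 4:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {
        "id": msg_id,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,
        "zone": zone.lower(),
        "qtype": qtype,
        "qclass": qclass,
    }


def accept_notify(packet, src_addr, allowed_masters, zones):
    """Return (accepted, reason), applying the two checks the post comments out."""
    # Check 1 (assumed to correspond to "refused message from"): only listed masters may notify.
    if src_addr not in allowed_masters:
        return False, "refused message from %s" % src_addr
    # Check 2 (assumed to correspond to "drop bad notify"): must be a NOTIFY query for a known zone.
    try:
        msg = parse_notify(packet)
    except ValueError as err:
        return False, "drop bad notify: %s" % err
    if msg["qr"] != 0 or msg["opcode"] != NOTIFY_OPCODE \
            or msg["qtype"] != TYPE_SOA or msg["qclass"] != CLASS_IN:
        return False, "drop bad notify: not a NOTIFY for SOA/IN"
    if msg["zone"] not in zones:
        return False, "drop bad notify: unknown zone %s" % msg["zone"]
    return True, "notify for %s accepted, schedule AXFR" % msg["zone"]


if __name__ == "__main__":
    # Constructed scenario: PowerDNS on the loopback notifies for example.com.
    pkt = build_notify("example.com")
    print(accept_notify(pkt, "127.0.0.1", {"127.0.0.1"}, {"example.com."}))
    print(accept_notify(pkt, "192.0.2.7", {"127.0.0.1"}, {"example.com."}))
```

In a real listener the bytes and peer address would come from a UDP socket’s recvfrom(); the point here is that the first check is satisfied by listing the loopback address PowerDNS sends from, which keeps the protection against notifications from arbitrary hosts that the post trades away.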

In order to test zone notifications from PowerDNS to OpenDNSSEC, you can also use the following command:

    pdns_control notify-host example.com

Works like a charm.

DNS, powerdns, dnssec, and opendbx :: 15 Sep 2010 :: e-mail