PDNS4 Backend
PDNS4 Configuration
The version of PowerDNS in Ubuntu Xenial is pdns4. It has a different DB schema and is incompatible with the legacy PowerDNS driver. In PDNS 4 the API was marked stable, and this is what we will use.
You will need to configure PowerDNS and its database before performing these steps.
You will need to use a database backend for PowerDNS’s API to function.
See PowerDNS Docs for details.
Enable the API in the pdns.conf file:
webserver=yes
api=yes
api-key=changeme
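Configure the PowerDNS backend using this sample target snippet. The api_token value must match the api-key set in pdns.conf; changeme is a placeholder and should be replaced with a long random value in both files.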
targets:
  - type: pdns4
    description: PowerDNS4 DNS Server

    # List out the designate-mdns servers from which PowerDNS servers should
    # request zone transfers (AXFRs) from.
    masters:
      - host: 192.0.2.1
        port: 5354

    # PowerDNS Configuration options
    options:
      host: 192.0.2.1
      port: 53
      api_endpoint: http://127.0.0.1:8081
      api_token: changeme
      api_ca_cert: /etc/ssl/certs/ca-certificates.crt
      # If a tsigkey is needed, uncomment the line below and insert the name
      # tsigkey_name: <keyname>
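A pre-flight check that cross-references the two snippets above before the pool is updated. This is an added example, not part of Designate or PowerDNS; the function names and finding texts are hypothetical, and the embedded sample values are copied from this page so it runs offline.

```python
from urllib.parse import urlparse

PLACEHOLDERS = {"", "changeme"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# The page's own sample values, embedded so the check runs offline.
PAGE_PDNS_CONF = "webserver=yes\napi=yes\napi-key=changeme\n"
PAGE_OPTIONS = {
    "host": "192.0.2.1", "port": 53,
    "api_endpoint": "http://127.0.0.1:8081",
    "api_token": "changeme",
    "api_ca_cert": "/etc/ssl/certs/ca-certificates.crt",
}

def parse_pdns_conf(text):
    """Parse pdns.conf 'key=value' lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def check_pdns4_target(pdns_conf_text, options):
    """Return findings for one pdns4 target's 'options' mapping."""
    conf = parse_pdns_conf(pdns_conf_text)
    findings = []
    for key in ("webserver", "api"):
        if conf.get(key) != "yes":
            findings.append(f"pdns.conf: {key}=yes not found")
    api_key = conf.get("api-key", "")
    if api_key.lower() in PLACEHOLDERS:
        findings.append("pdns.conf: api-key is empty or a placeholder")
    if str(options.get("api_token", "")) != api_key:
        findings.append("api_token does not match pdns.conf api-key")
    url = urlparse(str(options.get("api_endpoint", "")))
    if url.scheme != "https":
        if url.hostname not in LOOPBACK:
            findings.append("api_endpoint carries the API key over plain HTTP off-host")
        if options.get("api_ca_cert"):
            findings.append("api_ca_cert has no effect on a non-https api_endpoint")
    return findings

if __name__ == "__main__":
    for finding in check_pdns4_target(PAGE_PDNS_CONF, PAGE_OPTIONS):
        print("FINDING:", finding)
```

Run against the page's sample values, it reports the placeholder API key and the unused api_ca_cert; the loopback http endpoint itself is not flagged.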
Then update the pools in Designate:
$ designate-manage pool update
See designate-manage pool for further details on the designate-manage pool command, and DNS Server Pools for information about the yaml file syntax.
TSIG Key Configuration
Note: This is only available in PowerDNS 4.2 or newer.
In some cases a deployer may need to use TSIG keys to sign AXFR (zone transfer) requests. As pdns does not support a per-host key setup, the key must be set on a per-zone basis, when the zone is created.
To do this, generate a TSIG key on the PowerDNS server:
$ pdnsutil generate-tsig-key <keyname> hmac-sha512
Create new TSIG key keyname hmac-sha512 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg==
Then insert it into Designate. Make sure the pool id is correct (the --resource-id below).
openstack tsigkey create --name <keyname> --algorithm hmac-sha512 --secret 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg== --scope POOL --resource-id 794ccc2c-d751-44fe-b57f-8894c9f5c842
Then add it to the pools.yaml file as shown in the example. The ID used is the name of the key in the PowerDNS server.