[Pdns-users] DNSSEC rectify-zone setuid and setgid

Leen Besselink leen at consolejunkie.net
Sun Aug 21 22:52:17 UTC 2011

On 08/05/2011 06:31 AM, kim Doff wrote:
> Hello,

> Could you help me?

Well, I can try and give you some information and pointers.

> 1.
> DNSSEC Master/Slave are working faultlessly.
> I have PowerDNS v3, PowerAdmin 2.1.5 and MySQL Database Replication
> With SSL Encryption. 
> Here is my question.
> When I modify zone domain.com <http://domain.com> through PowerAdmin
> by adding a subdomain like test.domain.com <http://test.domain.com>
> Master/Slave are updated (SOA serial is updated) 
> but Master/Slave do not bind test.domain.com <http://test.domain.com>,
> I have to rectify zone domain.com <http://domain.com> in Master
> to bind test.domain.com <http://test.domain.com> in Master/Slave
> # pdnssec rectify-zone domain.com <http://domain.com>
> Is there a way to do it automatically through PowerDNS?

First you'll have to know where all the documentation is:

Next you should know that if you choose how PowerDNS should do the
live-signing for the domain.

If you choose one that does not need an ordered zone, like for example
NSEC3-narrow, you can just add the right auth=TRUE to the database and
it will 'just work'.

Because that is all that rectify-zone does for un-ordered zones.

(zone-transfers will not be signed by the way with NSEC3-narrow, if I
remember correctly, if you need them you might not what to choose that)

> 2.
> When I enable setuid=pdns and setgid=pdns in pdns.conf,
> Master/Slave are down.

Have you tried running pdns_server with --daemon=no --guardian=no
--config=/your-config ? I think this should not detach from the console.
If you also add something like strace -f -F than you can also see what
is doing.

There most be something that the pdns-user or -group does not have
rights to that it needs.

> Why?
> Thanks,
> Kim

More information about the Pdns-users mailing list