[Pdns-users] Trying to find a simple "how to" - pdnsutil secure-zone version
Edward Lewis
edward.lewis at icann.org
Tue Apr 9 12:59:22 UTC 2019
My background - involved with DNS and DNSSEC over 20 years. Have a lot of experience with ISC's BIND tools and some experience with NLnet Lab's tools. Now I've been asked to conduct a training session with an organization that uses PowerDNS. As much as I know of PowerDNS (people, concept), I've never tried to download and run the code before.
My problem - I haven't been able to find a clear "how to" for setting up PowerDNS managed/automatic DNSSEC. I have found a lot of resources - some old (2012) and others somewhat incomplete, but nothing giving me a simple step by step "recipe" for DNSSEC signing.
What I have done - gotten a simple BIND backend up and running. Simple, static example.com stuff.
Cutting to the chase, I stumbled across this:
https://computingforgeeks.com/how-to-install-mariadb-10-3-on-ubuntu-16-04-lts-xenial/
And I have MariaDB running on my test machine. (Ubuntu 16.4 and MariaDB 10.3.)
Then I read this:
https://doc.powerdns.com/authoritative/migration.html
I tried this command:
zone2sql --named-conf=/path/to/named.conf --gmysql | mysql -u pdns -p pdns-db
adjusting the "/path/to" first. The pre--pipe command spit out what I'd expect. The latter command complained about the -u (fixed that) and then the -p, but I don't know how to fix that.
I then tried:
pdnsutil load-zone example.com /tmp/example.com.zone
adjusting the "/tmp" to my situation. The command had no response - I can't figure out what was supposed to happen (given the documentation), so I don't know what, if anything, was broken.
Why am I down this path?
My goal is to be able to use this command:
$ pdnsutil secure-zone powerdnssec.org
as found on https://doc.powerdns.com/authoritative/dnssec/index.html.
But I can't figure out how to launch a backend that can be signed.
What launched my journey into MariaDB was this. With the simple BIND backend:
# pdnsutil secure-zone example.com
Securing zone with default key size
Adding CSK with algorithm ecdsa256
No backend was able to secure 'example.com.', most likely because no DNSSEC
capable backends are loaded, or because the backends have DNSSEC disabled.
For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or
'gpgsql-dnssec' flag. Also make sure the schema has been updated for DNSSEC!
I bet there's something simple needed to load a schema into my MariaDB instance, etc., and point PowerDNS at it, somehow, someway. (I'm no DB expert, so my terms are off here...)
If there's a prepared "how to" (that is current) - just point me to it. If not, please fill me in...;)
More information about the Pdns-users
mailing list