[Pdns-users] Trying to find a simple "how to" - pdnsutil secure-zone version

Otto Moerbeek otto at drijf.net
Tue Apr 9 13:17:10 UTC 2019


On Tue, Apr 09, 2019 at 12:59:22PM +0000, Edward Lewis wrote:

> My background - involved with DNS and DNSSEC over 20 years.  Have a lot of experience with ISC's BIND tools and some experience with NLnet Lab's tools.  Now I've been asked to conduct a training session with an organization that uses PowerDNS.  As much as I know of PowerDNS (people, concept), I've never tried to download and run the code before.
> 
> My problem - I haven't been able to find a clear "how to" for setting up PowerDNS managed/automatic DNSSEC.  I have found a lot of resources - some old (2012) and others somewhat incomplete, but nothing giving me a simple step by step "recipe" for DNSSEC signing.
> 
> What I have done - gotten a simple BIND backend up and running.  Simple, static example.com stuff.
> 
> Cutting to the chase, I stumbled across this:
> https://computingforgeeks.com/how-to-install-mariadb-10-3-on-ubuntu-16-04-lts-xenial/
> 
> And I have MariaDB running on my test machine.  (Ubuntu 16.4 and MariaDB 10.3.)
> 
> Then I read this:
> https://doc.powerdns.com/authoritative/migration.html

Before loading zones, you need to make sure pdns.conf is set up to use
the database, as described in

https://docs.powerdns.com/authoritative/guides/basic-database.html 

Did you do that step? Including the validation by starting pdns in
the foreground?

> 
> I tried this command:
> zone2sql --named-conf=/path/to/named.conf --gmysql | mysql -u pdns -p pdns-db
> 
> adjusting the "/path/to" first.  The pre-pipe command spit out what I'd expect.  The latter command complained about the -u (fixed that) and then the -p, but I don't know how to fix that.

Please show the commands issued and the error messages exactly. That
helps us find the actual problem.

Before we continue, please make sure the pdns -> mysql connection is
set up correctly.

	-Otto


> 
> I then tried:
> pdnsutil load-zone example.com /tmp/example.com.zone
> 
> adjusting the "/tmp" to my situation.  The command had no response - I can't figure out what was supposed to happen (given the documentation), so I don't know what, if anything, was broken.
> 
> Why am I down this path?
> 
> My goal is to be able to use this command:
> $ pdnsutil secure-zone powerdnssec.org
> as found on https://doc.powerdns.com/authoritative/dnssec/index.html.
> 
> But I can't figure out how to launch a backend that can be signed.
> 
> What launched my journey into MariaDB was this.  With the simple BIND backend:
> 
> # pdnsutil secure-zone example.com
> 
> Securing zone with default key size
> Adding CSK with algorithm ecdsa256
> No backend was able to secure 'example.com.', most likely because no DNSSEC
> capable backends are loaded, or because the backends have DNSSEC disabled.
> For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or
> 'gpgsql-dnssec' flag. Also make sure the schema has been updated for DNSSEC!
> 
> I bet there's something simple needed to load a schema into my MariaDB instance, etc., and point PowerDNS at it, somehow, someway.  (I'm no DB expert, so my terms are off here...)
> 
> If there's a prepared "how to" (that is current) - just point me to it.  If not, please fill me in...;)
> 
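The pdnsutil message quoted in the thread names three Generic SQL backend flags. The following added example, which is not part of either message and is not PowerDNS code, checks pdns.conf text for a launched Generic SQL backend with its `-dnssec` flag set. The function names and sample configurations are constructed for illustration, and the check does not verify that the database schema has been updated for DNSSEC.

```python
# Added example (not PowerDNS code): check pdns.conf text for the condition
# behind the "No backend was able to secure" message quoted in the thread.
GSQL_BACKENDS = ("gsqlite3", "gmysql", "gpgsql")  # the three named in that message

def parse_conf(text):
    """Parse key=value lines. Simplification: only whole-line '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.endswith("+"):  # 'launch+=gmysql' appends to an earlier value
            key = key[:-1].strip()
            value = ",".join(v for v in (conf.get(key, ""), value) if v)
        conf[key] = value
    return conf

def dnssec_report(text):
    """Map each launched backend to its DNSSEC status or the setting to add."""
    conf = parse_conf(text)
    report = {}
    for entry in (e.strip() for e in conf.get("launch", "").split(",")):
        if not entry:
            continue
        module, _, instance = entry.partition(":")  # e.g. 'gmysql:primary'
        if module not in GSQL_BACKENDS:
            report[entry] = "not checked"  # e.g. bind; outside this sketch
            continue
        prefix = f"{module}-{instance}" if instance else module
        # Conservative: only the documented spelling 'yes' counts as enabled.
        if conf.get(f"{prefix}-dnssec", "no") == "yes":
            report[entry] = "dnssec enabled"
        else:
            report[entry] = f"set {prefix}-dnssec=yes"
    return report

def can_secure(text):
    """True when at least one launched Generic SQL backend has DNSSEC enabled."""
    return "dnssec enabled" in dnssec_report(text).values()

# Constructed sample configurations (placeholder values, not from the thread).
BIND_ONLY = "launch=bind\nbind-config=/path/to/named.conf\n"
GMYSQL_NO_FLAG = "launch=gmysql\ngmysql-dbname=pdns-db\ngmysql-user=pdns\n"
GMYSQL_DNSSEC = GMYSQL_NO_FLAG + "# enable signing support\ngmysql-dnssec=yes\n"

if __name__ == "__main__":
    for name, text in [("bind", BIND_ONLY), ("gmysql", GMYSQL_NO_FLAG),
                       ("gmysql+dnssec", GMYSQL_DNSSEC)]:
        print(name, dnssec_report(text), can_secure(text))
```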