[Pdns-users] Trying to find a simple "how to" - pdnsutil secure-zone version
Otto Moerbeek
otto at drijf.net
Tue Apr 9 13:17:10 UTC 2019
On Tue, Apr 09, 2019 at 12:59:22PM +0000, Edward Lewis wrote:
> My background - involved with DNS and DNSSEC over 20 years. Have a lot of experience with ISC's BIND tools and some experience with NLnet Lab's tools. Now I've been asked to conduct a training session with an organization that uses PowerDNS. As much as I know of PowerDNS (people, concept), I've never tried to download and run the code before.
>
> My problem - I haven't been able to find a clear "how to" for setting up PowerDNS managed/automatic DNSSEC. I have found a lot of resources - some old (2012) and others somewhat incomplete, but nothing giving me a simple step by step "recipe" for DNSSEC signing.
>
> What I have done - gotten a simple BIND backend up and running. Simple, static example.com stuff.
>
> Cutting to the chase, I stumbled across this:
> https://computingforgeeks.com/how-to-install-mariadb-10-3-on-ubuntu-16-04-lts-xenial/
>
> And I have MariaDB running on my test machine. (Ubuntu 16.4 and MariaDB 10.3.)
>
> Then I read this:
> https://doc.powerdns.com/authoritative/migration.html
Before loading zones, you need to make sure pdns.conf is set up to use
the database, as described in
https://docs.powerdns.com/authoritative/guides/basic-database.html
Did you do that step? Including the validation by starting pdns in
the foreground?
>
> I tried this command:
> zone2sql --named-conf=/path/to/named.conf --gmysql | mysql -u pdns -p pdns-db
>
> adjusting the "/path/to" first. The pre-pipe command spit out what I'd expect. The latter command complained about the -u (fixed that) and then the -p, but I don't know how to fix that.
Please show the commands issued and the error messages exactly. That
helps us find the actual problem.
Before we continue, please make sure the pdns -> mysql connection is
set up correctly.
-Otto
>
> I then tried:
> pdnsutil load-zone example.com /tmp/example.com.zone
>
> adjusting the "/tmp" to my situation. The command had no response - I can't figure out what was supposed to happen (given the documentation), so I don't know what, if anything, was broken.
>
> Why am I down this path?
>
> My goal is to be able to use this command:
> $ pdnsutil secure-zone powerdnssec.org
> as found on https://doc.powerdns.com/authoritative/dnssec/index.html.
>
> But I can't figure out how to launch a backend that can be signed.
>
> What launched my journey into MariaDB was this. With the simple BIND backend:
>
> # pdnsutil secure-zone example.com
>
> Securing zone with default key size
> Adding CSK with algorithm ecdsa256
> No backend was able to secure 'example.com.', most likely because no DNSSEC
> capable backends are loaded, or because the backends have DNSSEC disabled.
> For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or
> 'gpgsql-dnssec' flag. Also make sure the schema has been updated for DNSSEC!
>
> I bet there's something simple needed to load a schema into my MariaDB instance, etc., and point PowerDNS at it, somehow, someway. (I'm no DB expert, so my terms are off here...)
>
> If there's a prepared "how to" (that is current) - just point me to it. If not, please fill me in...;)
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
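
Added example, not part of the original post or of PowerDNS itself: a shell pre-flight check for the condition named in the `secure-zone` error quoted above, that a launched Generic SQL backend has its `-dnssec` flag set. The function names, the constructed sample configs and the choice to accept only the literal value `yes` are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check before `pdnsutil secure-zone` (added example).
# Reads a pdns.conf-style file (key=value lines, '#' comments) and reports
# whether a launched Generic SQL backend has its DNSSEC flag set to "yes".

# conf_get FILE KEY -> prints the last value assigned to KEY (empty if unset)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# dnssec_ready FILE -> returns 0 if a launched gsql backend has <name>-dnssec=yes
# Assumption: named instances such as "gmysql:one" are not handled here.
dnssec_ready() {
    conf=$1
    launch=$(conf_get "$conf" launch)
    if [ -z "$launch" ]; then
        echo "no 'launch' setting found in $conf"
        return 1
    fi
    ok=1
    # launch may be a comma-separated list, e.g. "bind,gmysql"
    for backend in $(printf '%s' "$launch" | tr ',' ' '); do
        case $backend in
            gmysql|gsqlite3|gpgsql)
                flag=$(conf_get "$conf" "$backend-dnssec")
                if [ "$flag" = "yes" ]; then
                    echo "$backend: $backend-dnssec=yes"
                    ok=0
                else
                    echo "$backend: $backend-dnssec is not 'yes' (found '$flag')"
                fi ;;
            *)
                echo "$backend: not a Generic SQL backend named in the error text" ;;
        esac
    done
    return $ok
}

# Constructed sample configs (placeholder values, not taken from the thread)
tmp=$(mktemp -d)
printf 'launch=bind\nbind-config=/etc/named.conf\n' > "$tmp/bind.conf"
printf 'launch=gmysql\ngmysql-dbname=pdns\ngmysql-dnssec=yes\n' > "$tmp/sql.conf"
dnssec_ready "$tmp/bind.conf" || echo "=> no DNSSEC-enabled Generic SQL backend"
dnssec_ready "$tmp/sql.conf" && echo "=> a launched backend has DNSSEC enabled"
```

The check covers only the configuration flag; the error text also requires that the database schema has been updated for DNSSEC, which this script does not inspect.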