[Pdns-users] Trying to find a simple "how to" - pdnsutil secure-zone version

Otto Moerbeek otto at drijf.net
Tue Apr 9 13:17:10 UTC 2019

On Tue, Apr 09, 2019 at 12:59:22PM +0000, Edward Lewis wrote:

> My background - involved with DNS and DNSSEC over 20 years.  Have a lot of experience with ISC's BIND tools and some experience with NLnet Lab's tools.  Now I've been asked to conduct a training session with an organization that uses PowerDNS.  As much as I know of PowerDNS (people, concept), I've never tried to download and run the code before.
> My problem - I haven't been able to find a clear "how to" for setting up PowerDNS managed/automatic DNSSEC.  I have found a lot of resources - some old (2012) and others somewhat incomplete, but nothing giving me a simple step by step "recipe" for DNSSEC signing.
> What I have done - gotten a simple BIND backend up and running.  Simple, static example.com stuff.
> Cutting to the chase, I stumbled across this:
> https://computingforgeeks.com/how-to-install-mariadb-10-3-on-ubuntu-16-04-lts-xenial/
> And I have MariaDB running on my test machine.  (Ubuntu 16.4 and MariaDB 10.3.)
> Then I read this:
> https://doc.powerdns.com/authoritative/migration.html

Before loading zones, you need to make sure pdns.conf is set up to use
the database, as desrcibed in


Did you do that step? Including the validation by starting pdns in
the foreground?

> I tried this command:
> zone2sql --named-conf=/path/to/named.conf --gmysql | mysql -u pdns -p pdns-db
> adjusting the "/path/to" first.  The pre--pipe command spit out what I'd expect.  The latter command complained about the -u (fixed that) and then the -p, but I don't know how to fix that.

Please show the commands issued and the error messages exactly. That
helps us find the actual problem.

Before we continue, please make sure the pdns -> mysql connection is
set up correctly.


> I then tried:
> pdnsutil load-zone example.com /tmp/example.com.zone
> adjusting the "/tmp" to my situation.  The command had no response - I can't figure out what was supposed to happen (given the documentation), so I don't know what, if anything, was broken.
> Why am I down this path?
> My goal is to be able to use this command:
> $ pdnsutil secure-zone powerdnssec.org
> as found on https://doc.powerdns.com/authoritative/dnssec/index.html.
> But I can't figure out how to launch a backend that can be signed.
> What launched my journey into MariaDB was this.  With the simple BIND backend:
> # pdnsutil secure-zone example.com
> Securing zone with default key size
> Adding CSK with algorithm ecdsa256
> No backend was able to secure 'example.com.', most likely because no DNSSEC
> capable backends are loaded, or because the backends have DNSSEC disabled.
> For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or
> 'gpgsql-dnssec' flag. Also make sure the schema has been updated for DNSSEC!
> I bet there's something simple needed to load a schema into my MariaDB instance, etc., and point PowerDNS at it, somehow, someway.  (I'm no DB expert, so my terms are off here...)
> If there's a prepared "how to" (that is current) - just point me to it.  If not, please fill me in...;)
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

More information about the Pdns-users mailing list