[Pdns-users] bind backend and dnssec database

Philip Vanmontfort philip at smartbit.be
Tue Jul 9 14:43:29 UTC 2019

goodday powerdns-users,

my company is planning the migration of our authoritative name servers  to powerdns 4.1.x  with a bind backend (managed with puppet).  this part is working as intended.

Now i'm investigating the possibilities to enable dnssec.  I enabled this on a test server as per documentation:


# pdnsutil create-bind-db /etc/powerdns/bind-dnssec-db.sqlite3
# pdnsutil secure-zone <zone1>

and queries are signed.  So far so good.

The question is:

can I put the bind-dnssec-db.sqlite3 inside puppet after I secured the zone.  (can it be readonly from powerdns's viewpoint)
or does powerdns need read-write acces to the bind-dnssec-db.sqlite3? (maybe for key roll over?)

and if it has to be read-write, do I have to replicate the bind-dnssec-db.sqlite3 to my other auth nameservers or do I keep the bind-dnssec-db.sqlite3 local per server?
the zone configuration is 'native' for al zone's, there is no master/slave setup.

thanks in advance,


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20190709/77a1891c/attachment.html>

More information about the Pdns-users mailing list