[Pdns-users] DNSSEC with MySQL backend and replication

frank+pdns at tembo.be
Thu May 16 10:11:33 UTC 2019

Hi Alun,

> We currently edit records by way of PowerAdmin, which updates the master database directly and so “PowerDNS Auth A” instance is not actually used or interacted with, normally. Zone/record updates are replicated to the “edge” Auth servers (B and C) via MySQL replication. We would like to enable DNSSec on a few of our domains, at least as a proof of concept. A few questions…
> I assume I need to enable gmysql-dnssec on ALL PowerDNS Auth instances (A,B and C)?
> Will PowerDNS commands to enable DNSSec signing of a zone need to be executed on “PowerDNS Auth A” ONLY (which will add the relevant records to the database and replicate them to B and C)?
> Given that PowerAdmin talks directly to the database, are any record changes here likely to cause a problem with these signed domains?
> Should I look at a newer GUI that implements the DNSSec commands and interacts with PowerDNS API instead?

This is a setup we’ve built a few times for customers of ours, with these exact same components (we usually do add dnsdist for easier DDoS and abuse mitigation).

Unless you have a large number of queries against your nameservers, I would recommend to do “online signing” in PowerDNS, as described in https://docs.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing. In that mode, only the keys are stored in the database, and thus you’d need to enable this feature on each of your PowerDNS auth servers.

Once you configure all instances to handle DNSSEC, there’s nothing extra to configure: the key info is stored in the database, the flags that enable dnssec are stored in the database, so as long as your replication works, you’re good!

While you could continue to work directly in the database, we do recommend people to use the API. When enabling DNSSEC, it’s very important to “rectify” the database structure after all changes. Using the API, this becomes much easier than fiddling with the DB directly. PowerAdmin can be configured to talk directly to the API.

As a precaution, I would enable the API only on the main PowerDNS server, and would grant the PowerDNS “slaves” read-only access to their own databases, to prevent accidental changes in these nodes.

Hope this helps!

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo

> Thanks in advance…
> Regards,
> Alun.
> Alun James
> Senior Systems Engineer
> T: +44 (0) 28 9033 1122
> E: ajames at tibus.com
> W: www.tibus.com
> Tibus is a wholly-owned division of Wireless.
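As an added illustration of the read-only grants and the post-replication checks described in the reply above (example SQL, not from the thread or from PowerDNS itself), assuming the stock gmysql schema, a database named `pdns`, a zone `example.com`, and placeholder user names `pdns_api` (writer on A) and `pdns_ro` (reader on B and C):

```sql
-- Added example, not from the original thread. Assumes the gmysql schema
-- (domains, records, cryptokeys, domainmetadata), database `pdns`, zone
-- `example.com`; user and host names are placeholders.

-- On the main server (A): the daemon/API user may write, so that
-- `pdnsutil secure-zone` and the API can store keys and rectify.
GRANT SELECT, INSERT, UPDATE, DELETE ON pdns.* TO 'pdns_api'@'localhost';

-- On each replica (B, C): the daemon only answers queries, so SELECT is
-- enough; a stray write on a replica would also desynchronise replication.
GRANT SELECT ON pdns.* TO 'pdns_ro'@'localhost';

-- On a replica, confirm that the DNSSEC state replicated from A.
-- 1) Signing keys (online signing stores only keys; flags 257 = KSK, 256 = ZSK).
SELECT d.name, c.flags, c.active
  FROM cryptokeys c JOIN domains d ON d.id = c.domain_id
 WHERE d.name = 'example.com';

-- 2) Zone metadata that controls signing and whether the API rectifies
--    automatically after each change.
SELECT kind, content
  FROM domainmetadata
 WHERE domain_id = (SELECT id FROM domains WHERE name = 'example.com')
   AND kind IN ('NSEC3PARAM', 'NSEC3NARROW', 'PRESIGNED', 'API-RECTIFY');

-- 3) Rectification check (NSEC or non-narrow NSEC3 only; NSEC3 narrow
--    mode stores no ordername). After a rectify, authoritative in-zone
--    records carry an ordername. Rows returned here point at records that
--    were written straight to the database and never rectified.
SELECT name, type, ordername, auth
  FROM records
 WHERE domain_id = (SELECT id FROM domains WHERE name = 'example.com')
   AND auth = 1
   AND disabled = 0
   AND ordername IS NULL
 ORDER BY name, type;
```

Run the two GRANT statements on the respective hosts and the three SELECTs on each replica; an empty result for the third query is what a correctly rectified, replicated zone looks like.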
