Setting up TSIG with PowerDNS while using the BIND backend

by Christian Franke <nobody-at-nowhere-dot-ws>

I have been using PowerDNS for one of my authoritative nameservers for quite some time now. For my requirements, it works very well and with a workflow I am quite happy with. (Be aware that I neither have big zones nor many zones, so your mileage and best setup may vary)
That PowerDNS installation serves some zones as master and others as slave.

At one point, I had to setup a slave zone which does synchronization using TSIG authentication towards the master. As I noticed that there were some major changes (improvements) in PowerDNS 3.1 for using the bind backend with DNSSEC, I decided to do an upgrade of PowerDNS first. Therefore, the following only applies to PowerDNS starting from version 3.1.

Setting up Bind backend for DNSSEC

This is a bit tricky as it is quite a new feature and not that obviously documented. First step is to configure a bind-dnssec-db, which is an sqlite3 database. To do so, add a line like the following to your pdns.conf:


After that, you have to create and initialize that db, which can be done using the following command:

# pdnssec create-bind-db /etc/powerdns/data/bind-dnssec-db.sqlite3

Now you can reload the server and it will use that database to look up DNSSEC related information.

Configuring a slave zone with TSIG AXFR

Assuming you want to serve as a slave, doing a zone transfer with TSIG, you have to set this up in the database:

$ sqlite3 /etc/powerdns/data/bind-dnssec-db.sqlite3
sqlite>INSERT INTO tsigkeys (name, algorithm, secret) VALUES (
            '', 'hmac-md5', '345097234876mvh34508ybjbn435....'
       ); % This creates the key
sqlite>INSERT INTO domainmetadata (domain, kind, content) VALUES (
            '', 'AXFR-MASTER-TSIG', 'axfr-example-com'
       ); % Tell PowerDNS to use that key for communication with the master

The last step was actually the most tricky one. I was following these documents [1], [2] which describe the overall procedure quite well. Note however that the database schema differs for the bind backend: while the documentation in [2] enters an id into the domainmetadata table, we have to use the name. Other than that, it is pretty straightforward, just set up as you would any other slave zone now, and you are done.

Configuring a master zone with TSIG AXFR

If you want to serve zonetransfers using TSIG, have a look here. Now that you know how to use the domainmetadata table with the bind backend, that document should be easy to follow.