Setting up TSIG with PowerDNS while using the BIND backend
by Christian Franke <nobody-at-nowhere-dot-ws>
I have been using PowerDNS for one of my authoritative nameservers for quite some time now. For my requirements, it works very well and with a workflow I am quite happy with. (Be aware that I neither have big zones nor many zones, so your mileage and best setup may vary.)
That PowerDNS installation serves some zones as master and others as slave.
At one point, I had to set up a slave zone which does synchronization using TSIG authentication towards the master. As I noticed that there were some major changes (improvements) in PowerDNS 3.1 for using the bind backend with DNSSEC, I decided to do an upgrade of PowerDNS first. Therefore, the following only applies to PowerDNS starting from version 3.1.
Setting up Bind backend for DNSSEC
This is a bit tricky as it is quite a new feature and not that obviously documented. The first step is to configure a bind-dnssec-db, which is an sqlite3 database. To do so, add a line like the following to your pdns.conf:
bind-dnssec-db=/etc/powerdns/data/bind-dnssec-db.sqlite3
After that, you have to create and initialize that db, which can be done using the following command:
# pdnssec create-bind-db /etc/powerdns/data/bind-dnssec-db.sqlite3
Now you can reload the server and it will use that database to look up DNSSEC related information.
Configuring a slave zone with TSIG AXFR
Assuming you want to serve example.com as a slave, doing a zone transfer with TSIG, you have to set this up in the database:
$ sqlite3 /etc/powerdns/data/bind-dnssec-db.sqlite3
sqlite> -- This creates the key
sqlite> INSERT INTO tsigkeys (name, algorithm, secret)
   ...>   VALUES ('axfr-example.com', 'hmac-md5', '345097234876mvh34508ybjbn435....');
sqlite> -- Tell PowerDNS to use that key for communication with the master
sqlite> INSERT INTO domainmetadata (domain, kind, content)
   ...>   VALUES ('example.com', 'AXFR-MASTER-TSIG', 'axfr-example.com');
The last step was actually the most tricky one. I was following these documents [1], [2], which describe the overall procedure quite well. Note however that the database schema differs for the bind backend: while the documentation in [2] enters a numeric domain id into the domainmetadata table, we have to use the zone name. The content column must hold exactly the key name you inserted into tsigkeys, otherwise PowerDNS will not find the key. Other than that, it is pretty straightforward: just set up example.com as you would any other slave zone now, and you are done.
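To make the two inserts above reproducible and to catch the one mistake that is easy to make here (a key name in domainmetadata that does not match any row in tsigkeys), here is a small Python script. It is an added example, not code from the PowerDNS project or from this post. It assumes a simplified stand-in for the bind-dnssec-db schema with only the two tables and columns used above (the real database created by pdnssec create-bind-db has further tables), generates a random base64 secret instead of the elided one from the post, and also accepts the master-side metadata kind TSIG-ALLOW-AXFR so the same consistency check covers both directions.

```python
import base64
import os
import sqlite3

# Assumed, simplified schema: only the two tables and columns the INSERT
# statements in the post touch. The real bind-dnssec-db has more tables.
SCHEMA = """
CREATE TABLE IF NOT EXISTS tsigkeys (
    id        INTEGER PRIMARY KEY,
    name      VARCHAR(255) COLLATE NOCASE,
    algorithm VARCHAR(50),
    secret    VARCHAR(255)
);
CREATE TABLE IF NOT EXISTS domainmetadata (
    id      INTEGER PRIMARY KEY,
    domain  VARCHAR(255) COLLATE NOCASE,
    kind    VARCHAR(16) COLLATE NOCASE,
    content TEXT
);
"""

# Metadata kinds whose content names a TSIG key (slave side and master side).
TSIG_KINDS = ("AXFR-MASTER-TSIG", "TSIG-ALLOW-AXFR")


def open_db(path=":memory:"):
    """Open the database and make sure the (assumed) tables exist."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def new_tsig_secret(nbytes=32):
    """Random secret in base64, the encoding TSIG secrets are stored in."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def add_tsig_key(conn, name, secret, algorithm="hmac-md5"):
    # The algorithm string must be the one the other side of the AXFR uses.
    conn.execute(
        "INSERT INTO tsigkeys (name, algorithm, secret) VALUES (?, ?, ?)",
        (name, algorithm, secret),
    )
    conn.commit()


def bind_key_to_zone(conn, zone, key_name, kind="AXFR-MASTER-TSIG"):
    # Bind backend: domainmetadata.domain is the zone name, not a numeric id.
    conn.execute(
        "INSERT INTO domainmetadata (domain, kind, content) VALUES (?, ?, ?)",
        (zone, kind, key_name),
    )
    conn.commit()


def configure_slave_zone(conn, zone, key_name, secret, algorithm="hmac-md5"):
    """Both inserts from the post in one step, with a single key name."""
    add_tsig_key(conn, key_name, secret, algorithm)
    bind_key_to_zone(conn, zone, key_name, "AXFR-MASTER-TSIG")


def dangling_key_references(conn):
    """Return (domain, kind, key_name) rows that reference a key that is
    not present in tsigkeys. An empty list means the setup is consistent."""
    placeholders = ",".join("?" for _ in TSIG_KINDS)
    return conn.execute(
        f"""
        SELECT m.domain, m.kind, m.content
        FROM domainmetadata AS m
        LEFT JOIN tsigkeys AS k ON k.name = m.content
        WHERE m.kind IN ({placeholders}) AND k.name IS NULL
        ORDER BY m.domain, m.kind
        """,
        TSIG_KINDS,
    ).fetchall()


if __name__ == "__main__":
    db = open_db()  # in memory for the demo; pass the real path otherwise
    configure_slave_zone(db, "example.com", "axfr-example.com", new_tsig_secret())
    print("dangling references:", dangling_key_references(db))
```

Run dangling_key_references against the real database path after editing it by hand; any row it prints is a zone whose transfers will fail because PowerDNS cannot look up the named key.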
Configuring a master zone with TSIG AXFR
If you want to serve zone transfers using TSIG, have a look here. Now that you know how to use the domainmetadata table with the bind backend, that document should be easy to follow.