Powerdns-Authoritative.Pdf

PowerDNS Authoritative Server Documentation
PowerDNS.COM BV
Sep 24, 2021

CONTENTS

1 PowerDNS Authoritative Nameserver
  1.1 Getting Started
  1.2 Getting Support
    1.2.1 My information is confidential, must I send it to the mailing list, discuss it on IRC, or post it in a GitHub ticket?
    1.2.2 I have a question!
    1.2.3 What details should I supply?
    1.2.4 I found a bug!
    1.2.5 I found a security issue!
    1.2.6 I have a good idea for a feature!

2 Installing PowerDNS
  2.1 Binary Packages
    2.1.1 Debian-based Systems
    2.1.2 Redhat-based Systems
    2.1.3 FreeBSD
    2.1.4 Mac OS X
  2.2 After installation

3 Upgrade Notes
  3.1 4.4.x to 4.5.0 or master
    3.1.1 Record type changes
    3.1.2 Changed options
  3.2 4.3.x to 4.4.0
    3.2.1 Latency calculation changes
    3.2.2 MySQL character set detection
    3.2.3 Record type changes
    3.2.4 PostgreSQL configuration escaping
    3.2.5 New LMDB schema
    3.2.6 Removed features
  3.3 4.3.1 to 4.3.2
    3.3.1 Latency calculation changes
  3.4 4.3.0 to 4.3.1
  3.5 4.2.x to 4.3.0
    3.5.1 NSEC(3) TTL changed
    3.5.2 Lua Netmask class methods changed
    3.5.3 socket-dir changed
    3.5.4 Systemd service and permissions
    3.5.5 New settings
    3.5.6 Deprecated settings
    3.5.7 Changed defaults
    3.5.8 Schema changes
    3.5.9 Implicit 5->7 algorithm upgrades
    3.5.10 IXFR-in corruption
  3.6 4.2.X to 4.2.3
  3.7 4.X.X to 4.2.2
    3.7.1 IXFR-in corruption
  3.8 4.1.X to 4.2.0
  3.9 4.1.X to 4.1.14
  3.10 4.1.0 to 4.1.1
  3.11 4.0.X to 4.1.0
    3.11.1 Changed options
    3.11.2 Other changes
  3.12 4.0.X to 4.0.2
    3.12.1 Changed options
  3.13 3.4.X to 4.0.0
    3.13.1 Database changes
    3.13.2 Changed options
    3.13.3 API
    3.13.4 Resource Record Changes

4 DNS Modes of Operation
  4.1 Native replication
  4.2 Primary operation
  4.3 Secondary operation
  4.4 Master/Slave Setup Requirements
  4.5 IXFR: incremental zone transfers
  4.6 Autoprimary: automatic provisioning of secondaries
  4.7 Modifying a slave zone using a script

5 Migrating to PowerDNS
  5.1 Using AXFR to a Slave-Capable Backend
    5.1.1 To A Generic SQL Backend
    5.1.2 To the BIND backend
  5.2 From zonefiles to PowerDNS
    5.2.1 Using the BIND backend
    5.2.2 To a Generic SQL backend
  5.3 Migrating Data from one Backend to Another Backend
    5.3.1 Prerequisites
    5.3.2 Moving from source to target

6 Running and Operating
  6.1 Guardian
  6.2 Logging to syslog on systemd-based operating systems
  6.3 Logging to syslog
  6.4 Controlling A Running PowerDNS Server
    6.4.1 Control Socket
    6.4.2 pdns_control
    6.4.3 Backend manipulation
    6.4.4 pdnsutil
  6.5 The SysV init script
  6.6 Running in the foreground

7 Security of PowerDNS
  7.1 PowerDNS Security Policy
    7.1.1 HackerOne
    7.1.2 Disclosure Policy
  7.2 Securing the Process
    7.2.1 Running as a less privileged identity
    7.2.2 Jailing the process in a chroot
  7.3 Security Considerations
  7.4 Security Polling
    7.4.1 Details

8 Performance and Tuning
  8.1 Performance related settings
  8.2 Packet Cache
  8.3 Query Cache
  8.4 Caches & Memory Allocations & glibc
  8.5 Performance Monitoring
    8.5.1 Counters
    8.5.2 open-tcp-connections
    8.5.3 Ring buffers
    8.5.4 Sending metrics to Graphite/Metronome over Carbon

9 DNSSEC
  9.1 A brief introduction to DNSSEC
  9.2 DNSSEC Profile and Support
    9.2.1 Supported Algorithms
  9.3 DNSSEC Modes of Operation
    9.3.1 Online Signing
    9.3.2 Pre-signed records
    9.3.3 Front-signing
    9.3.4 Signed AXFR
    9.3.5 BIND-mode operation
    9.3.6 Hybrid BIND-mode operation
  9.4 pdnsutil and DNSSEC
    9.4.1 DNSSEC Defaults
  9.5 Migrating (Signed) Zones to PowerDNS
    9.5.1 From an existing PowerDNS installation
    9.5.2 From existing non-DNSSEC, non-PowerDNS setups
    9.5.3 From existing DNSSEC non-PowerDNS setups, pre-signed
    9.5.4 From existing DNSSEC non-PowerDNS setups, live signing
    9.5.5 Secure transfers
  9.6 Operational instructions
    9.6.1 Publishing a DS
    9.6.2 Going insecure
    9.6.3 Setting the NSEC modes and parameters
    9.6.4 SOA-EDIT: ensure signature freshness on slaves
    9.6.5 Security
    9.6.6 Performance
    9.6.7 Some notes on TTL usage
  9.7 DNSSEC advice & precautions
    9.7.1 Packet sizes, fragments, TCP/IP service
  9.8 PKCS#11 support
    9.8.1 Using PKCS#11 with SoftHSM
    9.8.2 SoftHSM2 with forwarding
    9.8.3 Using CryptAS
  9.9 Thanks to, acknowledgements

10 Per zone settings: Domain Metadata
  10.1 ALLOW-AXFR-FROM
  10.2 API-RECTIFY
  10.3 AXFR-SOURCE
  10.4 ALLOW-DNSUPDATE-FROM, TSIG-ALLOW-DNSUPDATE, FORWARD-DNSUPDATE, SOA-EDIT-DNSUPDATE, NOTIFY-DNSUPDATE
  10.5 ALSO-NOTIFY

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    467 Page