PowerDNS on OpenBSD


Run PowerDNS on OpenBSD

I’m mostly happy with NSD as Authoritative Nameserver. But why not look over the fence and have a look at PowerDNS? At least the API looks promising to me …

Install Package

doas pkg_add powerdns--

Create Folder, DB and set Permission

doas mkdir /var/db/pdns
doas sqlite3 /var/db/pdns/pdns.sql < /usr/local/share/doc/pdns/schema.sqlite3.sql
doas chown -R _powerdns:wheel /var/db/pdns/

Update Config File /etc/pdns/pdns.conf

# DB
gsqlite3-database=/var/db/pdns/pdns.sql
launch=gsqlite3
setuid=_powerdns

# Tuning & Protection
max-queue-length=5000
overload-queue-length=2500

# Webserver
webserver=yes
webserver-address=ip-of-your-nameserver
webserver-allow-from=127.0.0.1,::1,my-remote-ip-address

Enable and Start Service

doas rcctl enable pdns_server
doas rcctl restart pdns_server

Import Data from NSD

If you have an existing NSD setup, you can easily import the zones into the SQLite database.

cd /var/nsd/zones/slave
# one zone file per zone; quote the names so odd file names do not break the loop
for i in *; do pdnsutil load-zone "$i" "/var/nsd/zones/slave/$i"; done

Check PowerDNS Page

Go to http://ip-of-your-nameserver:8081/

Enable API and Restart Service

https://doc.powerdns.com/authoritative/http-api/index.html

Update Config File /etc/pdns/pdns.conf

api=yes
api-key=xXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxX

doas rcctl restart pdns_server

Check API

$ curl -s -H 'X-API-Key:xXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxX' http://ip-of-my-host:8081/api/v1/servers/localhost |jq . 
{
  "config_url": "/api/v1/servers/localhost/config{/config_setting}",
  "daemon_type": "authoritative",
  "id": "localhost",
  "type": "Server",
  "url": "/api/v1/servers/localhost",
  "version": "4.4.1",
  "zones_url": "/api/v1/servers/localhost/zones{/zone}"
}

Get Zone

$ curl -s -H 'X-API-Key:xXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxX' http://ip-of-my-host:8081/api/v1/servers/localhost/zones |jq .[0]
{
  "account": "",
  "dnssec": false,
  "edited_serial": 2021040103,
  "id": "stoege.net.",
  "kind": "Native",
  "last_check": 0,
  "masters": [],
  "name": "stoege.net.",
  "notified_serial": 0,
  "serial": 2021040103,
  "url": "/api/v1/servers/localhost/zones/stoege.net."
}

Python CLI

https://github.com/pbertera/PowerDNS-CLI

./pdns.py --apikey xXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxX --apihost ip-of-my-host --apiport 8081 --zone example.com. --zoneType MASTER --nameserver ns.example.com. --debug add_zone
2021-07-31 08:31:06,162 pdns         DEBUG    sending GET request to http://xx.xx.xx.xx.xx:8081/api/v1/servers/localhost/zones/example.com.
2021-07-31 08:31:06,180 pdns         DEBUG    returned 404 Not Found
2021-07-31 08:31:06,181 pdns         DEBUG    sending POST request to http://xx.xx.xx.xx:8081/api/v1/servers/localhost/zones
2021-07-31 08:31:06,181 pdns         DEBUG    POST data: {"name": "example.com.", "kind": "MASTER", "masters": [], "soa_edit_api": "INCEPTION-INCREMENT", "nameservers": ["ns.example.com."]}
2021-07-31 08:31:06,201 pdns         DEBUG    returned 201 {"account": "", "api_rectify": false, "dnssec": false, "edited_serial": 0, "id": "example.com.", "kind": "Master", "last_check": 0, "master_tsig_key_ids": [], "masters": [], "name": "example.com.", "notified_serial": 0, "nsec3narrow": false, "nsec3param": "", "rrsets": [{"comments": [], "name": "example.com.", "records": [{"content": "a.misconfigured.dns.server.invalid. hostmaster.example.com. 0 10800 3600 604800 3600", "disabled": false}], "ttl": 3600, "type": "SOA"}, {"comments": [], "name": "example.com.", "records": [{"content": "ns.example.com.", "disabled": false}], "ttl": 3600, "type": "NS"}], "serial": 0, "slave_tsig_key_ids": [], "soa_edit": "", "soa_edit_api": "INCEPTION-INCREMENT", "url": "/api/v1/servers/localhost/zones/example.com."}
2021-07-31 08:31:06,202 pdns         INFO     DNS Zone 'example.com.' Successfully Added...
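The create-zone exchange the CLI log above shows (GET the zone, get a 404, then POST it), as an added example written for this page rather than code from PowerDNS-CLI or the post; the `transport` hook, the `ip-of-my-host` and key values are assumptions so the flow can be exercised without a running server.

```python
import json
import urllib.error
import urllib.request


class PowerDNSClient:
    """Minimal client for the PowerDNS Authoritative HTTP API (added example).

    transport(method, url, body) must return (status, parsed_json). The default
    uses urllib against a real pdns_server; a fake transport can stand in
    for offline tests (assumption for this example, not part of the API).
    """

    def __init__(self, host, api_key, port=8081, server="localhost", transport=None):
        self.base = f"http://{host}:{port}/api/v1/servers/{server}"
        self.api_key = api_key
        self.transport = transport or self._http

    def _http(self, method, url, body=None):
        # Every request carries the key in X-API-Key, as the curl calls above do.
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"X-API-Key": self.api_key,
                                              "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as e:
            return e.code, None  # 404 for a missing zone, 401 for a bad key

    @staticmethod
    def canonical(name):
        """Zone ids in the API are FQDNs with a trailing dot ('stoege.net.')."""
        return name if name.endswith(".") else name + "."

    def get_zone(self, name):
        status, body = self.transport("GET", f"{self.base}/zones/{self.canonical(name)}", None)
        return body if status == 200 else None

    def ensure_zone(self, name, nameservers, kind="Native"):
        """Return (zone, created): create the zone only if the GET said 404."""
        existing = self.get_zone(name)
        if existing is not None:
            return existing, False
        payload = {"name": self.canonical(name), "kind": kind, "masters": [],
                   "nameservers": [self.canonical(ns) for ns in nameservers],
                   "soa_edit_api": "INCEPTION-INCREMENT"}
        status, body = self.transport("POST", f"{self.base}/zones", payload)
        if status != 201:
            raise RuntimeError(f"zone creation failed with HTTP {status}")
        return body, True
```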

Migration Scenario from NSD to PowerDNS

Assume you have three NSD instances running: ns1 as master, ns2 and ns3 as slaves.

NS1 (Master)

Disable the authentication key (if one is enabled):

pattern:
  name:                 "toslave"
  notify:               ip-of-ns2 NOKEY
  provide-xfr:          ip-of-ns2 NOKEY
  notify:               ip-of-ns3 NOKEY
  provide-xfr:          ip-of-ns3 NOKEY

NS2 and NS3

Update /etc/pdns/pdns.conf: enable slave mode and allow zone transfers (AXFR) and NOTIFY from ns1.

allow-axfr-ips=127.0.0.0/8,::1,ip-of-ns1-server/32
allow-notify-from=ip-of-ns1-server/32
axfr-lower-serial=yes
slave=yes

Create Slave Zones

cd /var/nsd/zones/slave
# one zone file per zone; quote the names so odd file names do not break the loop
for i in *; do pdnsutil create-slave-zone "$i" ip-of-your-master-ns-server; done

Restart Service

rcctl restart pdns_server

Change Slave to Master

Finally, you can switch an NS to master if needed.

https://doc.powerdns.com/authoritative/migration.html

UPDATE domains set type='MASTER' where type='SLAVE';

rcctl restart pdns_server

sha256: f89e3c03e17b4a3b81506e49bd8fcb82f7372a2e8e5dad69581111b370dbd334