PowerDNS Authoritative Server with DNSSEC

PowerDNS is a free and open source DNS server with great features. The GUI is very handy and easy to manage. It has commands to manipulate the DNS records and zones. It supports all Linux platforms. Let’s see how to install PowerDNS authoritative server with DNSSEC. You need a fresh Linux server.

Recommended configuration

– Centos 7
– 4GB RAM
– 2 CPU Cores

# yum update

# yum groupinstall “Development tools”

# yum install epel-release

Download PowerDNS from the Official site https://repo.powerdns.com/

cd /etc/yum.repos.d/
vim powerdns-auth-41.repo

Add the following to the above files

[powerdns-auth-41] name=PowerDNS repository for PowerDNS Authoritative Server – version 4.1.X
baseurl=http://repo.powerdns.com/centos/$basearch/$releasever/auth-41
gpgkey=https://repo.powerdns.com/FD380FBB-pub.asc
gpgcheck=1
enabled=1
priority=90
includepkg=pdns*

[powerdns-auth-41-debuginfo] name=PowerDNS repository for PowerDNS Authoritative Server – version 4.1.X debug symbols
#baseurl=http://repo.powerdns.com/centos/$basearch/$releasever/auth-41/debug
gpgkey=https://repo.powerdns.com/FD380FBB-pub.asc
gpgcheck=1
enabled=0
priority=90
includepkg=pdns*

Save file

# yum -y install pdns pdns-backend-mysql

# yum -y install mariadb-server mariadb
# systemctl enable mariadb.service
# systemctl start mariadb.service

# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we’ll need the current
password for the root user. If you’ve just installed MariaDB, and
you haven’t set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none): Press ENTER
OK, successfully used password, moving on…
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password: ← Set New Password
Re-enter new password: ← Repeat Above Password
Password updated successfully!
Reloading privilege tables..
… Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y ← Choose “y” to disable that user
… Success!
Normally, root should only be allowed to connect from ‘localhost’. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] n ← Choose “y” for yes
By default, MariaDB comes with a database named ‘test’ that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y ← Choose “y” for yes
– Dropping test database…
… Success!
– Removing privileges on test database…
… Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y ← Choose “y” for yes
… Success!
Cleaning up…
All done! If you’ve completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!

Now login to the mysql using your mysql root password then create a DB for powerdns-auth

# mysql -u root -p
MariaDB [(none)]> CREATE DATABASE powerdns;
MariaDB [(none)]> GRANT ALL ON powerdns.* TO ‘powerdns’@’localhost’ IDENTIFIED BY ‘powerdns@gafr’;
MariaDB [(none)]> GRANT ALL ON powerdns.* TO ‘powerdns’@’centos7.localdomain’ IDENTIFIED BY ‘powerdns@gafr’;
MariaDB [(none)]> FLUSH PRIVILEGES;

MariaDB [(none)]>  USE powerdns;

FYI : Ceate below tables by executing the query one by one.

CREATE TABLE domains (
id INT AUTO_INCREMENT,
name VARCHAR(255) NOT NULL,
master VARCHAR(128) DEFAULT NULL,
last_check INT DEFAULT NULL,
type VARCHAR(6) NOT NULL,
notified_serial INT UNSIGNED DEFAULT NULL,
account VARCHAR(40) CHARACTER SET ‘utf8’ DEFAULT NULL,
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET ‘latin1’;

CREATE UNIQUE INDEX name_index ON domains(name);

CREATE TABLE records (
id BIGINT AUTO_INCREMENT,
domain_id INT DEFAULT NULL,
name VARCHAR(255) DEFAULT NULL,
type VARCHAR(10) DEFAULT NULL,
content VARCHAR(64000) DEFAULT NULL,
ttl INT DEFAULT NULL,
prio INT DEFAULT NULL,
change_date INT DEFAULT NULL,
disabled TINYINT(1) DEFAULT 0,
ordername VARCHAR(255) BINARY DEFAULT NULL,
auth TINYINT(1) DEFAULT 1,
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET ‘latin1’;

CREATE INDEX nametype_index ON records(name,type);
CREATE INDEX domain_id ON records(domain_id);
CREATE INDEX ordername ON records (ordername);

CREATE TABLE supermasters (
ip VARCHAR(64) NOT NULL,
nameserver VARCHAR(255) NOT NULL,
account VARCHAR(40) CHARACTER SET ‘utf8’ NOT NULL,
PRIMARY KEY (ip, nameserver)
) Engine=InnoDB CHARACTER SET ‘latin1’;

CREATE TABLE comments (
id INT AUTO_INCREMENT,
domain_id INT NOT NULL,
name VARCHAR(255) NOT NULL,
type VARCHAR(10) NOT NULL,
modified_at INT NOT NULL,
account VARCHAR(40) CHARACTER SET ‘utf8’ DEFAULT NULL,
comment TEXT CHARACTER SET ‘utf8’ NOT NULL,
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET ‘latin1’;

CREATE INDEX comments_name_type_idx ON comments (name, type);
CREATE INDEX comments_order_idx ON comments (domain_id, modified_at);

CREATE TABLE domainmetadata (
id INT AUTO_INCREMENT,
domain_id INT NOT NULL,
kind VARCHAR(32),
content TEXT,
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET ‘latin1’;

CREATE INDEX domainmetadata_idx ON domainmetadata (domain_id, kind);

CREATE TABLE cryptokeys (
id INT AUTO_INCREMENT,
domain_id INT NOT NULL,
flags INT NOT NULL,
active BOOL,
content TEXT,
PRIMARY KEY(id)
) Engine=InnoDB CHARACTER SET ‘latin1’;

CREATE INDEX domainidindex ON cryptokeys(domain_id);

CREATE TABLE tsigkeys (
id INT AUTO_INCREMENT,
name VARCHAR(255),
algorithm VARCHAR(50),
secret VARCHAR(255),
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET ‘latin1’;

CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm);

PowerDNS database is ready now.

cd /etc/pdns/
mv pdns.conf pdns.conf-original

Create new file pdns.conf

api-logfile=/var/log/pdns.log
config-dir=/etc/pdns
daemon=yes
default-soa-name=ns1.yourdomain.com
disable-axfr=yes
guardian=yes
launch=
local-address=0.0.0.0
local-port=53
logging-facility=0
master=yes
module-dir=/usr/lib64/pdns
setgid=pdns
setuid=pdns
socket-dir=/var/run
version-string=powerdns
launch=gmysql
gmysql-dnssec
gmysql-host=localhost
gmysql-user=powerdns
gmysql-password=powerdns@gafr
gmysql-dbname=powerdns

Save the file.

Now start pdns service

# service pdns start

You can manage the DNS records and zone via command line using the command pdnsutil. As CLI utility is difficult to use, let’s install PDNS Manager for GUI.

# cd /var/www/html
# wget https://pdnsmanager.lmitsystems.de/files/pdns-manager-1.2.1.tar.gz
# tar -xvf pdns-manager-1.2.1.tar.gz
# cd /var/www
# chown apache.apache html -R

Go to http://your_server_ip/install. It will ask for DB information and new powerdns user & password to manage the GUI. Enter your powerdns DB login information. Once done, you can log in to Powerdns dashboard.

Outsource your helpdesk support to save time and money. We have technicians available for little over 5 USD per hour in order to assist your customers with their technical questions. Grow your business and concentrate more on your SALES!

Xieles Support is a provider of reliable and affordable internet services, consisting of Outsourced 24×7 Technical Support, Remote Server Administration, Server Security, Linux Server Management, Windows Server Management and Helpdesk Management to Web Hosting companies, Data centers and ISPs around the world. We are experts in Linux and Windows Server Administration, Advanced Server Security, Server Security Hardening. Our primary focus is on absolute client satisfaction through sustainable pricing, proactively managed services, investment in hosting infrastructure and renowned customer support.

DNSSEC is a technology developed to protect against malicious activities like cache poisoning and MITM attacks. It is a public & private key validation check. We have private key and we need to update the DNSKEY/Public key at the registrar level. All key’s are encrypted & using algorithms like ECDSAP256SHA256, RSA/SHA256

On our Authoritative Server generates all key’s using the ECDSAP256SHA256 with algorithm 13.

FYI: Some registrars may not support the algorithm 13.

We can simply enable the records for your domains. Once you have created a zone for your domain, then point the A record to the corresponding server.

To enable dnssec

pdnsutil secure-zone yourdomain.com

To view the records

pdnsutil show-zone yourdomain.com

[root@powerdns tmp]# pdnsutil show-zone yourdomain.com
This is a Native zone
Metadata items: None
Zone has NSEC semantics
keys:
ID = 7 (CSK), flags = 257, tag = 55592, algo = 13, bits = 256 Active ( ECDSAP256SHA256 )
CSK DNSKEY = yourdomain.com. IN DNSKEY 257 3 13 6dwJMp0I/W8FuiXkuFYs/AJbMKuGDzKzOzETTQFITX2LU80QoTFP7uQbDeJ7Lqj6MvspldMptDfq1++2YBUvVA== ; ( ECDSAP256SHA256 )
DS = yourdomain.com. IN DS 55592 13 1 606b54b38d24ca52eb2d807267b6a1f5bad1b841 ; ( SHA1 digest )
DS = yourdomain.com. IN DS 55592 13 2 33fc0e406ce47e5faac6db0fe72687525d3c6dda2b742e70245ac101fbc91a22 ; ( SHA256 digest )
DS = yourdomain.com. IN DS 55592 13 4 2efb5c0c8742322290a295bef2af03eeb2fd4643d2e3333d7d65c9b1225c12a31aee7b12da6bcdcc1a4a5953a61028b1 ; ( SHA-384 digest )

Here you can see that, you have DS records, key tag algo and DNSKEY

DS = 606b54b38d24ca52eb2d807267b6a1f5bad1b841
DS = 33fc0e406ce47e5faac6db0fe72687525d3c6dda2b742e70245ac101fbc91a22
DS = 2efb5c0c8742322290a295bef2af03eeb2fd4643d2e3333d7d65c9b1225c12a31aee7b12da6bcdcc1a4a5953a61028b1

DNSKEY = 6dwJMp0I/W8FuiXkuFYs/AjbMKuGDzKzOzETTQFITX2LU80QoTFP7uQbDeJ7Lqj6MvspldMptDfq1++2YBUvVA==

Key tag = 55592

Algo = 13

Encryption = ECDSAP256SHA256

How to apply dnssec records at registrar end

We need to add the DNSKEY or Public key at domain registrar end as KSK records. Select the encryption type ECDSAP256SHA256.

Some registrar asks more information about key tag, algorithm etc.

To check DNSSEC by using online tool

https://dnssec-debugger.verisignlabs.com/

Xieles Support can help you with the Powerdns setup with DNSSEC or any other server related issues. Get a quote from us if you need any assistance.

Outsource your helpdesk support to save time and money. We have technicians available for little over 5 USD per hour in order to assist your customers with their technical questions. Grow your business and concentrate more on your SALES!

Xieles Support is a provider of reliable and affordable internet services, consisting of Outsourced 24×7 Technical Support, Remote Server Administration, Server Security, Linux Server Management, Windows Server Management and Helpdesk Management to Web Hosting companies, Data centers and ISPs around the world. We are experts in Linux and Windows Server Administration, Advanced Server Security, Server Security Hardening. Our primary focus is on absolute client satisfaction through sustainable pricing, proactively managed services, investment in hosting infrastructure and renowned customer support.