Hidden Master

Configuring the hidden (signing) master

This is a continuation of my initial article on setting up authoritative nameservers and assumes you have already set up the database backend.

Edit the /etc/powerdns/pdns.d/pdns.local.conf we created initially, and expand it (adjusting where needed) with:



By default, PowerDNS will send a NOTIFY to all IPv4 and IPv6 addresses of all NS records of a domain once the serial in the SOA record is increased. However, if you have a fixed set of slaves, you should just specify those instead. This can help reduce the number of NOTIFYs that have to be sent out (if you're doing IPv4+IPv6 on the same slave anyway), and also helps if your NS records point to anycasted addresses (as mine do). That way you can direct the NOTIFYs to the management IPs of the slaves so they actually end up in the right places:


Also don't forget to allow your nodes to initiate AXFR/IXFRs:
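
As an added illustration (not the author's original listing), the fragment below shows how the NOTIFY and AXFR restrictions described above fit together in pdns.local.conf. The 192.0.2.x and 2001:db8:: addresses are documentation placeholders standing in for the management IPs of two slaves.

```ini
# Added example, not the article's own configuration.
# All addresses are placeholders; substitute the management IPs of your slaves.

# Operate as master so NOTIFYs are sent on SOA serial changes
# (newer PowerDNS releases spell this setting primary=yes).
master=yes

# An empty only-notify disables NOTIFYs to addresses derived from NS records,
# so nothing is sent to the public (anycasted) nameserver addresses.
only-notify=

# also-notify targets always receive NOTIFYs, regardless of only-notify.
also-notify=192.0.2.11,192.0.2.12

# Permit zone transfers from the slaves only. Avoid a broad value such as
#   allow-axfr-ips=0.0.0.0/0,::/0
# which would let any host pull complete zone contents.
allow-axfr-ips=192.0.2.11/32,192.0.2.12/32,2001:db8::11/128,2001:db8::12/128
```

After the restart, a `dig AXFR` for one of your zones from a host that is not listed in allow-axfr-ips should be refused, while the same query from a slave's management IP should return the zone.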


Restart PowerDNS

To activate the changes:

systemctl restart pdns

If it fails, you probably didn't adjust the settings in the configuration above correctly.

Further configuration

I will discuss setting up a zone and DNSSEC later, but for now, you can move on to setting up the slaves.