Configuring the hidden (signing) master
This is a continuation of my initial article on setting up authoritative nameservers and assumes you have set up the database-backend already.
Edit the initial /etc/powerdns/pdns.d/pdns.local.conf we created, and expand (and adjust where needed) it with:

    master=yes
    slave=no
    default-soa-name=ns.example.com
    email@example.com
    default-ttl=300

By default, PowerDNS will send a NOTIFY to all IPv4+IPv6-addresses of all NS-records of a domain once the serial in the SOA-record is increased.
However, if you have a fixed set of slaves, you should just specify those instead. This can help reduce the amount of NOTIFYs having to be sent out (if you're doing IPv4+IPv6 on the same slave anyway), and also helps if your NS-records are pointing to anycasted addresses (like for me). That way you can direct the NOTIFYs to the management-IPs of the slaves so they actually end up in the right places:
Also don't forget to allow your nodes to initiate
To activate the changes:
systemctl restart pdns
If it fails, you probably didn't adjust the correct settings in the configuration above.
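As an added example (not code from the original article), the following script audits a drop-in file for the points discussed above before you restart: master mode, where NOTIFYs go, and which addresses may pull zone transfers. It assumes the PowerDNS settings only-notify, also-notify and allow-axfr-ips, which the article text as shown here does not spell out, and the sample file and its addresses are constructed.

```python
import ipaddress

# Constructed drop-in; addresses are documentation ranges. The last three
# settings are assumptions, they are not shown in the article text.
SAMPLE = """\
master=yes
slave=no
default-ttl=300
only-notify=
also-notify=192.0.2.10,2001:db8::10
allow-axfr-ips=192.0.2.10,2001:db8::10
"""

def parse(text):
    """Read key=value lines, ignoring comments; later lines win."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def networks(value):
    """Comma-separated addresses/netmasks -> list of ip_network objects."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]

def audit(text):
    conf, findings = parse(text), []
    if conf.get("master") != "yes" or conf.get("slave", "no") != "no":
        findings.append("expected master=yes and slave=no")
    # PowerDNS default for only-notify matches every address in the NS records.
    if any(n.prefixlen == 0 for n in networks(conf.get("only-notify", "0.0.0.0/0,::/0"))):
        findings.append("only-notify is unrestricted: NOTIFYs follow the NS records")
    targets = networks(conf.get("also-notify", ""))
    if not targets:
        findings.append("also-notify is empty: no fixed slave addresses configured")
    # Each notified slave must be able to AXFR; nobody else should be.
    axfr = networks(conf.get("allow-axfr-ips", "127.0.0.0/8,::1"))
    for t in targets:
        if not any(t.version == a.version and t.subnet_of(a) for a in axfr):
            findings.append(f"{t.network_address} is notified but not in allow-axfr-ips")
    findings += [f"allow-axfr-ips contains {a}: open zone transfers"
                 for a in axfr if a.prefixlen == 0]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

To check a real file, pass its contents to `audit()`, for example `audit(open("/etc/powerdns/pdns.d/pdns.local.conf").read())`.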
I will discuss setting up a zone and DNSSEC later, but for now, you can move on to setting up the slaves.