Hidden Master

Configuring the hidden (signing) master

This is a continuation of my initial article on setting up authoritative nameservers and assumes you have already set up the database backend.

Edit the /etc/powerdns/pdns.d/pdns.local.conf we created earlier and extend it with the following, adjusting the values where needed:

master=yes
slave=no

default-soa-name=ns.example.com
default-soa-mail=hostmaster@example.com
default-ttl=300

By default, PowerDNS sends a NOTIFY to every IPv4 and IPv6 address of every NS record of a domain once the serial in its SOA record is increased. If you have a fixed set of slaves, however, you should specify those instead. This reduces the number of NOTIFYs that have to be sent (if you run IPv4 and IPv6 on the same slave anyway), and it also helps when your NS records point to anycast addresses (as mine do): you can direct the NOTIFYs to the management IPs of the slaves so they actually reach the right machines:

only-notify=2001:db8:coff::ee
also-notify=192.10.2.42,203.0.113.99,2001:db8:dead::ff,198.51.100.23

Also don't forget to allow your slaves to initiate AXFR/IXFR zone transfers; a slave that receives a NOTIFY but is not listed here will have its transfer refused and keep serving stale data:

allow-axfr-ips=127.0.0.0/8,::1,2001:db8:coff::ee,192.10.2.42,203.0.113.99,2001:db8:dead::ff,198.51.100.23

Restart PowerDNS

To activate the changes:

systemctl restart pdns

If the restart fails, you most likely didn't adjust the settings above correctly; check the journal for the offending line.

Further configuration

I will discuss setting up a zone and DNSSEC later, but for now, you can move on to setting up the slaves.