Configuring the front-end slaves

This is a continuation of my initial articles on setting up authoritive nameservers and setting up the hidden (signing) master. It assumes you have set up the master already.

Enabling slave-mode, disabling master-mode

Edit the initial /etc/powerdns/pdns.d/pdns.local.conf we created on the master, and expand (and adjust where needed) it with:

slave=yes
master=no

Setting a supermaster.

Open your MySQL-prompt:

mysql --defaults-extra-file=/etc/mysql/debian.cnf powerdns

And add your master to the supermasters-table. Replace the IP-address 203.0.113.1 with the IP-address of your master (IPv4 or IPv6, depending on where the NOTIFY is coming in from!), and replace the name with the name of the slave you're currently configuring:

INSERT INTO supermasters (ip, nameserver) VALUES ('203.0.113.1', 'ns2.example.com');

Now, when your master sends a NOTIFY to this slave for a domain it does not know yet, the slave will automatically add the new zone to its database. No questions asked.

Note: If you remove a zone from the master, it is not automatically cleaned up from the slaves. You will have to figure something out yourself for that.

Restart PowerDNS

To activate the changes:

systemctl restart pdns

If it fails, you probably didn't adjust the correct settings in the configuration above.

Further configuration

You can now set up DNSSEC on the master or start creating your first zones.