Jan-Philipp Litza

My DNS setup with PowerDNS 30. December 2018

I recently overhauled my DNS setup (recursive for my home network and authoritative for my domains), so why not blog about it?

Let’s start with the requirements, which are kind of special. I host all my stuff at home behind a DSL line, and while I have a VPN with a static IP address as well, I don’t want to tunnel everything through it. Thus, I need dynamically updatable DNS records for almost everything.

Furthermore, I want my home network to be able to resolve my domains even when the internet connection is broken (or stated differently: I don’t want the requests to hit the internet).

Hence, I’m need a combined recursive and authoritative server. The recursive part, however, has some quirks of its own: I want to be able to resolve non-standard community-TLDs like .dn42 in the VPN-based overlay networks I’m part of. But at the same time, I want the “usual” DNS to be DNSSEC-validated. Together, this requires the ability to have so called “negative trust anchors”, or NTAs for short. They state that some part of the DNS must not be DNSSEC-validate, come whatever may. Otherwise, I could advise the DNS recursor to look for .dn42 at 172.23.0.53, but it would refuse to answer any requests for it because the DNSSEC-signed root zone says there no .dn42.

Previously, I was using bind for the authoritative part. But because bind is incapable of having configurable NTAs1, it used unbound as recursor. This was kind of cumbersome and involved every request passing through two daemons with two caches. I chose bind because it was (and AFAIK still is) the only software that is able to DNSSEC-sign zones if it only has the ZSK, not the KSK, which I only had on my laptop. However, as my laptop is now backed up on my home server anyway, I got rid of this level of paranoia and looked at other software again.

In other contexts I very successfully used PowerDNS, and hence I set forth to replace the legacy combination with a nice pdns and pdns_recursor. And indeed: It works like a charm!

What’s more, there’s hardly anything interesting about the config that I could mention here: It just works!™ Okay, it’s a bit more than that. Especially that much of what I considered configuration takes place in the database. But nothing I had to do was out of the ordinary, and I found everything I needed in the extremely good documentation. Compare that to bind, where every documentation is incomprehensible or incomplete.

And on the way, I got some nice tools like pdnsutil edit-zone. Hooray!

  1. In newer versions you can inject them during runtime, but they aren’t preserved across restarts.