© Men & Mice http://menandmice.com
PowerDNS
Part 1
Overview, BIND and SQL Backends, DNSSEC signing,
Men & Mice generic Server Controller for PowerDNS
Monday 31 August 15
PowerDNS
• Overview of the PowerDNS DNS server and information
on how to:
• manage a DNS zone via the SQL backend
• manage a DNS zone via the BIND backend
• use the remote zone backend
• DNSSEC signing with PowerDNS
• the Men & Mice Suite DNS server controller for PowerDNS
What is PowerDNS
• authoritative DNS server
• serves authoritative DNS data
• fast and feature-rich
• modern architecture
• open source
• available on many Unix(ish) platforms
• PowerDNS Recursor (will be covered in a future webinar)
What is PowerDNS
• produced by PowerDNS B.V.
• Bert Hubert and team
• since March 2015 part of Open-Xchange
• open source license (GPLv2)
PowerDNS backends
• PowerDNS backends store DNS zone data
• Traditional backends: BIND, tinydns, MyDNS
• Database: MySQL, PostgreSQL, Oracle, SQLite, LMDB,
OpenDBX
• GeoIP
• LDAP
• Lua, Remote (JSON/RPC), Pipe
PowerDNS backends
• backends can be mixed
• the order of the backends is configured in the configuration file
• PowerDNS queries each backend in that order until an answer
is found or the list of backends is exhausted
• Caching:
• answers found in a backend are cached in memory
Demo: BIND backend
• this demo shows how to configure PowerDNS
• to load DNS zone data from RFC 1035 master zone files
• to find the zone files from a BIND 9 style “named.conf”
• the BIND backend only reads the zone-file (“zone”) statements from
“named.conf”, not any other configuration (no “options”)
Demo: MySQL backend
• this demo shows how to configure PowerDNS
• to load DNS zone data from a MySQL database
• to import a zone in RFC 1035 master-file format into the
PowerDNS MySQL backend
Demo: Remote backend
• this demo shows how to configure PowerDNS
• to query DNS data from a remote backend server via JSON/RPC
• the Remote backend supports
• Unix pipe
• Unix sockets
• HTTP connection
• ZeroMQ
DNSSEC
• PowerDNS has a full DNSSEC implementation
• DNSSEC zone signer
• key management
• export/import of DNSSEC keys
• simple but powerful command line interface
DNSSEC NSEC3 “narrow” mode
• DNSSEC uses NSEC3 records to provide “authenticated denial of
existence”
• proof that DNS information does not exist
(NODATA and NXDOMAIN)
• NSEC records allow zone walking (enumerating every name in the zone);
NSEC3 was created to solve this issue
• traditional NSEC3 signing uses hashes of the names and makes zone walking
hard, but not impossible
• PowerDNS NSEC3 “narrow” mode prevents zone walking
NSEC
example.com. 3600 IN SOA ...
example.com. 3600 IN NS ...
a.example.com. 3600 IN A 192.0.2.1
d.example.com. 3600 IN A 192.0.2.2
g.example.com. 3600 IN A 192.0.2.3

example.com. 3600 IN SOA ...
example.com. 3600 IN NS ...
example.com. 3600 IN NSEC a.example.com. SOA NS NSEC
a.example.com. 3600 IN A 192.0.2.1
a.example.com. 3600 IN NSEC d.example.com. A NSEC
d.example.com. 3600 IN A 192.0.2.2
d.example.com. 3600 IN NSEC g.example.com. A NSEC
g.example.com. 3600 IN A 192.0.2.3
g.example.com. 3600 IN NSEC example.com. A NSEC
NSEC3
example.com. 3600 IN SOA ...
example.com. 3600 IN NS ...
a.example.com. 3600 IN A 192.0.2.1
d.example.com. 3600 IN A 192.0.2.2
g.example.com. 3600 IN A 192.0.2.3

example.com. 3600 IN SOA ...
example.com. 3600 IN NS ...
hash(example.com.) 3600 IN NSEC3 hash(a.example.com.) ...
a.example.com. 3600 IN A 192.0.2.1
hash(a.example.com.) 3600 IN NSEC3 hash(d.example.com.) ...
d.example.com. 3600 IN A 192.0.2.2
hash(d.example.com.) 3600 IN NSEC3 hash(g.example.com.) ...
g.example.com. 3600 IN A 192.0.2.3
hash(g.example.com.) 3600 IN NSEC3 hash(example.com.) ...
% dig b.example.com a +dnssec +m
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2887
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
[..]
;; AUTHORITY SECTION:
example.com. 282 IN SOA ns.example.com. hostmaster.example.com. (
2014051176 ; serial [...]
)
example.com. 282 IN RRSIG SOA 8 2 300 (
20150928042215 20150829032215 23244 example.com.
0VGDuKP1/b6XpaKkckHwp+LWXm7BgzUJ3CV7JFpS9WZp
gsedpIzliQn5IIpxOyaK4z4E6v5r23TizA== )
9MEDN0AJ921I1HB0J9LTG5IFTGV32HQ0.example.com. 282 IN NSEC3 1 0 150 D407600606CC5026 (
9MEDN0AJ921I1HB0J9LTG5IFTGV32HQ2
A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
)
9MEDN0AJ921I1HB0J9LTG5IFTGV15HQ0.example.com. 282 IN RRSIG NSEC3 8 3 300 (
20150926212215 20150827211012 23244 example.com.
woQjIEfIsWSB+5G5SH0GOVipkHEksuP94hg2URf88sXb
L7ov6pp4RIroLSrTO5xeQjGWbVdFZQKh/A== )
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 31 11:37:31 CEST 2015
;; MSG SIZE rcvd: 809
(slide callouts on the output above: SOA; RRSIG (signature) for the SOA; the NSEC3 owner and next hash labelled hash(a.example.com) and hash(c.example.com); NSEC3 + narrow mode)
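The following is an added example (not from the slides or from PowerDNS itself) that implements the RFC 5155 NSEC3 hash with the parameters visible in the dig output above (SHA-1, 150 iterations, salt D407600606CC5026) and contrasts the two ways of choosing the covering record: a classic pre-signed chain, whose boundaries are hashes of real names, and PowerDNS narrow mode, which synthesises hash(qname)-1 and hash(qname)+1 on the fly (compare the owner ending in HQ0 and the next hash ending in HQ2 above). The zone names are constructed sample data.

```python
import base64
import hashlib
from typing import List, Tuple

# NSEC3 parameters as shown in the dig output above: algorithm 1 (SHA-1),
# 150 iterations, salt D407600606CC5026 (reused here for illustration)
NSEC3_ITERATIONS = 150
NSEC3_SALT = bytes.fromhex("D407600606CC5026")
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes = NSEC3_SALT, iterations: int = NSEC3_ITERATIONS) -> bytes:
    """RFC 5155 section 5: SHA-1(x || salt), then re-applied 'iterations' more times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def b32hex(raw: bytes) -> str:
    """Base32hex without padding (RFC 4648 extended hex), the NSEC3 owner-name encoding."""
    return base64.b32encode(raw).translate(_TO_B32HEX).rstrip(b"=").decode().lower()


def traditional_cover(qname: str, zone_names: List[str]) -> Tuple[str, str]:
    """Classic NSEC3: the chain is built from hashes of names that really exist.
    The record covering a nonexistent qname exposes two real hashes; collecting
    them across many queries is what zone walking against NSEC3 amounts to."""
    chain = sorted(nsec3_hash(n) for n in zone_names)  # bytes sort like big-endian ints
    h = nsec3_hash(qname)
    below = [x for x in chain if x < h]
    owner = below[-1] if below else chain[-1]  # nothing below: the last record wraps around
    nxt = chain[(chain.index(owner) + 1) % len(chain)]
    return b32hex(owner), b32hex(nxt)


def narrow_cover(qname: str) -> Tuple[str, str]:
    """PowerDNS NSEC3 narrow mode: synthesise hash(qname)-1 .. hash(qname)+1 on the fly.
    Neither boundary is a real name's hash, so the answer reveals nothing about the zone."""
    h = int.from_bytes(nsec3_hash(qname), "big")
    owner = ((h - 1) % 2**160).to_bytes(20, "big")
    nxt = ((h + 1) % 2**160).to_bytes(20, "big")
    return b32hex(owner), b32hex(nxt)
```

Narrow mode needs the private keys online on every authoritative server because each such record must be signed at query time, which is the “live-signing” requirement mentioned on the next slide.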
NSEC/NSEC3 mode usage
• when to use NSEC, NSEC3 or NSEC3 narrow mode:
• NSEC: simple zones, zones with predictable content, zones with
non-sensitive data
• NSEC3: zones where changes to the content need to be protected
for some weeks
• NSEC3+narrow: zones with sensitive content (e.g. OPENPGPKEY/
SMIMEA mail addresses etc.)
• NSEC3+narrow requires “live-signing”: the DNSSEC keys must be present
on every authoritative server
Demo:
DNSSEC signing and NSEC3 narrow mode
• will sign the BIND-style backend zone
• create DNSSEC keys
• sign the zone
• set NSEC3 narrow mode
Men & Mice Suite PowerDNS support
• the Men & Mice Suite DNS module has support for
PowerDNS
• via the generic (Python) DNS controller
• support for the MySQL backend
• the generic DNS controller can be adapted to serve other backends
(Python skills required)
• feedback welcome
Demo: Men & Mice Suite PowerDNS
integration
• will show
• installation of the Men & Mice generic DNS controller for
PowerDNS
• management of DNS data on a PowerDNS instance from
the Men & Mice Suite
Upcoming trainings (English)
• September 28 – 29, 2015 - Introduction to DNS &
BIND Hands on - Arlington (VA), USA (confirmed)
• September 28 – October 2, 2015 - Introduction &
Advanced DNS and BIND Hands on, Arlington (VA),
USA (confirmed)
Upcoming trainings (German)
• 19. – 21. October 2015 - DHCP Workshop - Essen,
Germany
• 26. – 28. October 2015 - DNS und BIND – Die Grundlagen
des Domain Name Systems - Essen, Germany (confirmed)
• 26. – 30. October 2015 - “DNS und Bind” und “DNS
Security & DNSSEC” - Essen, Germany (confirmed)
• 29. – 30. October 2015 - DNS Security & DNSSEC - Essen,
Germany (confirmed)
Upcoming webinars
• PowerDNS part 2 - Master/Slave and Supermaster, Lua scripting
engine, HTTP API, tools - 17th Sep 2015
• keeping DNS servers up and running with “runit”
• DNSTAP - a deep look into DNS server operations (featuring
Unbound and Knot DNS)
• the DNS server in Windows Server 2016 - a big leap forward (views,
response rate limiting, ACLs and more)
• an update on DNSSEC and DANE: new implementations, adoption in
the market, new Internet standards
Q/A
?

PowerDNS Webinar