The PowerDNS authoritative name server is renown (and loved) for its support of a variety of database back-ends from which the server answers DNS queries. (If you’re new to PowerDNS, you might want to read about it: I have a chapter about this server in my book.)
When PowerDNS receives a DNS query, it checks the back-end database(s) you’ve configured and tries to obtain one or more records to reply to the query.
Say you’re using a relational database as a PowerDNS back-end (such as MySQL or PostgreSQL), to update your DNS data you typically use a database client (or a Web interface or custom-built utility) to perform SQL updates on your back-end database.
I suggested DNS UPDATE for PowerDNS quite a while ago, and Ruben d’Arco has taken upon himself the task of implementing support for RFC 2136 dynamic DNS updates in PowerDNS and, being a fan of dynamic DNS updates, I’ve been invited to test this new functionality. First off: it works. :-)
PowerDNS will accept a dynamic DNS update (currently from a configured
IP address), and it then updates its back-end database, inserting, updating, or
deleting database records accordingly. I modified my pdns.conf
file and added
the following statement, to enable DNS UPDATE from the specified address.
Alternatively, I can add a list of addresses on a per-domain basis to the
domainmetadata
table:
I use nsupdate
to modify the zone a.aa
on the server running on 127.0.0.1
:
PowerDNS processes the updates, and commits the result into the back-end database
(MySQL in this particular instance). Here’s what I see when I look at the records
table in the database:
and a DNS query to the server is correctly answered:
TSIG
Support for authorizing updates with TSIG keys is mostly complete. Currently (2012-06-30)
the updater’s IP address must be authorized by configuring allow-2136-from
(either
as configuration switch or in domainmetadata
) and a key must be set. Whether or not
the combined setting will remain is open for discussion; I personally think authorizing
via TSIG key is sufficient.
I create a TSIG key with, say, the BIND utility, making a note of the key name (rk01
in this particular case) and the Base-64 blob. (I’ve chosen a very short key for clarity.)
I then add both the key name and blob to the tsigkeys
table,
and associate that particular TSIG key with the domain, by adding a row to the domainmetadata
table:
Then I attempt the update, specifying the TSIG key to use, either as a filename or, like I do here, on the command line:
At the moment, Dynamic DNS support for PowerDNS is experimental, but our
friends at PowerDNS intend to merge the code into mainstream as soon as it’s ready.
I’m hoping Ruben will have the inclination to add support for TSIG updates, which
avoids having to authorize updates from a particular IP address. (TSIG support in PowerDNS was added a while back.) ( Of course SIG(0) and GSS-TSIG
would also be nice to have … :-)
Great job, Ruben; thank you and keep up the good work!