PowerDNS is used to provide authoritative DNS resolution for and, along with reverse DNS for and our IPv6 prefix (currently unused). Maths' nameserver will also respond to queries for, so AXFRs are allowed from all of

The deployment uses a PostgreSQL database for persistence and exposes PowerDNS-Admin at for record management. Once past basic auth, the credentials are root:hunter22.


We have delegated authority over The nameservers (according to auth-ns*) are:


As points to, this is the primary LoadBalancer IP that is used for PowerDNS. As points to, shoe will DNAT external DNS traffic to does not currently resolve. Maths' nameserver will perform AXFR requests to keep its copy of up to date.

For what are assumed to be legacy reasons, both IPv4 and IPv6 reverse DNS zones have different name-based NS records. Refer to the notes on A records for these in PowerDNS-Admin for more details.

This domain is registered with HostingIreland (credentials in password manager). Due to a strange issue with .ie domains, where it appears that a .ie cannot be a nameserver for another .ie domain (e.g. for to use {ns1,ns2} for its nameservers), dev has set up temporary records that point to the real Netsoc nameservers and used those instead. HEAnet should be able to resolve this (in theory).

From scratch


  1. Once everything is up and running, create a root account in PowerDNS-Admin
  2. Set the "PDNS API URL" to http://powerdns-webserver:8081
  3. Paste the API key from secrets/powerdns.yaml
  4. Enable the SOA and ALIAS record types in Settings


These steps assume there is an existing TSIG key (see the cert-manager deployment).

  1. Get a shell in the PowerDNS container
  2. Import the TSIG key. The key should already exist in Git; to import it, first decrypt the SOPS-encrypted file:

sops -d infrastructure/cert-manager/letsencrypt/secrets/pdns-cert-manager.key

Then import it in a PowerDNS shell:

pdnsutil import-tsig-key cert-manager hmac-sha512 "THEKEY"

  3. Allow updates from the Kubernetes network with the cert-manager key (do this for each zone that will have certs generated):

pdnsutil add-meta ALLOW-DNSUPDATE-FROM ""
pdnsutil add-meta TSIG-ALLOW-DNSUPDATE "cert-manager"
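A check for the zone metadata set in step 3, added here as an example and not part of the Netsoc repo: it reads a zone's metadata through the PowerDNS API (the same URL and key PowerDNS-Admin uses) and flags a missing allowlist, an unexpected TSIG key name, or a network broader than intended. The zone name, the Kubernetes network CIDR and the API key are assumptions; substitute the real values.

```python
import json
import urllib.request

# Assumed values: API URL from the PowerDNS-Admin settings above; the CIDR is a
# placeholder for the Kubernetes network (the page does not give it).
PDNS_API = "http://powerdns-webserver:8081"
EXPECTED = {
    "ALLOW-DNSUPDATE-FROM": ["10.0.0.0/8"],   # placeholder, not from the page
    "TSIG-ALLOW-DNSUPDATE": ["cert-manager"],
}
TOO_BROAD = {"0.0.0.0/0", "::/0"}  # an allowlist this wide defeats the purpose


def fetch_metadata(zone, api_key, api=PDNS_API):
    """GET /api/v1/servers/localhost/zones/<zone>/metadata from the PowerDNS API.

    Returns the list of {"kind": ..., "metadata": [...]} objects the API emits.
    """
    req = urllib.request.Request(
        f"{api}/api/v1/servers/localhost/zones/{zone}/metadata",
        headers={"X-API-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def check_zone(metadata, expected=EXPECTED):
    """Compare a zone's metadata list against EXPECTED.

    Returns {kind: problem} for every kind that is missing, differs from the
    expected value, or (for ALLOW-DNSUPDATE-FROM) contains a catch-all network.
    An empty dict means the zone is configured as step 3 intends.
    """
    present = {m["kind"]: sorted(m["metadata"]) for m in metadata}
    problems = {}
    for kind, want in expected.items():
        got = present.get(kind)
        if got is None:
            problems[kind] = "missing"
        elif kind == "ALLOW-DNSUPDATE-FROM" and TOO_BROAD & set(got):
            problems[kind] = f"catch-all network in allowlist: {got}"
        elif got != sorted(want):
            problems[kind] = f"got {got}, expected {sorted(want)}"
    return problems


if __name__ == "__main__":
    # Constructed sample; replace with fetch_metadata("example.zone", "APIKEY").
    sample = [{"kind": "TSIG-ALLOW-DNSUPDATE", "metadata": ["cert-manager"]}]
    print(check_zone(sample) or "zone metadata OK")
```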

Last update: 2021-08-23