Introduction

The following guide outlines the steps required to convert an existing DNS cluster to use PowerDNS. The order of the steps is important especially if you start to use DNSSEC on any of the domains.

This procedure in this guide assumes that your DNS Cluster is configured in the same manner that is outlined in our DNS Clustering guide here: cPanel DNS Clustering Guide

Warnings

• Performing the following procedure on a DNS cluster that is set up differently from what is outlined in the above DNS Clustering guide may produce unexpected results. It is recommended that you configure your DNS cluster to match our recommendation in the guide linked above.
• You should proceed with caution and be sure that you have backups of all of your cPanel accounts before attempting the following procedure.
• Making use of the "Write Only" relationship within your cluster could result in data loss in some situations and is not recommended.

Procedure

In order to enable DNSSEC, all servers in the cluster must be using PowerDNS, including your WHM web server(s). It is not possible to use DNSSEC if you have disabled the nameserver on your WHM web server(s).

1. Convert just one of your DNSOnly servers to PowerDNS with the following guide: How to switch from BIND to PowerDNS on a cPanel Server

Both BIND and PowerDNS servers can co-exist within the same cluster without issue as long as you do not attempt to enable DNSSEC until you have converted all cluster members to PowerDNS.

2. Use the PDNS tools to verify that all zones have been loaded without error. You can learn how to do this with the following guide: How to use PowerDNS tools to find zone errors

If there are any errors, you should address those issues before moving forward.

3. Test the DNSOnly member that you have converted to verify that it will resolve all of the zones that it is configured to serve. One way of doing this would be to run the following script on the DNSOnly server to generate a list of the domains that it is configured to serve:

awk -F'"' '/zone/ {print $2}' /etc/named.conf | sed '/^\./d;/^\t*$/d;/\.*\/.*/d;/^view$/d;/^authoritative$/d;/^external$/d;/^internal$/d' | sort -u > domainList.txt

4. Copy the domainList.txt file that is generated to a different Linux server, or to your local Linux PC and run the following script to make a dig request for each domain in the list (ensure that the dig utility is installed on whichever Linux computer you attempt to use this script on).

Set a variable that holds your DNSOnly server's IP address:

DNSONLYIP=xxx.xxx.xxx.xxx

Copy and paste the following script to run it on the command line. Be sure to update the name of the domainlist.txt file in this script if it is slightly different on your computer:

echo;cat domainList.txt | while read DOMAIN;do printf "$DOMAIN -> A -> ";dig +short @$DNSONLYIP $DOMAIN;done | column -t | sed -e "1i TESTING A RECORDS AGAINST DNSONLY SERVER AT: $DNSONLYIP"

If you have trouble using these scripts, manually test each domain against your DNSOnly server that you have converted to ensure that it still resolves all of your domains.

5. If everything has worked fine so far, make an edit to one of the zones from one of your WHM servers to ensure that changes can still be synced to the PowerDNS server without issue.

6. If the edit was successfully synced to the PDNS cluster member and other BIND members without issue or error, repeat steps 1-4 for another cluster member.

7. Now that all of the DNSOnly cluster members have been converted to PDNS, Convert one of the WHM servers to PDNS and use PDNS tools to verify that there are no zones that are having trouble.

8. If all goes well, enable DNSSEC for one of the domains on the WHM server, and then configure DNSSEC at the registrar of that domain.

9. Test the domain to be sure that DNSSEC is enabled and working without issue.

10. If that has completed successfully, you are free to begin the process of enabling DNSSEC for the rest of the domains on that WHM server.

Or if you prefer, you can start the process of converting the rest of the WHM servers in the cluster to PowerDNS, then enable DNSSEC for all of the domains in the entire cluster afterward.